Repository: ambari Updated Branches: refs/heads/trunk b571e4a0b -> 3d3f06ad8
AMBARI-16205. Disable alternate user search functionality by default. (stoader)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/3d3f06ad
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/3d3f06ad
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/3d3f06ad
Branch: refs/heads/trunk
Commit: 3d3f06ad83188e086564a60b687e35a1956258b0
Parents: b571e4a
Author: Toader, Sebastian <stoa...@hortonworks.com>
Authored: Tue May 3 14:53:44 2016 +0200
Committer: Toader, Sebastian <stoa...@hortonworks.com>
Committed: Tue May 3 14:53:44 2016 +0200
----------------------------------------------------------------------
.../server/configuration/Configuration.java | 24 ++++++++++++
.../AmbariLdapAuthenticationProvider.java | 8 +++-
.../server/configuration/ConfigurationTest.java | 41 ++++++++++++++++++++
...henticationProviderForDuplicateUserTest.java | 31 ++++++++++++++-
.../AmbariLdapAuthenticationProviderTest.java | 11 ++++--
5 files changed, 107 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/3d3f06ad/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 87f40d5..51ada16 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -198,6 +198,13 @@ public class Configuration {
 public static final String LDAP_USER_SEARCH_FILTER_KEY = "authentication.ldap.userSearchFilter";
 /**
+ * This configuration controls whether the use of alternate user search filter is enabled.
+ *
+ * If it is not set then the default
+ */
+ public static final String LDAP_ALT_USER_SEARCH_ENABLED_KEY = "authentication.ldap.alternateUserSearchEnabled";
+
+ /**
 * When authentication through LDAP is enabled there might be cases when {@link #LDAP_USER_SEARCH_FILTER_KEY}
 * may match multiple users in LDAP. In such cases the user is prompted to provide additional info, e.g. the domain
 * he or she wants ot log in upon login beside the username. This filter will be used by Ambari Server to lookup
@@ -488,6 +495,19 @@ public class Configuration {
 private static final String LDAP_GROUP_NAMING_ATTR_DEFAULT = "cn";
 private static final String LDAP_GROUP_MEMBERSHIP_ATTR_DEFAULT = "member";
 private static final String LDAP_ADMIN_GROUP_MAPPING_RULES_DEFAULT = "Ambari Administrators";
+
+ /**
+ * If the default LDAP user search filter is not able to find the authenticating user
+ * in LDAP than Ambari can fall back an alternative user search filter if this
+ * functionality is enabled. Whether this functionality is enabled or disabled
+ * can be controlled via {@link #LDAP_ALT_USER_SEARCH_ENABLED_KEY}.
+ *
+ * If {@link #LDAP_ALT_USER_SEARCH_ENABLED_KEY} not provided in ambari properties
+ * than the functionality is disabled by default.
+ *
+ */
+ protected static final String LDAP_ALT_USER_SEARCH_ENABLED_DEFAULT = "false";
+
 /**
 * When authentication through LDAP is enabled then Ambari Server uses this filter by default to lookup
 * the user in LDAP if one not provided in the config via {@link #LDAP_USER_SEARCH_FILTER_KEY}.
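Review bot: The Javadoc added for `LDAP_ALT_USER_SEARCH_ENABLED_KEY` stops mid-sentence at `* If it is not set then the default`, so the one fact an operator needs from it — what happens when the key is absent — is missing. I would complete it as `* If it is not set, the alternate user search is disabled ({@link #LDAP_ALT_USER_SEARCH_ENABLED_DEFAULT} is "false").`, which matches the default constant introduced by the second hunk of this file. Since this key is a security switch, the comment should also say what a value other than "true" does; as far as this commit shows, anything else is treated as disabled, so stating that here saves a reader a trip to the accessor.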
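Review bot: The Javadoc on `LDAP_ALT_USER_SEARCH_ENABLED_DEFAULT` has "than" where "then" is meant in both sentences, and "fall back an alternative" should read "fall back to an alternative"; the trailing empty `*` line before `*/` can go too. The constant is declared `protected` while the neighbouring `LDAP_*_DEFAULT` constants in the same hunk are `private`; if the wider visibility is only for the tests, a short comment such as `// protected for tests` would stop a later reader from widening it further or from treating it as part of the API.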
@@ -2933,4 +2953,8 @@ public class Configuration {
 String udpPort = properties.getProperty(ALERTS_SNMP_DISPATCH_UDP_PORT);
 return StringUtils.isEmpty(udpPort) ? null : Integer.parseInt(udpPort);
 }
+
+ public boolean isLdapAlternateUserSearchEnabled() {
+ return Boolean.parseBoolean(properties.getProperty(LDAP_ALT_USER_SEARCH_ENABLED_KEY, LDAP_ALT_USER_SEARCH_ENABLED_DEFAULT));
+ }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/3d3f06ad/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
index 7b2a95c..da47407 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
@@ -80,7 +80,11 @@ public class AmbariLdapAuthenticationProvider implements AuthenticationProvider
 }
 throw e;
 } catch (IncorrectResultSizeDataAccessException multipleUsersFound) {
- throw new DuplicateLdapUserFoundAuthenticationException(String.format("Login Failed: Please append your domain to your username and try again. Example: %s@domain", username));
+ String message = configuration.isLdapAlternateUserSearchEnabled() ?
+ String.format("Login Failed: Please append your domain to your username and try again. Example: %s@domain", username) :
+ "Login Failed: More than one user with that username found, please work with your Ambari Administrator to adjust your LDAP configuration";
+
+ throw new DuplicateLdapUserFoundAuthenticationException(message);
 }
 } else {
 return null;
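Review bot: `isLdapAlternateUserSearchEnabled()` is a new public accessor on `Configuration` with no Javadoc, and its fail-closed parsing is the property worth stating: `Boolean.parseBoolean` returns true only for a case-insensitive "true", so a typo such as "yes" or "enabled" silently leaves the feature off. I would add above the method: `/** Whether the alternate LDAP user search is enabled via {@link #LDAP_ALT_USER_SEARCH_ENABLED_KEY}; any value other than "true" (case-insensitive), including an absent key, disables it. */`. The value is re-read from `properties` on every call, so a misconfiguration is not reported at startup; if the rest of `Configuration` validates LDAP settings somewhere (outside this hunk), this key could be checked there so a non-boolean value is at least logged.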
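Review bot: Both branches of the new `message` tell the caller that the submitted username matched more than one directory entry, and the enabled branch echoes the username back, which distinguishes "account exists but is ambiguous" from an ordinary bad-credentials failure; if `DuplicateLdapUserFoundAuthenticationException`'s message reaches the login response (not visible in this hunk), that is an account-enumeration signal. When the alternate search is disabled the user cannot act on the detail anyway, so I would keep the specific text for the server log and give the client a generic failure in that branch. The caught `multipleUsersFound` is also dropped — neither it nor its message is attached to the exception that is thrown — so the administrator the message points at gets no LDAP detail; pass it as the cause if the exception type supports one, or log it with the username before throwing, if the class has a logger. The enclosing `authenticate` method starts and ends outside this hunk.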
@@ -175,7 +179,7 @@ public class AmbariLdapAuthenticationProvider implements AuthenticationProvider
 private String getLdapUserSearchFilter(String userName) {
 return ldapServerProperties.get()
- .getUserSearchFilter(AmbariLdapUtils.isUserPrincipalNameFormat(userName));
+ .getUserSearchFilter(configuration.isLdapAlternateUserSearchEnabled() && AmbariLdapUtils.isUserPrincipalNameFormat(userName));
 }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/3d3f06ad/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
index 99ec786..f635f1b 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
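Review bot: The boolean handed to `getUserSearchFilter` now encodes a two-part decision but nothing at the call site says what `true` selects, and the method has no Javadoc; a named local makes the intent self-documenting: `boolean useAlternateFilter = configuration.isLdapAlternateUserSearchEnabled() && AmbariLdapUtils.isUserPrincipalNameFormat(userName);` followed by `.getUserSearchFilter(useAlternateFilter);`. I would also add above the method `/** Selects the LDAP user search filter: the alternate filter only when it is enabled and the user name is in user-principal-name form, otherwise the default filter. */`. Note the behavioural consequence for existing deployments: with the flag off, a `user@domain` login no longer switches filters and is presumably matched as-is by the default filter, so a release note is warranted. The class closes in this hunk, so nothing follows the method.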
@@ -714,4 +714,45 @@ public class ConfigurationTest {
 Assert.assertEquals("test_uid={5}", actualLdapUserSearchFilter);
 }
+ @Test
+ public void testAlternateUserSearchEnabledDefault() throws Exception {
+ // Given
+ final Properties ambariProperties = new Properties();
+ final Configuration configuration = new Configuration(ambariProperties);
+
+ // When
+ boolean actual = configuration.isLdapAlternateUserSearchEnabled();
+
+ // Then
+ Assert.assertEquals(false, actual);
+ }
+
+ @Test
+ public void testAlternateUserSearchEnabledTrue() throws Exception {
+ // Given
+ final Properties ambariProperties = new Properties();
+ final Configuration configuration = new Configuration(ambariProperties);
+ ambariProperties.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "true");
+
+ // When
+ boolean actual = configuration.isLdapAlternateUserSearchEnabled();
+
+ // Then
+ Assert.assertEquals(true, actual);
+ }
+
+ @Test
+ public void testAlternateUserSearchEnabledFalse() throws Exception {
+ // Given
+ final Properties ambariProperties = new Properties();
+ final Configuration configuration = new Configuration(ambariProperties);
+ ambariProperties.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "false");
+
+ // When
+ boolean actual = configuration.isLdapAlternateUserSearchEnabled();
+
+ // Then
+ Assert.assertEquals(false, actual);
+ }
+ + }
http://git-wip-us.apache.org/repos/asf/ambari/blob/3d3f06ad/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java
index f5d1412..43f860e 100644
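Review bot: The three new tests pin "true", "false" and the absent key, but none covers a malformed value, which is where the fail-closed behaviour of `Boolean.parseBoolean` matters most for a security switch; I would add a fourth test that sets the key to `"yes"` and asserts `Assert.assertFalse(configuration.isLdapAlternateUserSearchEnabled());`. The `True` and `False` tests call `ambariProperties.setProperty(...)` after `new Configuration(ambariProperties)`, so they rely on `Configuration` keeping a reference to the caller's `Properties` rather than copying it — presumably true today, but an incidental coupling that setting the property before constructing `Configuration` removes. `Assert.assertEquals(false, actual)` reads better as `Assert.assertFalse(actual)`, and likewise for the true case.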
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java
@@ -33,6 +33,7 @@ import org.easymock.MockType;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;
 import org.junit.runner.RunWith;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -64,6 +65,9 @@ public class AmbariLdapAuthenticationProviderForDuplicateUserTest extends Ambari
 @Rule
 public EasyMockRule mocks = new EasyMockRule(this);
+ @Rule
+ public ExpectedException expectedException = ExpectedException.none();
+
 @Mock(type = MockType.NICE)
 private AmbariLdapAuthoritiesPopulator authoritiesPopulator;
@@ -85,10 +89,14 @@ public class AmbariLdapAuthenticationProviderForDuplicateUserTest extends Ambari
 authenticationProvider = new AmbariLdapAuthenticationProvider(configuration, authoritiesPopulator);
 }
- @Test(expected = DuplicateLdapUserFoundAuthenticationException.class)
- public void testAuthenticateDuplicateUser() throws Exception {
+ @Test
+ public void testAuthenticateDuplicateUserAltUserSearchDisabled() throws Exception {
 // Given
 Authentication authentication = new UsernamePasswordAuthenticationToken("user_dup", "password");
+ authenticationProvider.configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "false");
+
+ expectedException.expect(DuplicateLdapUserFoundAuthenticationException.class);
+ expectedException.expectMessage("Login Failed: More than one user with that username found, please work with your Ambari Administrator to adjust your LDAP configuration");
 // When
 authenticationProvider.authenticate(authentication);
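Review bot: `testAuthenticateDuplicateUserAltUserSearchDisabled` sets the flag to "false" explicitly, so the provider path is never exercised with the key absent — which is exactly the default this commit introduces. I would either drop the `setProperty` line here, so the test proves the generic message is what a fresh installation produces, or add a third test with the key unset expecting the same message; `configuration` comes from the base class outside this hunk, so whether it carries state between tests is not visible here and should be checked before relying on the absent-key case. Reaching into `authenticationProvider.configuration` couples the test to a field of the provider; using the `configuration` that the `@Before` passes to the constructor avoids that. `expectMessage` matches a substring, so for the disabled case it is also worth asserting the username does not appear in the message, since not echoing it is the point of the generic text.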
@@ -96,5 +104,24 @@ public class AmbariLdapAuthenticationProviderForDuplicateUserTest extends Ambari
 // Then
 // DuplicateLdapUserFoundAuthenticationException should be thrown
+
+ }
+
+ @Test
+ public void testAuthenticateDuplicateUserAltUserSearchEnabled() throws Exception {
+ // Given
+ Authentication authentication = new UsernamePasswordAuthenticationToken("user_dup", "password");
+ authenticationProvider.configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "true");
+
+ expectedException.expect(DuplicateLdapUserFoundAuthenticationException.class);
+ expectedException.expectMessage("Login Failed: Please append your domain to your username and try again. Example: user_dup@domain");
+
+ // When
+ authenticationProvider.authenticate(authentication);
+
+ // Then
+ // DuplicateLdapUserFoundAuthenticationException should be thrown
+
+ }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/3d3f06ad/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
index b076e85..6d4ec60 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
@@ -95,6 +95,7 @@ public class AmbariLdapAuthenticationProviderTest extends AmbariLdapAuthenticati
 injector.getInstance(GuiceJpaInitializer.class);
 configuration.setClientSecurityType(ClientSecurityType.LDAP);
 configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_FILTER_KEY, "(&(mail={0})(objectClass={userObjectClass}))");
+ configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "false");
 }
 @After
@@ -198,9 +199,9 @@ public class AmbariLdapAuthenticationProviderTest extends AmbariLdapAuthenticati
 @Test
 public void testAuthenticateLoginAlias() throws Exception {
 // Given
- assertNull("User alread exists in DB", userDAO.findLdapUserByName("allowedUser"));
+ assertNull("User already exists in DB", userDAO.findLdapUserByName("allowedUser"));
 Authentication authentication = new UsernamePasswordAuthenticationToken("allowedu...@ambari.apache.org", "password");
-
+ configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "true");
 // When
 Authentication result = authenticationProvider.authenticate(authentication);
@@ -212,8 +213,9 @@ public class AmbariLdapAuthenticationProviderTest extends AmbariLdapAuthenticati
 @Test(expected = BadCredentialsException.class)
 public void testBadCredentialsForMissingLoginAlias() throws Exception {
 // Given
- assertNull("User alread exists in DB", userDAO.findLdapUserByName("allowedUser"));
+ assertNull("User already exists in DB", userDAO.findLdapUserByName("allowedUser"));
 Authentication authentication = new UsernamePasswordAuthenticationToken("missingloginal...@ambari.apache.org", "password");
+ configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "true");
 // When
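Review bot: The `@Before` now pins `LDAP_ALT_USER_SEARCH_ENABLED_KEY` to "false" for every test, so this suite never runs the provider with the key absent, which is the default the commit exists to establish; the accessor already falls back to `LDAP_ALT_USER_SEARCH_ENABLED_DEFAULT`, so the added `setProperty` line can simply be removed and the alias tests that need the feature still opt in themselves. If it is kept to guard against state leaking between tests (the lifecycle of `configuration` is outside this hunk), a one-line comment such as `// alternate search is off unless a test opts in` would stop the next reader from mistaking it for the product default. The setup method starts before this hunk.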
@@ -227,8 +229,9 @@ public class AmbariLdapAuthenticationProviderTest extends AmbariLdapAuthenticati
 @Test(expected = BadCredentialsException.class)
 public void testBadCredentialsBadPasswordForLoginAlias() throws Exception {
 // Given
- assertNull("User alread exists in DB", userDAO.findLdapUserByName("allowedUser"));
+ assertNull("User already exists in DB", userDAO.findLdapUserByName("allowedUser"));
 Authentication authentication = new UsernamePasswordAuthenticationToken("allowedu...@ambari.apache.org", "bad_password");
+ configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "true");
 // When