This is an automated email from the ASF dual-hosted git repository. nic pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/kylin.git
The following commit(s) were added to refs/heads/master by this push:
new dca6b80 KYLIN-4481 Project-level ACL lookups not working for non-admin SAML-federated users
dca6b80 is described below
commit dca6b8055a31ba1f31d188efc2fd57cf710da5e7
Author: andrewcheng <andrewch...@tencent.com>
AuthorDate: Thu May 7 16:27:44 2020 +0800
KYLIN-4481 Project-level ACL lookups not working for non-admin SAML-federated users
---
.../apache/kylin/rest/security/SAMLUserDetailsService.java | 11 +++++++++++
.../rest/security/saml/SAMLSimpleUserDetailsService.java | 8 +++-----
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java b/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
index 24f8243..29583ff 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
@@ -22,6 +22,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.ldap.userdetails.LdapUserDetailsImpl;
 import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
 import org.springframework.security.saml.SAMLCredential;
@@ -46,6 +47,16 @@ public class SAMLUserDetailsService implements org.springframework.security.saml
 UserDetails userDetails = null;
 try {
 userDetails = ldapUserDetailsService.loadUserByUsername(userName);
+ if (userDetails instanceof LdapUserDetailsImpl) {
+ LdapUserDetailsImpl.Essence essence = new LdapUserDetailsImpl.Essence();
+ essence.setDn(((LdapUserDetailsImpl) userDetails).getDn());
+ essence.setUsername(userEmail);
+ essence.setPassword(userDetails.getPassword());
+ essence.setAuthorities(userDetails.getAuthorities());
+ essence.setTimeBeforeExpiration(((LdapUserDetailsImpl) userDetails).getTimeBeforeExpiration());
+ essence.setGraceLoginsRemaining(((LdapUserDetailsImpl) userDetails).getGraceLoginsRemaining());
+ userDetails = essence.createUserDetails();
+ }
 } catch (org.springframework.security.core.userdetails.UsernameNotFoundException e) {
 logger.error("User not found in LDAP, check whether he/she has been added to the groups.", e);
 }
diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/saml/SAMLSimpleUserDetailsService.java b/server-base/src/main/java/org/apache/kylin/rest/security/saml/SAMLSimpleUserDetailsService.java
index e375872..dba968a 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/security/saml/SAMLSimpleUserDetailsService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/security/saml/SAMLSimpleUserDetailsService.java
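Review bot: The rebuilt principal in the new `instanceof LdapUserDetailsImpl` branch copies the DN, password, authorities and the password-policy counters but not the account-status flags, so a user that LDAP reported as disabled, locked or expired comes back from `essence.createUserDetails()` with those flags at the `Essence` defaults, which are true in LdapUserDetailsImpl; unless the original `userDetails` is still consulted for those checks somewhere outside this hunk, that is a silent loss of LDAP account state. The simplest fix is the copy constructor: `LdapUserDetailsImpl.Essence essence = new LdapUserDetailsImpl.Essence((LdapUserDetailsImpl) userDetails);` followed by `essence.setUsername(userEmail);` and `userDetails = essence.createUserDetails();`, which carries every field over and only overrides the username, and also removes the three repeated casts. If that constructor is not available in the Spring Security version in use, copy `isAccountNonExpired()`, `isAccountNonLocked()`, `isCredentialsNonExpired()` and `isEnabled()` explicitly through the matching `Essence` setters. A one-line comment above the branch, `// re-key the LDAP principal by the SAML email so project ACL lookups match`, would record why the username is rewritten. The enclosing method and its `catch` branch extend beyond the hunk.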
@@ -50,15 +50,13 @@ public class SAMLSimpleUserDetailsService implements org.springframework.securit
 public Object loadUserBySAML(SAMLCredential samlCredential) throws UsernameNotFoundException {
 final String userEmail = samlCredential.getAttributeAsString("email");
 logger.debug("samlCredential.email:" + userEmail);
- final String userName = userEmail.substring(0, userEmail.indexOf("@"));
- KylinUserManager userManager = KylinUserManager.getInstance(KylinConfig.getInstanceFromEnv());
- ManagedUser existUser = userManager.get(userName);
+ ManagedUser existUser = userManager.get(userEmail);
 // create if not exists
 if (existUser == null) {
- ManagedUser user = new ManagedUser(userName, NO_EXISTENCE_PASSWORD, true, defaultAuthorities);
+ ManagedUser user = new ManagedUser(userEmail, NO_EXISTENCE_PASSWORD, true, defaultAuthorities);
 userManager.update(user);
 }
- return userManager.get(userName);
+ return userManager.get(userEmail);
 }
 }
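Review bot: `userEmail` becomes the stored username and the key for every later lookup without any check that the assertion actually carried an `email` attribute; `SAMLCredential.getAttributeAsString("email")` returns null when it is missing, and while the removed `substring` call at least failed fast on that, the new code hands null to `userManager.get(userEmail)` and `new ManagedUser(userEmail, ...)`, whose behaviour on a null name is not visible here. Since the method already declares `throws UsernameNotFoundException`, add directly after the debug line `if (userEmail == null || userEmail.isEmpty()) { throw new UsernameNotFoundException("SAML assertion carries no email attribute"); }`. The email is also used verbatim, so two spellings that differ only in case (for example a constructed `User@Example.com` versus `user@example.com`) become two identities and two ACL subjects, which is only safe if the IdP emits a canonical form; a comment on the `existUser` line such as `// email is taken verbatim as the principal; the IdP must emit it in canonical case` would make that assumption explicit. In the collapsed layout it is also unclear whether `KylinUserManager userManager = ...` is removed or context; if it is removed, `userManager` must now resolve to a field that this commit does not introduce.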