Rafael Felix Correa created KYLIN-4481:
------------------------------------------

             Summary: Project-level ACL lookups not working for non-admin SAML-federated users
                 Key: KYLIN-4481
                 URL: https://issues.apache.org/jira/browse/KYLIN-4481
             Project: Kylin
          Issue Type: Bug
          Components: Security
    Affects Versions: v3.0.1, v2.6.5
            Reporter: Rafael Felix Correa


Steps to reproduce:
 * set up Kylin with SAML as described in 
[http://kylin.apache.org/docs/howto/howto_ldap_and_sso.html]. kylin.properties:
{code}
kylin.security.profile=saml
kylin.security.acl.admin-role=Kylin_Admins
kylin.security.ldap.connection-server=ldap://openldap:389
kylin.security.ldap.connection-username=cn=admin,dc=example,dc=org
# set kylin.security.ldap.connection-password appropriately
kylin.security.ldap.user-search-base=ou=people,dc=example,dc=org
kylin.security.ldap.user-search-pattern=(uid={0})
kylin.security.ldap.user-group-search-base=ou=groups,dc=example,dc=org
kylin.security.saml.context-context-path=/kylin
kylin.security.saml.context-scheme=https
kylin.security.saml.context-server-name=kylin.validdomain.com
kylin.security.saml.context-server-port=443
kylin.security.saml.metadata-entity-base-url=https://kylin.validdomain.com/kylin{code}

 * on the LDAP server, make sure you have the following user object in place: 
{code}
# example.user, people, example.org
dn: uid=example.user,ou=people,dc=example,dc=org
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 10000
uidNumber: 5000
cn: Does not matter
homeDirectory: /home/doesntmatter
uid: example.user{code}

 * and the following group object, with that user as a member:
{code}
# Kylin_Users, groups, example.org
dn: cn=Kylin_Users,ou=groups,dc=example,dc=org
objectClass: top
objectClass: groupOfNames
cn: Kylin_Users
member: uid=example.user,ou=people,dc=example,dc=org{code}

 * as an ADMIN, create a sample project in kylin and grant QUERY, MANAGEMENT or 
OPERATION access to example.user.
 * now, try logging into kylin.validdomain.com's Web UI as 
[example.u...@validdomain.com.|mailto:example.u...@validdomain.com.]

Expected result:
 * example.user is logged in, able to select the project from the dropdown box 
at the top left corner and navigate through its properties.

Actual result:
 * example.user is logged in, but no projects are listed in the dropdown box, 
as if the user had no permissions in any project.

With LDAP-pure installations (no SAML), this configuration works as expected.

Worth noting: 
[https://github.com/apache/kylin/blob/kylin-3.0.1/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java#L40-L54]
splits the user at the '@' char before performing LDAP lookups. However, by 
editing kylin_metadata manually and appending @validdomain.com to the 
corresponding object under /acls, the lookup works as it should and the 
non-admin user gets to access the sample project.
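The mismatch described above, as an added example that is not Kylin's code: a small Python model in which the SAML principal is split at '@' for the directory lookup (as the linked SAMLUserDetailsService does) while ACL entries are keyed by whatever name the grant was recorded under. Every name in it (AclStore, authenticate_saml, canonical_sid, LDAP_USERS, demo) is hypothetical, the directory and ACL data are constructed inline, and canonical_sid() is one possible way of making grant and check agree, not the project's fix.

```python
# Added example (not Kylin's code): minimal model of the identity mismatch
# in this report. AclStore, authenticate_saml, canonical_sid and LDAP_USERS
# are hypothetical names; all data below is constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed stand-in for the LDAP directory: uid -> group names.
LDAP_USERS: Dict[str, Set[str]] = {"example.user": {"Kylin_Users"}}

# Project permissions an admin can grant (names taken from the report).
PERMISSIONS = {"QUERY", "OPERATION", "MANAGEMENT"}


def ldap_uid_from_principal(principal: str) -> str:
    """Mirror the behaviour the report points at: the SAML principal is split
    at '@' and only the local part is used for the LDAP user lookup."""
    return principal.split("@", 1)[0]


def canonical_sid(name: str) -> str:
    """One normalisation applied to BOTH granting and checking (hypothetical):
    a principal carrying a domain is reduced to the uid that LDAP resolves."""
    return ldap_uid_from_principal(name.strip()).lower()


@dataclass
class AclStore:
    """project -> sid -> granted permissions (stands in for /acls in kylin_metadata)."""
    entries: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)

    def grant(self, project: str, sid: str, permission: str) -> None:
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission {permission!r}")
        self.entries.setdefault(project, {}).setdefault(sid, set()).add(permission)

    def visible_projects(self, sid: str) -> List[str]:
        """Projects on which the given sid holds at least one permission."""
        return sorted(p for p, sids in self.entries.items() if sids.get(sid))


def authenticate_saml(principal: str) -> Optional[dict]:
    """Resolve a SAML principal against the directory as the report describes.
    Returns None when the derived uid is not in the directory, so an unknown
    principal never reaches the ACL stage."""
    uid = ldap_uid_from_principal(principal)
    groups = LDAP_USERS.get(uid)
    if groups is None:
        return None
    return {"principal": principal, "uid": uid, "groups": set(groups)}


def projects_as_reported(acl: AclStore, principal: str) -> List[str]:
    """ACL lookup keyed by the raw SAML principal: when the grant was recorded
    under the bare uid, this reproduces the empty project dropdown."""
    ident = authenticate_saml(principal)
    return [] if ident is None else acl.visible_projects(ident["principal"])


def projects_with_canonical_sid(acl: AclStore, principal: str) -> List[str]:
    """ACL lookup keyed by canonical_sid(), matching grants that were also
    stored via canonical_sid(); the same user now sees the project."""
    ident = authenticate_saml(principal)
    if ident is None:
        return []
    return acl.visible_projects(canonical_sid(ident["principal"]))


def demo() -> dict:
    """The report's scenario: an admin grants QUERY to 'example.user', then the
    user signs in through SAML as 'example.user@validdomain.com'."""
    who = "example.user@validdomain.com"

    acl = AclStore()
    acl.grant("sample_project", canonical_sid("example.user"), "QUERY")

    # The manual workaround from the report: the ACL entry itself carries the
    # domain-qualified name, so the raw-principal lookup happens to match.
    patched = AclStore()
    patched.grant("sample_project", who, "QUERY")

    return {
        "reported": projects_as_reported(acl, who),            # []
        "canonical": projects_with_canonical_sid(acl, who),    # ['sample_project']
        "workaround": projects_as_reported(patched, who),      # ['sample_project']
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that the directory lookup and the ACL lookup must agree on a single identifier for the same person; editing the stored ACL object by hand only patches one entry, whereas normalising at both grant time and check time keeps every existing grant valid regardless of which form the login principal takes.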



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
