From dillido...@apache.org
Subject git commit: KNOX-367: add support for new config param userSearchAttributeName
Date Wed, 14 May 2014 23:27:39 GMT
Repository: knox
Updated Branches:
  refs/heads/master 2b325edb0 -> 40dd19849


KNOX-367: add support for new config param userSearchAttributeName


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/40dd1984
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/40dd1984
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/40dd1984

Branch: refs/heads/master
Commit: 40dd1984971c96e4255ad95f093ae6309d4c0853
Parents: 2b325ed
Author: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Authored: Wed May 14 16:18:01 2014 -0700
Committer: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Committed: Wed May 14 16:18:01 2014 -0700

----------------------------------------------------------------------
 .../gateway/shirorealm/KnoxLdapRealm.java       | 64 +++++++++++++++++++-
 .../gateway/shirorealm/KnoxLdapRealmTest.java   |  7 +++
 2 files changed, 70 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/40dd1984/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
index 94e5ede..09d8de7 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
@@ -134,6 +134,9 @@ public class KnoxLdapRealm extends JndiLdapRealm {
     
     private boolean authorizationEnabled;
 
+    private String userSearchAttributeName;
+
+
     public KnoxLdapRealm() {
     }
     
@@ -330,7 +333,18 @@ public class KnoxLdapRealm extends JndiLdapRealm {
     public void setAuthorizationEnabled(boolean authorizationEnabled) {
       this.authorizationEnabled = authorizationEnabled;
     }
-    
+
+    public String getUserSearchAttributeName() {
+        return userSearchAttributeName;
+    }
+
+    public void setUserSearchAttributeName(String userSearchAttributeName) {
+      if (userSearchAttributeName != null) {
+        userSearchAttributeName = userSearchAttributeName.trim();
+      }
+      this.userSearchAttributeName = userSearchAttributeName;
+    }
+
     private Map<String, List<String>> parsePermissionByRoleString(String permissionsByRoleStr)
{
       Map<String,List<String>> perms = new HashMap<String, List<String>>();
    
@@ -402,4 +416,52 @@ public class KnoxLdapRealm extends JndiLdapRealm {
     return member;
   }
    
+    /**
+     * Returns the LDAP User Distinguished Name (DN) to use when acquiring an
+     * {@link javax.naming.ldap.LdapContext LdapContext} from the {@link LdapContextFactory}.
+     * <p/>
+     * If the the {@link #getUserDnTemplate() userDnTemplate} property has been set, this
implementation will construct
+     * the User DN by substituting the specified {@code principal} into the configured template.
 If the
+     * {@link #getUserDnTemplate() userDnTemplate} has not been set, the method argument
will be returned directly
+     * (indicating that the submitted authentication token principal <em>is</em>
the User DN).
+     *
+     * @param principal the principal to substitute into the configured {@link #getUserDnTemplate()
userDnTemplate}.
+     * @return the constructed User DN to use at runtime when acquiring an {@link javax.naming.ldap.LdapContext}.
+     * @throws IllegalArgumentException if the method argument is null or empty
+     * @throws IllegalStateException    if the {@link #getUserDnTemplate userDnTemplate}
has not been set.
+     * @see LdapContextFactory#getLdapContext(Object, Object)
+     */
+    @Override
+    protected String getUserDn(String principal) throws IllegalArgumentException, IllegalStateException
{
+      if (userSearchAttributeName == null || userSearchAttributeName.isEmpty()) {
+        return super.getUserDn(principal);
+      }
+
+      // search for userDn and return
+      String userDn = null;
+      LdapContext systemLdapCtx = null;
+      try {
+          systemLdapCtx = getContextFactory().getSystemLdapContext();
+          String searchFilter = String.format("(&(objectclass=%1$s)(%2$s=%3$s))", 
+              "person", userSearchAttributeName, principal);
+          final NamingEnumeration<SearchResult> searchResultEnum = systemLdapCtx.search(
+              searchBase, 
+              searchFilter,
+              SUBTREE_SCOPE);
+          if (searchResultEnum.hasMore()) { // searchResults contains all the groups in search
scope
+            SearchResult searchResult =  searchResultEnum.next();
+            return searchResult.getNameInNamespace();
+          } else {
+            throw new IllegalArgumentException("Illegal principal name: " + principal);
+          }
+      } catch (AuthenticationException e) {
+        LOG.failedToGetSystemLdapConnection(e);
+        throw new IllegalArgumentException("Illegal principal name: " + principal);
+      } catch (NamingException e) {
+        throw new IllegalArgumentException("Hit NamingException: " + e.getMessage());
+      } finally {
+          LdapUtils.closeContext(systemLdapCtx);
+      }
+    }
+
 }
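Review bot: The search filter built by `String.format("(&(objectclass=%1$s)(%2$s=%3$s))", "person", userSearchAttributeName, principal)` interpolates the not-yet-authenticated login name verbatim, so filter metacharacters in `principal` (`*`, `(`, `)`, `\`) are parsed as filter syntax rather than matched as data, and the resolved DN can be an entry other than the one the principal names. Use JNDI's argument substitution, which escapes String arguments: `systemLdapCtx.search(searchBase, "(&(objectclass=person)(" + userSearchAttributeName + "={0}))", new Object[] { principal }, SUBTREE_SCOPE)` (or escape `principal` per RFC 4515 before formatting if the three-argument `search` form must stay). The branch also returns the first result of `searchResultEnum.hasMore()` without checking that the match is unique, so with a non-unique search attribute the DN depends on server ordering; after taking the first result, `if (searchResultEnum.hasMore()) throw new IllegalArgumentException("Ambiguous principal name: " + principal);` would make that explicit. The `NamingException` handler rethrows with `e.getMessage()` only; pass `e` as the cause so the underlying error is preserved. The Javadoc promises `IllegalArgumentException` for a null or empty principal, but this branch formats such a value into the filter without checking it.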

http://git-wip-us.apache.org/repos/asf/knox/blob/40dd1984/gateway-provider-security-shiro/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealmTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealmTest.java
b/gateway-provider-security-shiro/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealmTest.java
index e7cf7ab..94e88be 100644
--- a/gateway-provider-security-shiro/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealmTest.java
+++ b/gateway-provider-security-shiro/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealmTest.java
@@ -45,5 +45,12 @@ public class KnoxLdapRealmTest {
     assertEquals(realm.getMemberAttribute(), "member");
   }
   
+  @Test
+  public void setGetUserSearchAttributeName() {
+    KnoxLdapRealm realm = new KnoxLdapRealm();
+    realm.setUserSearchAttributeName("uid");
+    assertEquals(realm.getUserSearchAttributeName(), "uid");
+  }
+  
   
 }
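Review bot: The new test only round-trips the property, while the `getUserDn` override this attribute enables in KnoxLdapRealm has no coverage, and `assertEquals(realm.getUserSearchAttributeName(), "uid")` puts actual before expected, which yields misleading failure messages; prefer `assertEquals("uid", realm.getUserSearchAttributeName())`. A second case such as `realm.setUserSearchAttributeName(" uid ")` asserting `"uid"` would pin the trimming the setter now performs, and a `null` case would document that null is stored unchanged.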

