From dillido...@apache.org
Subject git commit: KNOX-391-392: KnoxLdaRealm should use LdapName.equals for groupDn compare
Date Fri, 30 May 2014 22:05:47 GMT
Repository: knox
Updated Branches:
  refs/heads/master d7badf47b -> 86a37bbc3


KNOX-391-392: KnoxLdapRealm should use LdapName.equals for groupDn compare


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/86a37bbc
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/86a37bbc
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/86a37bbc

Branch: refs/heads/master
Commit: 86a37bbc3254a51f140474a8fd41dac3febe8be5
Parents: d7badf4
Author: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Authored: Fri May 30 14:59:06 2014 -0700
Committer: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Committed: Fri May 30 14:59:06 2014 -0700

----------------------------------------------------------------------
 .../hadoop/gateway/shirorealm/KnoxLdapRealm.java   | 17 +++++++++--------
 .../org/apache/hadoop/gateway/GatewayMessages.java |  4 ++++
 2 files changed, 13 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/86a37bbc/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
index a71fb30..79c721d 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
@@ -206,7 +206,7 @@ public class KnoxLdapRealm extends JndiLdapRealm {
         // save role names and group names in session so that they can be easily looked up
outside of this object
         SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_ROLES, roleNames);
         SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_GROUPS, groupNames);
-        
+        LOG.lookedUpUserRoles(roleNames, userName);
         return roleNames;
     }
 
@@ -221,6 +221,7 @@ public class KnoxLdapRealm extends JndiLdapRealm {
     } else {
       userDn = getUserDn(userName);
     }
+    LdapName userLdapDn = new LdapName(userDn);
     Attribute attribute = group.getAttributes().get(getGroupIdAttribute()); 
     String groupName = attribute.get().toString();
     
@@ -235,7 +236,7 @@ public class KnoxLdapRealm extends JndiLdapRealm {
       while (e.hasMore()) {
         String attrValue = e.next().toString();
         if (memberAttribute.equalsIgnoreCase(MEMBER_URL)) {
-          boolean dynamicGroupMember = isUserMemberOfDynamicGroup(userDn, 
+          boolean dynamicGroupMember = isUserMemberOfDynamicGroup(userLdapDn, 
               attrValue, // memberUrl value
               ldapContextFactory);
           if (dynamicGroupMember) {
@@ -248,7 +249,7 @@ public class KnoxLdapRealm extends JndiLdapRealm {
             }
           }
         } else {
-          if (userDn.equals(attrValue)) {
+          if (userLdapDn.equals(new LdapName(attrValue))) {
          
             groupNames.add(groupName);
             String roleName = roleNameFor(groupName);
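Review bot: `new LdapName(attrValue)` on the new compare line throws the checked `InvalidNameException` whenever a member attribute value is not a syntactically valid DN, so a single malformed value in one group entry now aborts the membership scan for every user, where the old string `equals` simply failed to match. Whether that surfaces as a denied authorization or an unhandled error depends on the enclosing method's signature, which is outside this hunk, but either way one bad directory value should not take down group resolution for everyone. I would parse the value with a guard and treat a parse failure as a non-match, logging it rather than swallowing it silently; `javax.naming.InvalidNameException` may need importing if the file does not already have it. The loop body continues past the end of the hunk.
```java
} else {
  LdapName memberDn = null;
  try {
    memberDn = new LdapName(attrValue);
  } catch (InvalidNameException ine) {
    // a malformed member value is a non-match, not a reason to abort the scan; log it
  }
  if (memberDn != null && userLdapDn.equals(memberDn)) {
    // … unchanged: add groupName / roleName …
```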
@@ -407,7 +408,7 @@ public class KnoxLdapRealm extends JndiLdapRealm {
       return perms;
   }
 
-  boolean isUserMemberOfDynamicGroup(String userDnString, String memberUrl,
+  boolean isUserMemberOfDynamicGroup(LdapName userLdapDn, String memberUrl,
       final LdapContextFactory ldapContextFactory) throws NamingException {
 
     // ldap://host:port/dn?attributes?scope?filter?extensions
@@ -428,16 +429,16 @@ public class KnoxLdapRealm extends JndiLdapRealm {
     String searchFilter = tokens[3];
 
     LdapName searchBaseDn = new LdapName(searchBaseString);
-    LdapName userDn = new LdapName(userDnString);
+   
     // do scope test
     if (searchScope.equalsIgnoreCase("base")) {
       return false;
     }
-    if (!userDn.toString().endsWith(searchBaseDn.toString())) {
+    if (!userLdapDn.toString().endsWith(searchBaseDn.toString())) {
       return false;
     }
     if (searchScope.equalsIgnoreCase("one")
-        && (userDn.size() != searchBaseDn.size() - 1)) {
+        && (userLdapDn.size() != searchBaseDn.size() - 1)) {
       return false;
     }
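Review bot: The base test `userLdapDn.toString().endsWith(searchBaseDn.toString())` still compares strings rather than DN components, so it keeps exactly the case and whitespace sensitivity this commit sets out to remove (`DC=Example` vs `dc=example` fails to match) and it ignores RDN boundaries, so a DN whose last RDN merely ends with the base's text, e.g. an escaped-comma value like `cn=x\,dc=example` against base `dc=example`, passes. Because `LdapName` indexes from the rightmost component, `if (!userLdapDn.startsWith(searchBaseDn)) {` is the component-wise suffix check and inherits the same normalisation as `equals`. The one-level depth test below it also looks inverted: an entry directly beneath the base has one component more than the base, so the condition appears to want `userLdapDn.size() != searchBaseDn.size() + 1`; as written, a `one`-scope memberUrl seems never to admit a user, which is worth confirming with a test. isUserMemberOfDynamicGroup continues past the end of the hunk.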
     // search for the filter, substituting base with userDn
@@ -445,7 +446,7 @@ public class KnoxLdapRealm extends JndiLdapRealm {
     LdapContext systemLdapCtx = null;
     systemLdapCtx = ldapContextFactory.getSystemLdapContext();
     final NamingEnumeration<SearchResult> searchResultEnum = systemLdapCtx
-        .search(userDn, searchFilter,
+        .search(userLdapDn, searchFilter,
             searchScope.equalsIgnoreCase("sub") ? SUBTREE_SCOPE
                 : ONELEVEL_SCOPE);
     if (searchResultEnum.hasMore()) {
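Review bot: The search on the new line is rooted at the user's own DN, and for any scope other than `sub` it runs with `ONELEVEL_SCOPE`, which, if that constant wraps `SearchControls.ONELEVEL_SCOPE` as its name suggests, examines only entries beneath the user and never the user entry itself, so the memberUrl filter cannot match for one-level dynamic groups. Since the scope and depth tests above have already placed the user under the URL's base, the search here only needs to evaluate the filter against that single entry, i.e. an `OBJECT_SCOPE` `SearchControls` passed as `.search(userLdapDn, searchFilter, OBJECT_SCOPE)` regardless of the URL's scope. Separately, nothing in the hunk closes `systemLdapCtx` or `searchResultEnum` in a try/finally; if that is not done later in the method, every dynamic-group check leaks a directory connection. The method continues past the end of the hunk.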

http://git-wip-us.apache.org/repos/asf/knox/blob/86a37bbc/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
index 9abc835..02c87bf 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
@@ -29,6 +29,7 @@ import java.io.File;
 import java.net.URI;
 import java.util.Date;
 import java.util.Map;
+import java.util.Set;
 
 /**
  *
@@ -322,4 +323,7 @@ public interface GatewayMessages {
   @Message( level = MessageLevel.INFO, text = "Computed userDn: {0} using ldapSearch for
principal: {1}" )
   void searchedAndFoundUserDn(String userDn, String principal);
 
+  @Message( level = MessageLevel.INFO, text = "Computed roles/groups: {0} for principal:
{1}" )
+  void lookedUpUserRoles(Set<String> roleNames, String userName);
+
 }
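Review bot: The new `lookedUpUserRoles` message is declared at `MessageLevel.INFO`, so the full set of groups and roles for every principal will be written to the gateway log on each role lookup under the default log configuration; group membership is authorization data most deployments would rather not accumulate in plain-text logs, and the volume grows with every request that triggers a lookup. The sibling `searchedAndFoundUserDn` message is also INFO, but a per-lookup dump of role sets is a diagnostic rather than an operational event, so I would lower it: `@Message( level = MessageLevel.DEBUG, text = "Computed roles/groups: {0} for principal: {1}" )`. If INFO is deliberate for the KNOX-391/392 investigation, a one-line comment on the declaration saying so would stop the next reader from lowering it.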

