knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kmin...@apache.org
Subject knox git commit: [KNOX-650] - Add posixGroups support for LDAP groups lookup
Date Tue, 19 Jan 2016 22:36:47 GMT
Repository: knox
Updated Branches:
  refs/heads/master 447b8fd7a -> 9619a398f


[KNOX-650] - Add posixGroups support for LDAP groups lookup


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/9619a398
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/9619a398
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/9619a398

Branch: refs/heads/master
Commit: 9619a398f9ed57d4cd7f705e73f100e85921bfdd
Parents: 447b8fd
Author: Kevin Minder <kevin.minder@hortonworks.com>
Authored: Tue Jan 19 17:22:02 2016 -0500
Committer: Kevin Minder <kevin.minder@hortonworks.com>
Committed: Tue Jan 19 17:26:47 2016 -0500

----------------------------------------------------------------------
 CHANGES                                         |   8 +
 .../ldap/SimpleLdapDirectoryServer.java         |  14 +
 .../gateway/shirorealm/KnoxLdapRealm.java       |   5 +
 .../gateway/GatewayLdapPosixGroupFuncTest.java  | 314 +++++++++++++++++++
 .../GatewayLdapPosixGroupFuncTest/users.ldif    | 106 +++++++
 5 files changed, 447 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/9619a398/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 5916c6e..7cfc6db 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,14 @@
 Release Notes - Apache Knox - Version 0.7.0
 ------------------------------------------------------------------------------
 ** New Feature
+** Improvement
+    * [KNOX-650] - Add posixGroups support for LDAP groups lookup
+** Bug
+
+------------------------------------------------------------------------------
+Release Notes - Apache Knox - Version 0.7.0
+------------------------------------------------------------------------------
+** New Feature
     * [KNOX-476] - implementation for X-Forwarded-* headers support and population
     * [KNOX-547] - KnoxCLI adds new validate-topology and list-topologies commands.
     * [KNOX-548] - KnoxCLI adds a new system-user-auth-test command to test a topology's
system username and password

http://git-wip-us.apache.org/repos/asf/knox/blob/9619a398/gateway-demo-ldap/src/main/java/org/apache/hadoop/gateway/security/ldap/SimpleLdapDirectoryServer.java
----------------------------------------------------------------------
diff --git a/gateway-demo-ldap/src/main/java/org/apache/hadoop/gateway/security/ldap/SimpleLdapDirectoryServer.java
b/gateway-demo-ldap/src/main/java/org/apache/hadoop/gateway/security/ldap/SimpleLdapDirectoryServer.java
index 139b83b..efa8df8 100644
--- a/gateway-demo-ldap/src/main/java/org/apache/hadoop/gateway/security/ldap/SimpleLdapDirectoryServer.java
+++ b/gateway-demo-ldap/src/main/java/org/apache/hadoop/gateway/security/ldap/SimpleLdapDirectoryServer.java
@@ -18,6 +18,10 @@
 package org.apache.hadoop.gateway.security.ldap;
 
 import org.apache.commons.io.FileUtils;
+import org.apache.directory.api.ldap.model.entry.DefaultModification;
+import org.apache.directory.api.ldap.model.entry.ModificationOperation;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.directory.server.core.api.CoreSession;
 import org.apache.directory.server.core.api.DirectoryService;
 import org.apache.directory.server.core.api.partition.Partition;
@@ -50,6 +54,8 @@ public class SimpleLdapDirectoryServer {
     factory.init( UUID.randomUUID().toString() );
     service = factory.getDirectoryService();
 
+    enabledPosixSchema( service );
+
     Partition partition = factory.getPartitionFactory().createPartition(
         service.getSchemaManager(), "users", rootDn, 500, service.getInstanceLayout().getInstanceDirectory()
);
     service.addPartition( partition );
@@ -61,6 +67,14 @@ public class SimpleLdapDirectoryServer {
     server = new LdapServer();
     server.setTransports( transports );
     server.setDirectoryService( service );
+
+  }
+
+  private static void enabledPosixSchema( DirectoryService service ) throws LdapException
{
+    service.getSchemaManager().getLoadedSchema( "nis" ).enable();
+    service.getAdminSession().modify(
+        new Dn( "cn=nis,ou=schema" ),
+        new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, "m-disabled", "FALSE"
) );
   }
 
   public void start() throws Exception {

http://git-wip-us.apache.org/repos/asf/knox/blob/9619a398/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
index 1006053..888b6a9 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
@@ -133,6 +133,8 @@ public class KnoxLdapRealm extends JndiLdapRealm {
 
     private final static String  MEMBER_URL = "memberUrl";
 
+    private final static String POSIX_GROUP = "posixGroup";
+
     private static final String HASHING_ALGORITHM = "SHA-1";
 
     static {
@@ -303,6 +305,9 @@ public class KnoxLdapRealm extends JndiLdapRealm {
               }
             }
           } else {
+            if (groupObjectClass.equalsIgnoreCase(POSIX_GROUP)){
+              attrValue = memberAttributeValuePrefix + attrValue + memberAttributeValueSuffix;
+            }
             if (userLdapDn.equals(new LdapName(attrValue))) {
               groupNames.add(groupName);
               String roleName = roleNameFor(groupName);

http://git-wip-us.apache.org/repos/asf/knox/blob/9619a398/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest.java
b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest.java
new file mode 100644
index 0000000..b8d520f
--- /dev/null
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest.java
@@ -0,0 +1,314 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway;
+
+import com.mycila.xmltool.XMLDoc;
+import com.mycila.xmltool.XMLTag;
+import org.apache.directory.server.protocol.shared.transport.TcpTransport;
+import org.apache.hadoop.gateway.config.GatewayConfig;
+import org.apache.hadoop.gateway.security.ldap.SimpleLdapDirectoryServer;
+import org.apache.hadoop.gateway.services.DefaultGatewayServices;
+import org.apache.hadoop.gateway.services.GatewayServices;
+import org.apache.hadoop.gateway.services.ServiceLifecycleException;
+import org.apache.hadoop.gateway.services.security.AliasService;
+import org.apache.hadoop.test.category.FunctionalTests;
+import org.apache.http.HttpStatus;
+import org.apache.log4j.Appender;
+import org.hamcrest.MatcherAssert;
+import org.hamcrest.Matchers;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.ServerSocket;
+import java.net.URL;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
+import static com.jayway.restassured.RestAssured.given;
+import static org.apache.hadoop.test.TestUtils.LOG_ENTER;
+import static org.apache.hadoop.test.TestUtils.LOG_EXIT;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+
+/**
+ * Functional test to verify : looking up ldap groups from directory 
+ * and using them in acl authorization checks
+ *
+ */
+@Category(FunctionalTests.class)
+public class GatewayLdapPosixGroupFuncTest {
+
+  private static final long SHORT_TIMEOUT = 2000L;
+  private static final long MEDIUM_TIMEOUT = 5 * 1000L;
+
+  private static Class RESOURCE_BASE_CLASS = GatewayLdapPosixGroupFuncTest.class;
+  private static Logger LOG = LoggerFactory.getLogger( GatewayLdapPosixGroupFuncTest.class
);
+
+  public static Enumeration<Appender> appenders;
+  public static GatewayConfig config;
+  public static GatewayServer gateway;
+  public static String gatewayUrl;
+  public static String clusterUrl;
+  public static SimpleLdapDirectoryServer ldap;
+  public static TcpTransport ldapTransport;
+
+  @BeforeClass
+  public static void setupSuite() throws Exception {
+    LOG_ENTER();
+    //appenders = NoOpAppender.setUp();
+    int port = setupLdap();
+    setupGateway(port);
+    LOG_EXIT();
+  }
+
+  @AfterClass
+  public static void cleanupSuite() throws Exception {
+    LOG_ENTER();
+    gateway.stop();
+    ldap.stop( true );
+    //FileUtils.deleteQuietly( new File( config.getGatewayHomeDir() ) );
+    //NoOpAppender.tearDown( appenders );
+    LOG_EXIT();
+  }
+
+  public static int setupLdap() throws Exception {
+    URL usersUrl = getResourceUrl( "users.ldif" );
+    int port = findFreePort();
+    ldapTransport = new TcpTransport( port );
+    ldap = new SimpleLdapDirectoryServer( "dc=hadoop,dc=apache,dc=org", new File( usersUrl.toURI()
), ldapTransport );
+    ldap.start();
+    LOG.info( "LDAP port = " + ldapTransport.getPort() );
+    return port;
+  }
+
+  public static void setupGateway(int ldapPort) throws Exception {
+
+    File targetDir = new File( System.getProperty( "user.dir" ), "target" );
+    File gatewayDir = new File( targetDir, "gateway-home-" + UUID.randomUUID() );
+    gatewayDir.mkdirs();
+
+    GatewayTestConfig testConfig = new GatewayTestConfig();
+    config = testConfig;
+    testConfig.setGatewayHomeDir( gatewayDir.getAbsolutePath() );
+
+    File topoDir = new File( testConfig.getGatewayTopologyDir() );
+    topoDir.mkdirs();
+
+    File deployDir = new File( testConfig.getGatewayDeploymentDir() );
+    deployDir.mkdirs();
+
+    File descriptor = new File( topoDir, "test-cluster.xml" );
+    FileOutputStream stream = new FileOutputStream( descriptor );
+    createTopology(ldapPort).toStream( stream );
+    stream.close();
+
+    DefaultGatewayServices srvcs = new DefaultGatewayServices();
+    Map<String,String> options = new HashMap<String,String>();
+    options.put( "persist-master", "true" );
+    options.put( "master", "hadoop" );
+
+    try {
+      srvcs.init( testConfig, options );
+    } catch ( ServiceLifecycleException e ) {
+      e.printStackTrace(); // I18N not required.
+    }
+
+    gateway = GatewayServer.startGateway( testConfig, srvcs );
+    MatcherAssert.assertThat( "Failed to start gateway.", gateway, notNullValue() );
+
+    LOG.info( "Gateway port = " + gateway.getAddresses()[ 0 ].getPort() );
+
+    gatewayUrl = "http://localhost:" + gateway.getAddresses()[0].getPort() + "/" + config.getGatewayPath();
+    clusterUrl = gatewayUrl + "/test-cluster";
+
+    GatewayServices services = GatewayServer.getGatewayServices();
+    AliasService aliasService = (AliasService)services.getService(GatewayServices.ALIAS_SERVICE);
+    aliasService.addAliasForCluster("test-cluster", "ldcSystemPassword", "guest-password");
+
+    char[] password1 = aliasService.getPasswordFromAliasForCluster( "test-cluster", "ldcSystemPassword");
+
+    descriptor = new File( topoDir, "test-cluster.xml" );
+    stream = new FileOutputStream( descriptor );
+    createTopology(ldapPort).toStream( stream );
+    stream.close();
+
+    try {
+      Thread.sleep(5000);
+    } catch (Exception e) {
+
+    }
+  }
+
+  private static XMLTag createTopology(int ldapPort) {
+    XMLTag xml = XMLDoc.newDocument( true )
+        .addRoot( "topology" )
+        .addTag( "gateway" )
+
+        .addTag( "provider" )
+        .addTag( "role" ).addText( "authentication" )
+        .addTag( "name" ).addText( "ShiroProvider" )
+        .addTag( "enabled" ).addText( "true" )
+        .addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm" )
+        .addTag( "value" ).addText( "org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm"
)
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapGroupContextFactory" )
+        .addTag( "value" ).addText( "org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory"
)
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory" )
+        .addTag( "value" ).addText( "$ldapGroupContextFactory" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory.authenticationMechanism"
)
+        .addTag( "value" ).addText( "simple" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory.url" )
+        .addTag( "value" ).addText( "ldap://localhost:" + ldapPort )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.userDnTemplate" )
+        .addTag( "value" ).addText( "uid={0},ou=people,dc=hadoop,dc=apache,dc=org" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.authorizationEnabled" )
+        .addTag( "value" ).addText( "true" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemAuthenticationMechanism"
)
+        .addTag( "value" ).addText( "simple" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.searchBase" )
+        .addTag( "value" ).addText( "ou=groups,dc=hadoop,dc=apache,dc=org" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.groupObjectClass" )
+        .addTag( "value" ).addText( "posixGroup" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.memberAttribute" )
+        .addTag( "value" ).addText( "memberUid" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.memberAttributeValueTemplate" )
+        .addTag( "value" ).addText( "uid={0}" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory.clusterName" )
+        .addTag( "value" ).addText( "test-cluster" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemUsername" )
+        .addTag( "value" ).addText( "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemPassword" )
+        .addTag( "value" ).addText( "S{ALIAS=ldcSystemPassword}" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "urls./**" )
+        .addTag( "value" ).addText( "authcBasic" )
+
+        .gotoParent().gotoParent().addTag( "provider" )
+        .addTag( "role" ).addText( "authorization" )
+        .addTag( "name" ).addText( "AclsAuthz" )
+        .addTag( "enabled" ).addText( "true" )
+        .addTag( "param" )
+        .addTag( "name" ).addText( "test-service-role.acl" )
+        .addTag( "value" ).addText( "*;analyst;*" )
+
+        .gotoParent().gotoParent().addTag( "provider" )
+        .addTag( "role" ).addText( "identity-assertion" )
+        .addTag( "enabled" ).addText( "true" )
+        .addTag( "name" ).addText( "Default" ).gotoParent()
+
+        .gotoRoot()
+        .addTag( "service" )
+        .addTag( "role" ).addText( "test-service-role" )
+        .gotoRoot();
+
+    return xml;
+  }
+
+  private static int findFreePort() throws IOException {
+    ServerSocket socket = new ServerSocket(0);
+    int port = socket.getLocalPort();
+    socket.close();
+    return port;
+  }
+
+  public static InputStream getResourceStream( String resource ) throws IOException {
+    return getResourceUrl( resource ).openStream();
+  }
+
+  public static URL getResourceUrl( String resource ) {
+    URL url = ClassLoader.getSystemResource( getResourceName( resource ) );
+    assertThat( "Failed to find test resource " + resource, url, Matchers.notNullValue()
);
+    return url;
+  }
+
+  public static String getResourceName( String resource ) {
+    return getResourceBaseName() + resource;
+  }
+
+  public static String getResourceBaseName() {
+    return RESOURCE_BASE_CLASS.getName().replaceAll( "\\.", "/" ) + "/";
+  }
+
+  @Ignore
+  // @Test
+  public void waitForManualTesting() throws IOException {
+    System.in.read();
+  }
+
+  @Test( timeout = MEDIUM_TIMEOUT )
+  public void testGroupMember() throws ClassNotFoundException, Exception {
+    LOG_ENTER();
+    String username = "sam";
+    String password = "sam-password";
+    String serviceUrl =  clusterUrl + "/test-service-path/test-service-resource";
+    given()
+        //.log().all()
+        .auth().preemptive().basic( username, password )
+        .expect()
+        //.log().all()
+        .statusCode( HttpStatus.SC_OK )
+        .contentType( "text/plain" )
+        .body( is( "test-service-response" ) )
+        .when().get( serviceUrl );
+    LOG_EXIT();
+  }
+
+  @Test( timeout = MEDIUM_TIMEOUT )
+  public void testNonGroupMember() throws ClassNotFoundException {
+    LOG_ENTER();
+    String username = "guest";
+    String password = "guest-password";
+    String serviceUrl =  clusterUrl + "/test-service-path/test-service-resource";
+    given()
+        //.log().all()
+        .auth().preemptive().basic( username, password )
+        .expect()
+        //.log().all()
+        .statusCode( HttpStatus.SC_FORBIDDEN )
+        .when().get( serviceUrl );
+    LOG_EXIT();
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/9619a398/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest/users.ldif
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest/users.ldif
b/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest/users.ldif
new file mode 100644
index 0000000..b7ef6e2
--- /dev/null
+++ b/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest/users.ldif
@@ -0,0 +1,106 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This ldif file is provided as a template to illustrate
+# use of posix style ldapgroup(s)
+
+version: 1
+
+# Sample root for entries
+dn: dc=hadoop,dc=apache,dc=org
+objectclass: organization
+objectclass: dcObject
+o: Hadoop
+dc: hadoop
+
+# Sample people container
+dn: ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: people
+
+# Sample user
+dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+objectclass:posixAccount
+cn:Guest
+sn:User
+uid:guest
+uidNumber:1000
+gidNumber:101
+userPassword:guest-password
+homeDirectory:/home/guest
+
+# Sample user sam
+dn:uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+objectclass:posixAccount
+cn:sam
+sn:sam
+uid:sam
+uidNumber:1001
+gidNumber:101
+userPassword:sam-password
+homeDirectory:/home/sam
+
+# Sample user tom
+dn:uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+objectclass:posixAccount
+cn:tom
+sn:tom
+uid:tom
+uidNumber:1002
+gidNumber:100
+userPassword:tom-password
+homeDirectory:/home/tom
+
+# Create groups branch
+dn:ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou:groups
+description:generic groups branch
+
+# Create the analyst group under groups
+dn:cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:posixGroup
+cn:analyst
+gidNumber:100
+description:analyst group
+memberUid:sam
+memberUid:tom
+
+
+# Create the scientist group under groups
+dn:cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:posixGroup
+cn:scientist
+gidNumber:101
+description:scientist group
+memberUid:sam
+


Mime
View raw message