ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sailaja Polavarapu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-1554) Ranger AD search filter is not get honored when logging into admin UI
Date Tue, 02 May 2017 21:20:04 GMT

    [ https://issues.apache.org/jira/browse/RANGER-1554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15993778#comment-15993778

Sailaja Polavarapu commented on RANGER-1554:

The spring framework version that is used in ranger has a bug where the search filter is hard
coded to "(&(objectClass=user)(userPrincipalName=
))" and has no api to overwrite this value. This will let all the users in the root domain
(derived from the domain name in the configuration) to authenticate as long as the password
is valid.
Currenly Ranger uses 3.1.3 release version for springframework security. Looks like this is
fixed in 3.2.7 onwards where there is an API to modify the search filter. 

> Ranger AD search filter is not get honored when logging into admin UI
> ---------------------------------------------------------------------
>                 Key: RANGER-1554
>                 URL: https://issues.apache.org/jira/browse/RANGER-1554
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 0.7.0
>            Reporter: Sailaja Polavarapu
>            Assignee: Sailaja Polavarapu
>             Fix For: 1.0.0
> In order to allow only users of a particular group to login to Ranger Admin UI, we set
the search filter as below in ranger-admin-site.xml :
> —
> <property>
> <name>ranger.ldap.user.searchfilter</name>
> <value>(&(sAMAccountName=
> {0})(memberOf=CN=grp1,OU=groups1,DC=apache,DC=org))</value>
> </property>
> —
> But still the users from other groups like grp2 are able to login to ranger admin UI.

This message was sent by Atlassian JIRA

View raw message