apache/kyuubi
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

[KYUUBI #712] add a new config property authentication.ldap.guidKey

Browse Source 
for fix issues : https://github.com/NetEase/kyuubi/issues/709

my ldap env use cn but uid for login, uid is the defaut behavior by kyuubi :
![image](https://user-images.githubusercontent.com/19989300/123198110-23e5f280-d4df-11eb-852e-b002dc6f06b2.png)

then try to connect kyuubi :
![image](https://user-images.githubusercontent.com/19989300/123198301-6f000580-d4df-11eb-8ff8-fc0687bfc18a.png)
![image](https://user-images.githubusercontent.com/19989300/123198383-98209600-d4df-11eb-943f-554b4077eba6.png)

change kyuubi behavior to use cn:

![image](https://user-images.githubusercontent.com/19989300/123198493-c900cb00-d4df-11eb-9d6b-2a717010523b.png)

then try to connect kyuubi :

![image](https://user-images.githubusercontent.com/19989300/123198615-01080e00-d4e0-11eb-9e6c-c5d84ada3a61.png)

Closes #712 from lordk911/branch-1.2.

Closes #712

0ab1a5b0 [kshen] add a new config property authentication.ldap.guidKey
24fb1bc3 [kshen] add a new config property authentication.ldap.guidKey

Authored-by: kshen <kshen@gaojihealth.com>
Signed-off-by: Kent Yao <yao@apache.org>
This commit is contained in:
kshen 2021-06-24 22:46:36 +08:00 committed by Kent Yao
parent a6ab236b33
commit 3b0852d0c6
No known key found for this signature in database
GPG Key ID: F7051850A0AF904D
3 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/deployment/settings.md
View File

@ -105,6 +105,7 @@ Key | Default | Meaning | Type | Since
kyuubi\.authentication|<div style='width: 65pt;word-wrap: break-word;white-space: normal'>NONE</div>|<div style='width: 170pt;word-wrap: break-word;white-space: normal'>Client authentication types.<ul> <li>NOSASL: raw transport.</li> <li>NONE: no authentication check.</li> <li>KERBEROS: Kerberos/GSSAPI authentication.</li> <li>LDAP: Lightweight Directory Access Protocol authentication.</li></ul></div>|<div style='width: 30pt'>string</div>|<div style='width: 20pt'>1.0.0</div>
kyuubi\.authentication<br>\.ldap\.base\.dn|<div style='width: 65pt;word-wrap: break-word;white-space: normal'>&lt;undefined&gt;</div>|<div style='width: 170pt;word-wrap: break-word;white-space: normal'>LDAP base DN.</div>|<div style='width: 30pt'>string</div>|<div style='width: 20pt'>1.0.0</div>
kyuubi\.authentication<br>\.ldap\.domain|<div style='width: 65pt;word-wrap: break-word;white-space: normal'>&lt;undefined&gt;</div>|<div style='width: 170pt;word-wrap: break-word;white-space: normal'>LDAP domain.</div>|<div style='width: 30pt'>string</div>|<div style='width: 20pt'>1.0.0</div>
kyuubi\.authentication<br>\.ldap\.guidKey|<div style='width: 65pt;word-wrap: break-word;white-space: normal'>uid</div>|<div style='width: 170pt;word-wrap: break-word;white-space: normal'>LDAP attribute name whose values are unique in this LDAP server.For example:uid or cn.</div>|<div style='width: 30pt'>string</div>|<div style='width: 20pt'>1.2.0</div>
kyuubi\.authentication<br>\.ldap\.url|<div style='width: 65pt;word-wrap: break-word;white-space: normal'>&lt;undefined&gt;</div>|<div style='width: 170pt;word-wrap: break-word;white-space: normal'>SPACE character separated LDAP connection URL(s).</div>|<div style='width: 30pt'>string</div>|<div style='width: 20pt'>1.0.0</div>
kyuubi\.authentication<br>\.sasl\.qop|<div style='width: 65pt;word-wrap: break-word;white-space: normal'>auth</div>|<div style='width: 170pt;word-wrap: break-word;white-space: normal'>Sasl QOP enable higher levels of protection for Kyuubi communication with clients.<ul> <li>auth - authentication only (default)</li> <li>auth-int - authentication plus integrity protection</li> <li>auth-conf - authentication plus integrity and confidentiality protection. This is applicable only if Kyuubi is configured to use Kerberos authentication.</li> </ul></div>|<div style='width: 30pt'>string</div>|<div style='width: 20pt'>1.0.0</div>

8
kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala
View File

@ -314,6 +314,14 @@ object KyuubiConf {
.stringConf
.createOptional
val AUTHENTICATION_LDAP_GUIDKEY: ConfigEntry[String] =
buildConf("authentication.ldap.guidKey")
.doc("LDAP attribute name whose values are unique in this LDAP server." +
"For example:uid or cn.")
.version("1.2.0")
.stringConf
.createWithDefault("uid")
val DELEGATION_KEY_UPDATE_INTERVAL: ConfigEntry[Long] =
buildConf("delegation.key.update.interval")
.doc("unused yet")

3
kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImpl.scala
View File

@ -64,8 +64,9 @@ class LdapAuthenticationProviderImpl(conf: KyuubiConf) extends PasswdAuthenticat
user
}
val guidKey = conf.get(AUTHENTICATION_LDAP_GUIDKEY)
val bindDn = conf.get(AUTHENTICATION_LDAP_BASEDN) match {
case Some(dn) => "uid=" + u + "," + dn
case Some(dn) => guidKey + "=" + u + "," + dn
case _ => u
}