[jira] [Created] (KYLIN-5298) Kylin Ldap not enforcing role Authorities

Fri, 18 Nov 2022 09:32:23 -0800 

Rohan Nimmagadda created KYLIN-5298:
---------------------------------------

             Summary: Kylin Ldap not enforcing role Authorities
                 Key: KYLIN-5298
                 URL: https://issues.apache.org/jira/browse/KYLIN-5298
             Project: Kylin
          Issue Type: Bug
          Components: Others, Security
    Affects Versions: v4.0.2
            Reporter: Rohan Nimmagadda


After enabling Ldap with following changes , Kylin is not enforcing pre-defined 
roles to login to UI with Ldap accounts tested on V4.0.3 and V4.0.2 getting 
same behavior 

Here are the properties in kylin.properties 
{code:java}
kylin.security.profile=ldap
kylin.security.acl.admin-role=admin_group
kylin.security.ldap.connection-server=ldaps://ldap-server.com:port
kylin.security.ldap.connection-username=CN=Ldap_user,OU=ServiceAccounts,DC=corp,DC=target,DC=com
kylin.security.ldap.connection-password=Encrypted_password
kylin.security.ldap.connection-truststore=/cacerts
# LDAP user account directory;
kylin.security.ldap.user-search-base=OU=People,DC=corp,DC=my_company,DC=com
kylin.security.ldap.user-search-pattern=sAMAccountName={0}
kylin.security.ldap.user-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
kylin.security.ldap.user-group-search-filter=(|(sAMAccountName={0})(sAMAccountNameUid={1}))
# LDAP service account directory
kylin.security.ldap.service-search-base=OU=People,DC=corp,DC=my_company,DC=com
kylin.security.ldap.service-search-pattern=sAMAccountName={0}
kylin.security.ldap.service-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
 {code}
 

With above settings when tried to login the UI we are getting below exception 
with no Authorities 

 
{code:java}
2022-11-18 11:20:26,119 DEBUG [http-nio-7070-exec-1] 
security.KylinAuthenticationProvider:126 : Authenticated user 
UsernamePasswordAuthenticationToken 
[Principal=org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@47a6c9ab:
 Dn: cn=USER,ou=Employees,ou=People,dc=corp,dc=my_company,dc=com; Username: 
USER; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; 
CredentialsNonExpired: true; AccountNonLocked: true; Not granted any 
authorities, Credentials=[PROTECTED], Authenticated=true, 
Details=WebAuthenticationDetails [RemoteIpAddress=10.XX.XX.XXX, 
SessionId=null], Granted Authorities=[]] {code}

As per documentation _the kylin.security.acl.default-role is deprecated. It not 
enforcing any Kylin Authorities_ 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to