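/**
 * Accepts the user only when the configured custom LDAP query returns a DN that
 * matches the login name, either by its RDN short name or by the full DN.
 *
 * @param client directory search handle, already bound with the user's credentials
 * @param user   login name supplied by the client
 * @throws AuthenticationException when the query fails, or when no returned DN
 *                                 matches {@code user}
 */
@Override
public void apply(DirSearch client, String user) throws AuthenticationException {
  List<String> resultList;
  try {
    resultList = client.executeCustomQuery(query);
  } catch (NamingException e) {
    // keep the directory exception as the cause for the server log; the caller
    // only sees the generic message
    throw new AuthenticationException("LDAP Authentication failed for user", e);
  }
  // the search API may hand back null for "no results"; treat it like an empty list
  if (resultList != null) {
    for (String matchedDn : resultList) {
      String shortUserName = LdapUtils.getShortName(matchedDn);
      // Per-candidate comparison is diagnostic detail: log it at DEBUG with
      // parameterized formatting (as GroupMembershipKeyFilter does) instead of
      // emitting every DN the query returned at INFO on each login.
      LOG.debug("<queried user={},user={}>", shortUserName, user);
      if (shortUserName.equalsIgnoreCase(user) || matchedDn.equalsIgnoreCase(user)) {
        LOG.info("Authentication succeeded based on result set from LDAP query");
        return;
      }
    }
  }
  LOG.info("Authentication failed based on result set from custom LDAP query");
  throw new AuthenticationException("Authentication failed: LDAP query "
      + "from property returned no data");
}
}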
/**
 * User-membership filter, positive path: the directory reports the user as a member of
 * the single configured group, so authentication completes and the search handle is closed.
 */
@Test
public void testAuthenticateWhenUserMembershipKeyFilterPasses()
    throws NamingException, AuthenticationException, IOException {
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "HIVE-USERS");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN, "dc=mycorp,dc=com");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERMEMBERSHIP_KEY, "memberOf");

  final String user = "user1";
  final String password = "Blah";
  final String hiveUsersDn = "cn=HIVE-USERS,ou=Groups,dc=mycorp,dc=com";
  when(search.findUserDn(user)).thenReturn("cn=user1,ou=PowerUsers,dc=mycorp,dc=com");
  when(search.findGroupDn("HIVE-USERS")).thenReturn(hiveUsersDn);
  when(search.isUserMemberOfGroup(user, hiveUsersDn)).thenReturn(true);

  auth = new LdapAuthenticationProviderImpl(conf, factory);
  auth.Authenticate(user, password);

  // exactly one bind, one group lookup and one membership check; handle released afterwards
  verify(factory).getInstance(isA(HiveConf.class), anyString(), eq(password));
  verify(search).findGroupDn(anyString());
  verify(search).isUserMemberOfGroup(anyString(), anyString());
  verify(search, atLeastOnce()).close();
}
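/**
 * Accepts the user when at least one group the directory reports for the user's DN has
 * a short name that appears in the configured group filter.
 *
 * @param ldap directory search handle, already bound with the user's credentials
 * @param user login name supplied by the client
 * @throws AuthenticationException when the DN or group lookup fails, or when none of the
 *                                 user's groups is in the filter
 */
@Override
public void apply(DirSearch ldap, String user) throws AuthenticationException {
  LOG.info("Authenticating user '{}' using {}", user, GroupMembershipKeyFilter.class.getSimpleName());
  List<String> memberOf;
  try {
    String userDn = ldap.findUserDn(user);
    memberOf = ldap.findGroupsForUser(userDn);
    LOG.debug("User {} member of : {}", userDn, memberOf);
  } catch (NamingException e) {
    throw new AuthenticationException("LDAP Authentication failed for user", e);
  }
  // A null group list means "no groups", not an internal error: fall through to the
  // rejection below rather than failing with an NPE in the loop.
  if (memberOf != null) {
    for (String groupDn : memberOf) {
      String shortName = LdapUtils.getShortName(groupDn);
      // NOTE(review): contains() is an exact match unless groupFilter is a
      // case-insensitive collection; the custom-query filter compares with
      // equalsIgnoreCase — confirm which behaviour is intended.
      if (groupFilter.contains(shortName)) {
        LOG.debug("GroupMembershipKeyFilter passes: user '{}' is a member of '{}' group", user, groupDn);
        LOG.info("Authentication succeeded based on group membership");
        return;
      }
    }
  }
  LOG.info("Authentication failed based on user membership");
  throw new AuthenticationException("Authentication failed: " + "User not a member of specified list");
}
}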
for (String groupId : groupFilter) { try { String groupDn = ldap.findGroupDn(groupId); groupDns.add(groupDn); } catch (NamingException e) { if (ldap.isUserMemberOfGroup(user, groupDn)) { LOG.debug("UserMembershipKeyFilter passes: user '{}' is a member of '{}' group", user, groupDn);
/**
 * User-membership filter, negative path: the directory denies membership in the only
 * configured group, so authentication must raise {@link AuthenticationException}.
 */
@Test
public void testAuthenticateWhenUserMembershipKeyFilterFails()
    throws NamingException, AuthenticationException, IOException {
  thrown.expect(AuthenticationException.class);

  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "HIVE-USERS");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN, "dc=mycorp,dc=com");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERMEMBERSHIP_KEY, "memberOf");

  final String user = "user1";
  final String hiveUsersDn = "cn=HIVE-USERS,ou=Groups,dc=mycorp,dc=com";
  when(search.findUserDn(user)).thenReturn("cn=user1,ou=PowerUsers,dc=mycorp,dc=com");
  when(search.findGroupDn("HIVE-USERS")).thenReturn(hiveUsersDn);
  // the group resolves, but the user is not in it
  when(search.isUserMemberOfGroup(user, hiveUsersDn)).thenReturn(false);

  auth = new LdapAuthenticationProviderImpl(conf, factory);
  auth.Authenticate(user, "Blah");
}
/**
 * Confirms that the bound login name resolves to a user entry in the directory.
 *
 * @param client directory search handle obtained by binding with the user's credentials
 * @param user   login name supplied by the client
 * @throws AuthenticationException when the search fails or finds no DN for {@code user}
 */
@Override
public void apply(DirSearch client, String user) throws AuthenticationException {
  String userDn;
  try {
    userDn = client.findUserDn(user);
  } catch (NamingException e) {
    throw new AuthenticationException("LDAP Authentication failed for user", e);
  }
  // The bind that produced this handle used the same login name, so a DN is expected;
  // the guard covers the case where the bind was in fact anonymous.
  if (userDn == null) {
    throw new AuthenticationException("Authentication failed: User search failed");
  }
}
}
/**
 * Custom query and user filter configured together: the login name is in the user filter
 * but absent from the custom query's result set, and authentication is expected to fail.
 * The search handle must still be closed on this failure path.
 */
@Test
public void testAuthenticateWhenCustomQueryFilterFailsAndUserFilterPasses()
    throws NamingException, AuthenticationException, IOException {
  thrown.expect(AuthenticationException.class);

  final String user = "user3";
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN, "dc=mycorp,dc=com");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_CUSTOMLDAPQUERY,
      "(&(objectClass=person)(|(memberOf=CN=Domain Admins,CN=Users,DC=apache,DC=org)(memberOf=CN=Administrators,CN=Builtin,DC=apache,DC=org)))");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERFILTER, user);

  when(search.findUserDn(user)).thenReturn("cn=user3,ou=PowerUsers,dc=mycorp,dc=com");
  // the query answers with other users only
  List<String> queryHits = Arrays.asList(
      "cn=user1,ou=PowerUsers,dc=mycorp,dc=com",
      "cn=user2,ou=PowerUsers,dc=mycorp,dc=com");
  when(search.executeCustomQuery(anyString())).thenReturn(queryHits);

  authenticateUserAndCheckSearchIsClosed(user);
}
/**
 * No user or group filter, two user DN patterns: binding with the first pattern is
 * rejected, binding with the second succeeds, and both attempts are observed on the
 * factory. Uses a test-local factory so the stubbing does not touch the shared field.
 */
@Test
public void testAuthenticateNoUserOrGroupFilter()
    throws NamingException, AuthenticationException, IOException {
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN,
      "cn=%s,ou=Users,dc=mycorp,dc=com:cn=%s,ou=PowerUsers,dc=mycorp,dc=com");

  final String user = "user1";
  final String password = "Blah";
  final String rejectedDn = "cn=user1,ou=Users,dc=mycorp,dc=com";
  final String acceptedDn = "cn=user1,ou=PowerUsers,dc=mycorp,dc=com";

  // local mock (not the shared 'factory' field) so only this test sees these bind outcomes
  DirSearchFactory patternFactory = mock(DirSearchFactory.class);
  when(search.findUserDn(user)).thenReturn(acceptedDn);
  when(patternFactory.getInstance(conf, acceptedDn, password)).thenReturn(search);
  when(patternFactory.getInstance(conf, rejectedDn, password)).thenThrow(AuthenticationException.class);

  auth = new LdapAuthenticationProviderImpl(conf, patternFactory);
  auth.Authenticate(user, password);

  verify(patternFactory, times(2)).getInstance(isA(HiveConf.class), anyString(), eq(password));
  verify(search, atLeastOnce()).close();
}
/**
 * User-membership filter applied directly: both configured groups resolve to DNs, but
 * no membership is stubbed for the user, so the filter must reject.
 */
@Test(expected = AuthenticationException.class)
public void testUserMembershipKeyFilterApplyNegative()
    throws AuthenticationException, NamingException, IOException {
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERMEMBERSHIP_KEY, "memberOf");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "Group1,Group2");

  when(search.findGroupDn("Group1")).thenReturn("cn=Group1,dc=a,dc=b");
  when(search.findGroupDn("Group2")).thenReturn("cn=Group2,dc=a,dc=b");
  // isUserMemberOfGroup is deliberately left unstubbed: the mock answers false

  Filter underTest = factory.getInstance(conf);
  underTest.apply(search, "User1");
}
}
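/**
 * Group-membership filter applied directly: the user's groups do not include the
 * configured "HiveUsers", so the filter must reject.
 *
 * The filter resolves the user's DN first and asks for the groups of that DN, so the
 * group stub is keyed on the resolved DN; a stub keyed on the bare login name is never
 * consulted and the test would pass only because the unstubbed call returns an empty list.
 */
@Test(expected = AuthenticationException.class)
public void testGroupMembershipKeyFilterApplyNegative()
    throws AuthenticationException, NamingException, IOException {
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "HiveUsers");

  final String user = "user1";
  final String userDn = "cn=user1,dc=a,dc=b";
  when(search.findUserDn(eq(user))).thenReturn(userDn);
  when(search.findGroupsForUser(eq(userDn)))
      .thenReturn(Arrays.asList("SuperUsers", "Office1", "G1", "G2"));

  Filter filter = factory.getInstance(conf);
  filter.apply(search, user);
}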
/**
 * Builds a provider from the shared conf and factory, authenticates {@code user}, and
 * verifies that the directory search handle is closed whether or not authentication
 * succeeds; any {@link AuthenticationException} propagates to the caller.
 *
 * @param user login name to authenticate
 * @throws IOException from {@code Authenticate}, including its authentication failures
 */
private void authenticateUserAndCheckSearchIsClosed(String user) throws IOException {
  final String anyPassword = "password doesn't matter";
  auth = new LdapAuthenticationProviderImpl(conf, factory);
  try {
    auth.Authenticate(user, anyPassword);
  } finally {
    // close() must be reached on the failure path as well as on success
    verify(search, atLeastOnce()).close();
  }
}
}
/**
 * User-membership filter applied directly with a bare login name: membership in the
 * second configured group is enough for the filter to accept.
 */
@Test
public void testUserMembershipKeyFilterApplyPositiveWithUserId()
    throws AuthenticationException, NamingException, IOException {
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERMEMBERSHIP_KEY, "memberOf");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "Group1,Group2");

  final String userId = "User1";
  final String group2Dn = "cn=Group2,dc=a,dc=b";
  when(search.findGroupDn("Group1")).thenReturn("cn=Group1,dc=a,dc=b");
  when(search.findGroupDn("Group2")).thenReturn(group2Dn);
  // member of Group2 only; Group1 membership stays at the mock default (false)
  when(search.isUserMemberOfGroup(userId, group2Dn)).thenReturn(true);

  Filter underTest = factory.getInstance(conf);
  underTest.apply(search, userId);
}
/**
 * User filter listing two names: each of them authenticates, and the search handle is
 * closed after every attempt.
 */
@Test
public void testAuthenticateWhenUserFilterPasses()
    throws NamingException, AuthenticationException, IOException {
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERFILTER, "user1,user2");

  when(search.findUserDn("user1")).thenReturn("cn=user1,ou=PowerUsers,dc=mycorp,dc=com");
  when(search.findUserDn("user2")).thenReturn("cn=user2,ou=PowerUsers,dc=mycorp,dc=com");

  for (String allowedUser : new String[] {"user1", "user2"}) {
    authenticateUserAndCheckSearchIsClosed(allowedUser);
  }
}
/**
 * Group-membership filter listing two groups: each user belongs to exactly one of them
 * (plus an unrelated group), and both authenticate with the handle closed afterwards.
 */
@Test
public void testAuthenticateWhenGroupMembershipKeyFilterPasses()
    throws NamingException, AuthenticationException, IOException {
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "group1,group2");

  final String user1Dn = "cn=user1,ou=PowerUsers,dc=mycorp,dc=com";
  final String user2Dn = "cn=user2,ou=PowerUsers,dc=mycorp,dc=com";
  final String unrelatedGroupDn = "cn=testGroup,ou=Groups,dc=mycorp,dc=com";
  when(search.findUserDn("user1")).thenReturn(user1Dn);
  when(search.findUserDn("user2")).thenReturn(user2Dn);
  when(search.findGroupsForUser(user1Dn))
      .thenReturn(Arrays.asList(unrelatedGroupDn, "cn=group1,ou=Groups,dc=mycorp,dc=com"));
  when(search.findGroupsForUser(user2Dn))
      .thenReturn(Arrays.asList(unrelatedGroupDn, "cn=group2,ou=Groups,dc=mycorp,dc=com"));

  for (String member : new String[] {"user1", "user2"}) {
    authenticateUserAndCheckSearchIsClosed(member);
  }
}
/**
 * User-membership filter with two groups and explicit group/user DN patterns: the
 * membership check for the first group throws a {@link NamingException}, the second
 * reports membership. Authentication succeeds and both groups are consulted, i.e. a
 * failing membership lookup does not short-circuit the remaining groups.
 */
@Test
public void testAuthenticateWhenUserMembershipKeyFilter2x2PatternsPasses()
    throws NamingException, AuthenticationException, IOException {
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "HIVE-USERS1,HIVE-USERS2");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPDNPATTERN,
      "cn=%s,ou=Groups,ou=branch1,dc=mycorp,dc=com");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN,
      "cn=%s,ou=Userss,ou=branch1,dc=mycorp,dc=com");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERMEMBERSHIP_KEY, "memberOf");

  final String user = "user1";
  final String password = "Blah";
  final String group1Dn = "cn=HIVE-USERS1,ou=Groups,ou=branch1,dc=mycorp,dc=com";
  final String group2Dn = "cn=HIVE-USERS2,ou=Groups,ou=branch1,dc=mycorp,dc=com";
  when(search.findUserDn(user)).thenReturn("cn=user1,ou=PowerUsers,dc=mycorp,dc=com");
  when(search.findGroupDn("HIVE-USERS1")).thenReturn(group1Dn);
  when(search.findGroupDn("HIVE-USERS2")).thenReturn(group2Dn);
  // first group: directory error; second group: member
  when(search.isUserMemberOfGroup(user, group1Dn)).thenThrow(NamingException.class);
  when(search.isUserMemberOfGroup(user, group2Dn)).thenReturn(true);

  auth = new LdapAuthenticationProviderImpl(conf, factory);
  auth.Authenticate(user, password);

  verify(factory).getInstance(isA(HiveConf.class), anyString(), eq(password));
  verify(search, times(2)).findGroupDn(anyString());
  verify(search, times(2)).isUserMemberOfGroup(anyString(), anyString());
  verify(search, atLeastOnce()).close();
}
/**
 * User-membership filter applied directly with a full user DN instead of a login name:
 * membership in the second configured group is enough for the filter to accept.
 */
@Test
public void testUserMembershipKeyFilterApplyPositiveWithUserDn()
    throws AuthenticationException, NamingException, IOException {
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERMEMBERSHIP_KEY, "memberOf");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "Group1,Group2");

  final String userDn = "cn=User1,dc=a,dc=b";
  final String group2Dn = "cn=Group2,dc=a,dc=b";
  when(search.findGroupDn("Group1")).thenReturn("cn=Group1,dc=a,dc=b");
  when(search.findGroupDn("Group2")).thenReturn(group2Dn);
  // membership is stubbed against the DN form of the user
  when(search.isUserMemberOfGroup(userDn, group2Dn)).thenReturn(true);

  Filter underTest = factory.getInstance(conf);
  underTest.apply(search, userDn);
}
/**
 * Login name carries a domain suffix ("user1@mydomain.com") while the user filter lists
 * the bare name "user1"; authentication is expected to succeed, which implies the
 * provider matches the filter on the name without the domain part (behaviour lives in
 * the provider, not visible here).
 */
@Test
public void testAuthenticateWhenLoginWithDomainAndUserFilterPasses()
    throws NamingException, AuthenticationException, IOException {
  final String bareUser = "user1";
  final String loginWithDomain = "user1@mydomain.com";

  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERFILTER, bareUser);
  when(search.findUserDn(bareUser)).thenReturn("cn=user1,ou=PowerUsers,dc=mycorp,dc=com");

  authenticateUserAndCheckSearchIsClosed(loginWithDomain);
}
/**
 * Custom query filter, positive path: the query's result set contains the login user's
 * DN, so authentication succeeds and the search handle is closed.
 */
@Test
public void testAuthenticateWhenCustomQueryFilterPasses()
    throws NamingException, AuthenticationException, IOException {
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN, "dc=mycorp,dc=com");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_CUSTOMLDAPQUERY,
      "(&(objectClass=person)(|(memberOf=CN=Domain Admins,CN=Users,DC=apache,DC=org)(memberOf=CN=Administrators,CN=Builtin,DC=apache,DC=org)))");

  // the query text itself is not asserted; any query yields these two entries
  List<String> queryHits = Arrays.asList(
      "cn=user1,ou=PowerUsers,dc=mycorp,dc=com",
      "cn=user2,ou=PowerUsers,dc=mycorp,dc=com");
  when(search.executeCustomQuery(anyString())).thenReturn(queryHits);

  authenticateUserAndCheckSearchIsClosed("user1");
}
/**
 * User filter and group-membership filter configured together: both users are listed
 * in the user filter and each belongs to one of the configured groups, so both
 * authenticate and the handle is closed after each attempt.
 */
@Test
public void testAuthenticateWhenUserAndGroupMembershipKeyFiltersPass()
    throws NamingException, AuthenticationException, IOException {
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "group1,group2");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERFILTER, "user1,user2");

  final String user1Dn = "cn=user1,ou=PowerUsers,dc=mycorp,dc=com";
  final String user2Dn = "cn=user2,ou=PowerUsers,dc=mycorp,dc=com";
  final String unrelatedGroupDn = "cn=testGroup,ou=Groups,dc=mycorp,dc=com";
  when(search.findUserDn("user1")).thenReturn(user1Dn);
  when(search.findUserDn("user2")).thenReturn(user2Dn);
  when(search.findGroupsForUser(user1Dn))
      .thenReturn(Arrays.asList(unrelatedGroupDn, "cn=group1,ou=Groups,dc=mycorp,dc=com"));
  when(search.findGroupsForUser(user2Dn))
      .thenReturn(Arrays.asList(unrelatedGroupDn, "cn=group2,ou=Groups,dc=mycorp,dc=com"));

  for (String member : new String[] {"user1", "user2"}) {
    authenticateUserAndCheckSearchIsClosed(member);
  }
}
for (String groupId : groupFilter) { try { String groupDn = ldap.findGroupDn(groupId); groupDns.add(groupDn); } catch (NamingException e) { if (ldap.isUserMemberOfGroup(user, groupDn)) { LOG.debug("UserMembershipKeyFilter passes: user '{}' is a member of '{}' group", user, groupDn);