yujunjun/OpenMetadata
1
0
Fork 0
mirror of https://github.com/open-metadata/OpenMetadata.git synced 2025-10-19 12:50:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix Ldap Username issue (#17485)

Browse Source
This commit is contained in:
Mohit Yadav 2024-08-19 16:02:54 +05:30 committed by GitHub
parent b175e40e99
commit 2b915a53e9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 21 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
openmetadata-service/src/main/java/org/openmetadata/service/security/auth/LdapAuthenticator.java
View File

@ -33,7 +33,13 @@ import freemarker.template.TemplateException;
import java.io.IOException; import java.io.IOException;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.time.Instant; import java.time.Instant;
import java.util.*; import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.function.Function; import java.util.function.Function;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import javax.ws.rs.BadRequestException; import javax.ws.rs.BadRequestException;
@ -136,9 +142,7 @@ public class LdapAuthenticator implements AuthenticatorHandler {
checkIfLoginBlocked(loginRequest.getEmail()); checkIfLoginBlocked(loginRequest.getEmail());
User storedUser = lookUserInProvider(loginRequest.getEmail()); User storedUser = lookUserInProvider(loginRequest.getEmail());
validatePassword(storedUser.getEmail(), storedUser, loginRequest.getPassword()); validatePassword(storedUser.getEmail(), storedUser, loginRequest.getPassword());
User omUser = User omUser = checkAndCreateUser(storedUser.getEmail(), storedUser.getName());
checkAndCreateUser(
storedUser.getEmail(), storedUser.getFullyQualifiedName(), storedUser.getName());
return getJwtResponse(omUser, SecurityUtil.getLoginConfiguration().getJwtTokenExpiryTime()); return getJwtResponse(omUser, SecurityUtil.getLoginConfiguration().getJwtTokenExpiryTime());
} }
@ -147,25 +151,24 @@ public class LdapAuthenticator implements AuthenticatorHandler {
* group else, create a new user and assign roles according to it's ldap group * group else, create a new user and assign roles according to it's ldap group
* *
* @param email email address of user * @param email email address of user
* @param userName userName of user * @param name userName of user
* @param userDn the dn of user from ldap
* @return user info * @return user info
* @author Eric Wen@2023-07-16 17:06:43 * @author Eric Wen@2023-07-16 17:06:43
*/ */
private User checkAndCreateUser(String email, String userName, String userDn) throws IOException { private User checkAndCreateUser(String email, String name) throws IOException {
// Check if the user exists in OM Database // Check if the user exists in OM Database
try { try {
User omUser = User omUser =
userRepository.getByName(null, userName, userRepository.getFields("id,name,email,roles")); userRepository.getByName(null, name, userRepository.getFields("id,name,email,roles"));
getRoleForLdap(omUser, userDn, Boolean.TRUE); getRoleForLdap(omUser, Boolean.TRUE);
return omUser; return omUser;
} catch (EntityNotFoundException ex) { } catch (EntityNotFoundException ex) {
// User does not exist // User does not exist
return userRepository.create(null, getUserForLdap(email, userName, userDn)); return userRepository.create(null, getUserForLdap(email, name));
} catch (LDAPException e) { } catch (LDAPException e) {
LOG.error( LOG.error(
"An error occurs when reassigning roles for an LDAP user({}): {}", "An error occurs when reassigning roles for an LDAP user({}): {}",
userName, name,
e.getMessage(), e.getMessage(),
e); e);
throw new UnhandledServerException(e.getMessage()); throw new UnhandledServerException(e.getMessage());
@ -243,7 +246,7 @@ public class LdapAuthenticator implements AuthenticatorHandler {
searchResultEntry.getAttribute(ldapConfiguration.getMailAttributeName()); searchResultEntry.getAttribute(ldapConfiguration.getMailAttributeName());
if (!CommonUtil.nullOrEmpty(userDN) && emailAttr != null) { if (!CommonUtil.nullOrEmpty(userDN) && emailAttr != null) {
return getUserForLdap(email).withName(userDN); return getUserForLdap(email).withName(userDN.toLowerCase());
} else { } else {
throw new CustomExceptionMessage(FORBIDDEN, INVALID_USER_OR_PASSWORD, LDAP_MISSING_ATTR); throw new CustomExceptionMessage(FORBIDDEN, INVALID_USER_OR_PASSWORD, LDAP_MISSING_ATTR);
} }
@ -267,14 +270,14 @@ public class LdapAuthenticator implements AuthenticatorHandler {
.withAuthenticationMechanism(null); .withAuthenticationMechanism(null);
} }
private User getUserForLdap(String email, String userName, String userDn) { private User getUserForLdap(String email, String userName) {
User user = User user =
UserUtil.getUser( UserUtil.getUser(
userName, new CreateUser().withName(userName).withEmail(email).withIsBot(false)) userName, new CreateUser().withName(userName).withEmail(email).withIsBot(false))
.withIsEmailVerified(false) .withIsEmailVerified(false)
.withAuthenticationMechanism(null); .withAuthenticationMechanism(null);
try { try {
getRoleForLdap(user, userDn, false); getRoleForLdap(user, false);
} catch (LDAPException | JsonProcessingException e) { } catch (LDAPException | JsonProcessingException e) {
LOG.error( LOG.error(
"Failed to assign roles from LDAP to OpenMetadata for the user {} due to {}", "Failed to assign roles from LDAP to OpenMetadata for the user {} due to {}",
@ -288,11 +291,10 @@ public class LdapAuthenticator implements AuthenticatorHandler {
* Getting user's roles according to the mapping between ldap groups and roles * Getting user's roles according to the mapping between ldap groups and roles
* *
* @param user user object * @param user user object
* @param userDn the dn of user from ldap
* @param reAssign flag to decide whether to reassign roles * @param reAssign flag to decide whether to reassign roles
* @author Eric Wen@2023-07-16 17:23:57 * @author Eric Wen@2023-07-16 17:23:57
*/ */
private void getRoleForLdap(User user, String userDn, Boolean reAssign) private void getRoleForLdap(User user, Boolean reAssign)
throws LDAPException, JsonProcessingException { throws LDAPException, JsonProcessingException {
// Get user's groups from LDAP server using the DN of the user // Get user's groups from LDAP server using the DN of the user
try { try {
@ -301,7 +303,8 @@ public class LdapAuthenticator implements AuthenticatorHandler {
ldapConfiguration.getGroupAttributeName(), ldapConfiguration.getGroupAttributeName(),
ldapConfiguration.getGroupAttributeValue()); ldapConfiguration.getGroupAttributeValue());
Filter groupMemberAttr = Filter groupMemberAttr =
Filter.createEqualityFilter(ldapConfiguration.getGroupMemberAttributeName(), userDn); Filter.createEqualityFilter(
ldapConfiguration.getGroupMemberAttributeName(), user.getName());
Filter groupAndMemberFilter = Filter.createANDFilter(groupFilter, groupMemberAttr); Filter groupAndMemberFilter = Filter.createANDFilter(groupFilter, groupMemberAttr);
SearchRequest searchRequest = SearchRequest searchRequest =
new SearchRequest( new SearchRequest(
@ -372,7 +375,7 @@ public class LdapAuthenticator implements AuthenticatorHandler {
} catch (Exception ex) { } catch (Exception ex) {
LOG.warn( LOG.warn(
"Failed to get user's groups from LDAP server using the DN of the user {} due to {}", "Failed to get user's groups from LDAP server using the DN of the user {} due to {}",
userDn, user.getName(),
ex.getMessage()); ex.getMessage());
} }
} }