From 9bd22369d78fdaae2f246cf755892ff0f6ebde09 Mon Sep 17 00:00:00 2001 From: Parth Panchal <83201188+parthp2107@users.noreply.github.com> Date: Wed, 22 Feb 2023 12:53:24 +0530 Subject: [PATCH] Fixed#10211: Enable LDAP configuration to be configured via environment variable (#10252) * Fixed#10211: Enable LDAP configuration to be configured via environment variable * Fixed#10211: Enable LDAP configuration to be configured via environment variable --- conf/openmetadata.yaml | 25 +++++++ .../content/deployment/security/ldap/index.md | 72 +++++++++++-------- .../security/auth/LdapAuthenticator.java | 7 -- .../openmetadata/service/util/LdapUtil.java | 10 +-- .../configuration/ldapConfiguration.json | 16 +---- .../truststoreConfig.json | 27 +++++++ 6 files changed, 104 insertions(+), 53 deletions(-) create mode 100644 openmetadata-spec/src/main/resources/json/schema/configuration/ldapTrustStoreConfig/truststoreConfig.json diff --git a/conf/openmetadata.yaml b/conf/openmetadata.yaml index 640490e144c..f4e0995c285 100644 --- a/conf/openmetadata.yaml +++ b/conf/openmetadata.yaml @@ -151,6 +151,31 @@ authenticationConfiguration: callbackUrl: ${AUTHENTICATION_CALLBACK_URL:-""} jwtPrincipalClaims: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]} enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true} + ldapConfiguration: + host: ${AUTHENTICATION_LDAP_HOST:-} + port: ${AUTHENTICATION_LDAP_PORT:-} + dnAdminPrincipal: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-""} + dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-""} + userBaseDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-""} + mailAttributeName: ${AUTHENTICATION_USER_MAIL_ATTR:-} + #optional + maxPoolSize: ${AUTHENTICATION_LDAP_POOL_SIZE:-3} + sslEnabled: ${AUTHENTICATION_LDAP_SSL_ENABLED:-} + truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} + trustStoreConfig: + customTrustManagerConfig: + trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-} + trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-} + trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-} + verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-} + examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-} + hostNameConfig: + allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-} + acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]} + jvmDefaultConfig: + verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-} + trustAllConfig: + examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} jwtTokenConfiguration: rsapublicKeyFilePath: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"} diff --git a/openmetadata-docs/content/deployment/security/ldap/index.md b/openmetadata-docs/content/deployment/security/ldap/index.md index 042b0033f7c..22fc4809dfc 100644 --- a/openmetadata-docs/content/deployment/security/ldap/index.md +++ b/openmetadata-docs/content/deployment/security/ldap/index.md @@ -23,18 +23,30 @@ authenticationConfiguration: authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com} enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-false} ldapConfiguration: - "host": ${AUTHENTICATION_LDAP_HOST:-localhost} - "port": ${AUTHENTICATION_LDAP_PORT:-10636} - "dnAdminPrincipal": ${AUTHENTICATION_LOOKUP_ADMIN_DN:-"cn=admin,dc=example,dc=com"} - "dnAdminPassword": ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-"secret"} - "userBaseDN": ${AUTHENTICATION_USER_LOOKUP_BASEDN:-"ou=people,dc=example,dc=com"} - "mailAttributeName": ${AUTHENTICATION_USER_MAIL_ATTR:-email} + host: ${AUTHENTICATION_LDAP_HOST:-localhost} + port: ${AUTHENTICATION_LDAP_PORT:-10636} + dnAdminPrincipal: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-"cn=admin,dc=example,dc=com"} + dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-"secret"} + userBaseDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-"ou=people,dc=example,dc=com"} + mailAttributeName: ${AUTHENTICATION_USER_MAIL_ATTR:-email} # Optional - "maxPoolSize": ${AUTHENTICATION_LDAP_POOL_SIZE:-3} - "sslEnabled": ${AUTHENTICATION_LDAP_SSL_ENABLED:-true} - "truststoreConfigType": ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} # {CustomTrustStore, HostName, JVMDefault, TrustAll} - "trustStoreConfig": - "examineValidityDates": ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} + maxPoolSize: ${AUTHENTICATION_LDAP_POOL_SIZE:-3} + sslEnabled: ${AUTHENTICATION_LDAP_SSL_ENABLED:-true} + truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} # {CustomTrustStore, HostName, JVMDefault, TrustAll} + trustStoreConfig: + customTrustManagerConfig: + trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-} + trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-} + trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-} + verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-} + examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-} + hostNameConfig: + allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-} + acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]} + jvmDefaultConfig: + verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-} + trustAllConfig: + examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} ``` For the LDAP auth we need to set: @@ -76,9 +88,10 @@ Based on the different `truststoreConfigType`, we have following different `trus 1. **TrustAll**: Provides an SSL trust manager which will blindly trust any certificate that is presented to it, although it may optionally reject certificates that are expired or not yet valid. It can be convenient for testing purposes, but it is recommended that production environments use trust managers that perform stronger validation. ```yaml - "truststoreConfigType": ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} - "trustStoreConfig": - "examineValidityDates": ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} + truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} + trustStoreConfig: + trustAllConfig: + examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} ``` - `examineValidityDates`: Indicates whether to reject certificates if the current time is outside the validity window for the certificate. @@ -86,9 +99,10 @@ Based on the different `truststoreConfigType`, we have following different `trus 2. **JVMDefault**: Provides an implementation of a trust manager that relies on the JVM's default set of trusted issuers. ```yaml - "truststoreConfigType": ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-CustomTrustStore} - "trustStoreConfig": - "verifyHostname": ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true} + truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-JVMDefault} + trustStoreConfig: + jvmDefaultConfig: + verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true} ``` - `verifyHostname`: Controls using TrustAllSSLSocketVerifier vs HostNameSSLSocketVerifier. In case the certificate contains cn=hostname of the Ldap Server set it to true. @@ -96,10 +110,11 @@ Based on the different `truststoreConfigType`, we have following different `trus 3. **HostName**: Provides an SSL trust manager that will only accept certificates whose hostname matches an expected value. ```yaml - "truststoreConfigType": ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-HostName} - "trustStoreConfig": - "allowWildCards": ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-false} - "acceptableHostNames": ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[localhost]} + truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-HostName} + trustStoreConfig: + hostNameConfig: + allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-false} + acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[localhost]} ``` - `allowWildCards`: Indicates whether to allow wildcard certificates which contain an asterisk as the first component of a CN subject attribute or dNSName subjectAltName extension. @@ -108,13 +123,14 @@ Based on the different `truststoreConfigType`, we have following different `trus 4. **CustomTrustStore**: Use the custom Truststore by providing the below details in the config. ```yaml - "truststoreConfigType": ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-CustomTrustStore} - "trustStoreConfig": - "trustStoreFilePath": ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-/Users/parthpanchal/trusted.ks} - "trustStoreFilePassword": ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-secret} - "trustStoreFileFormat": ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-JKS} - "verifyHostname": ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true} - "examineValidityDates": ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} + truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-CustomTrustStore} + trustStoreConfig: + customTrustManagerConfig: + trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-/Users/parthpanchal/trusted.ks} + trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-secret} + trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-JKS} + verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true} + examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} ``` - `trustStoreFilePath`: The path to the trust store file to use. It must not be null. diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/security/auth/LdapAuthenticator.java b/openmetadata-service/src/main/java/org/openmetadata/service/security/auth/LdapAuthenticator.java index ec4ac601573..59bfeab0a9c 100644 --- a/openmetadata-service/src/main/java/org/openmetadata/service/security/auth/LdapAuthenticator.java +++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/auth/LdapAuthenticator.java @@ -22,10 +22,7 @@ import com.unboundid.ldap.sdk.SearchRequest; import com.unboundid.ldap.sdk.SearchResult; import com.unboundid.ldap.sdk.SearchResultEntry; import com.unboundid.ldap.sdk.SearchScope; -import com.unboundid.util.ssl.HostNameSSLSocketVerifier; -import com.unboundid.util.ssl.SSLSocketVerifier; import com.unboundid.util.ssl.SSLUtil; -import com.unboundid.util.ssl.TrustAllSSLSocketVerifier; import freemarker.template.TemplateException; import java.io.IOException; import java.security.GeneralSecurityException; @@ -75,10 +72,6 @@ public class LdapAuthenticator implements AuthenticatorHandler { this.loginConfiguration = config.getLoginSettings(); } - private SSLSocketVerifier hostNameVerifier(boolean verifyHostName) { - return verifyHostName ? new HostNameSSLSocketVerifier(true) : TrustAllSSLSocketVerifier.getInstance(); - } - private LDAPConnectionPool getLdapConnectionPool(LdapConfiguration ldapConfiguration) { try { if (ldapConfiguration.getSslEnabled()) { diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/util/LdapUtil.java b/openmetadata-service/src/main/java/org/openmetadata/service/util/LdapUtil.java index b29056e32fb..66cd3062eb7 100644 --- a/openmetadata-service/src/main/java/org/openmetadata/service/util/LdapUtil.java +++ b/openmetadata-service/src/main/java/org/openmetadata/service/util/LdapUtil.java @@ -26,7 +26,8 @@ public class LdapUtil { switch (configType) { case CUSTOM_TRUST_STORE: CustomTrustManagerConfig customTrustManagerConfig = - JsonUtils.convertValue(ldapConfiguration.getTrustStoreConfig(), CustomTrustManagerConfig.class); + JsonUtils.convertValue( + ldapConfiguration.getTrustStoreConfig().getCustomTrustManagerConfig(), CustomTrustManagerConfig.class); x509TrustManager = new TrustStoreTrustManager( customTrustManagerConfig.getTrustStoreFilePath(), @@ -38,20 +39,21 @@ public class LdapUtil { break; case HOST_NAME: HostNameConfig hostNameConfig = - JsonUtils.convertValue(ldapConfiguration.getTrustStoreConfig(), HostNameConfig.class); + JsonUtils.convertValue(ldapConfiguration.getTrustStoreConfig().getHostNameConfig(), HostNameConfig.class); x509TrustManager = new HostNameTrustManager(hostNameConfig.getAllowWildCards(), hostNameConfig.getAcceptableHostNames()); break; case JVM_DEFAULT: JVMDefaultConfig jvmDefaultConfig = - JsonUtils.convertValue(ldapConfiguration.getTrustStoreConfig(), JVMDefaultConfig.class); + JsonUtils.convertValue( + ldapConfiguration.getTrustStoreConfig().getJvmDefaultConfig(), JVMDefaultConfig.class); x509TrustManager = JVMDefaultTrustManager.getInstance(); sslSocketVerifier = hostNameVerifier(jvmDefaultConfig.getVerifyHostname()); connectionOptions.setSSLSocketVerifier(sslSocketVerifier); break; case TRUST_ALL: TrustAllConfig trustAllConfig = - JsonUtils.convertValue(ldapConfiguration.getTrustStoreConfig(), TrustAllConfig.class); + JsonUtils.convertValue(ldapConfiguration.getTrustStoreConfig().getTrustAllConfig(), TrustAllConfig.class); x509TrustManager = new TrustAllTrustManager(trustAllConfig.getExamineValidityDates()); break; default: diff --git a/openmetadata-spec/src/main/resources/json/schema/configuration/ldapConfiguration.json b/openmetadata-spec/src/main/resources/json/schema/configuration/ldapConfiguration.json index a60440e4cf6..fa4e596d6d6 100644 --- a/openmetadata-spec/src/main/resources/json/schema/configuration/ldapConfiguration.json +++ b/openmetadata-spec/src/main/resources/json/schema/configuration/ldapConfiguration.json @@ -55,20 +55,8 @@ "enum": ["TrustAll", "JVMDefault", "HostName", "CustomTrustStore"] }, "trustStoreConfig": { - "oneOf": [ - { - "$ref": "./ldapTrustStoreConfig/customTrustManagerConfig.json" - }, - { - "$ref": "./ldapTrustStoreConfig/hostNameConfig.json" - }, - { - "$ref": "./ldapTrustStoreConfig/jvmDefaultConfig.json" - }, - { - "$ref": "./ldapTrustStoreConfig/trustAllConfig.json" - } - ] + "description": "Truststore Configuration", + "$ref": "ldapTrustStoreConfig/truststoreConfig.json" } }, "required": ["host", "port", "dnAdminPrincipal","dnAdminPassword", "userBaseDN", "mailAttributeName"], diff --git a/openmetadata-spec/src/main/resources/json/schema/configuration/ldapTrustStoreConfig/truststoreConfig.json b/openmetadata-spec/src/main/resources/json/schema/configuration/ldapTrustStoreConfig/truststoreConfig.json new file mode 100644 index 00000000000..8653da29c5b --- /dev/null +++ b/openmetadata-spec/src/main/resources/json/schema/configuration/ldapTrustStoreConfig/truststoreConfig.json @@ -0,0 +1,27 @@ +{ + "$id": "https://open-metadata.org/schema/configuration/ldapTrustStoreConfig/truststoreConfig.json", + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "TruststoreConfig", + "description": "Truststore Configuration", + "type": "object", + "javaType": "org.openmetadata.schema.auth.ldapTrustStoreConfig.TruststoreConfig", + "properties": { + "customTrustManagerConfig": { + "description": "CustomTrust Configuration", + "$ref": "./customTrustManagerConfig.json" + }, + "hostNameConfig": { + "description": "HostName Configuration", + "$ref": "./hostNameConfig.json" + }, + "jvmDefaultConfig": { + "description": "JVMDefault Configuration", + "$ref": "./jvmDefaultConfig.json" + }, + "trustAllConfig": { + "description": "TrustAll Configuration", + "$ref": "./trustAllConfig.json" + } + }, + "additionalProperties": false +}