  1. Ambari
  2. AMBARI-18938

NPE when authenticating via a Centrify LDAP proxy

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.4.0
    • Fix Version/s: 2.5.0, 2.4.3
    • Component/s: ambari-server

    Description

      When authenticating using LDAP where the LDAP server is a Centrify LDAP proxy, a NullPointerException is thrown because LDAP user object attributes are unexpectedly missing.

      10 Nov 2016 08:23:38,789 ERROR [ambari-client-thread-25] AmbariLdapBindAuthenticator:95 - Caught exception
      java.lang.NullPointerException
      	at org.apache.ambari.server.security.authorization.AmbariLdapBindAuthenticator.authenticate(AmbariLdapBindAuthenticator.java:83)
      	at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:178)
      	at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
      	at org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProvider.authenticate(AmbariLdapAuthenticationProvider.java:73)
      	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
      	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
      	at org.apache.ambari.server.security.authentication.AmbariAuthenticationFilter.doFilter(AmbariAuthenticationFilter.java:88)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.apache.ambari.server.security.authorization.AmbariUserAuthorizationFilter.doFilter(AmbariUserAuthorizationFilter.java:91)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
      	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
      	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
      	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
      	at org.apache.ambari.server.api.MethodOverrideFilter.doFilter(MethodOverrideFilter.java:72)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
      	at org.apache.ambari.server.api.AmbariPersistFilter.doFilter(AmbariPersistFilter.java:47)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
      	at org.apache.ambari.server.security.AbstractSecurityHeaderFilter.doFilter(AbstractSecurityHeaderFilter.java:109)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
      	at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
      	at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:294)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      	at org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:212)
      	at org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:201)
      	at org.apache.ambari.server.controller.AmbariHandlerList.handle(AmbariHandlerList.java:139)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      	at org.eclipse.jetty.server.Server.handle(Server.java:370)
      	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
      	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
      	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
      	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
      	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
      	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
      	at java.lang.Thread.run(Thread.java:745)
      

      Cause
      The cause for this NPE is related to missing data from the attribute search request made to a Centrify LDAP proxy after a bind has occurred. Since the query filter at this point is "(objectClass=*)", the Centrify LDAP proxy does not have enough data to determine what information to return to the caller. However, if the filter were something like "(objectClass=posixAccount)", the proxy would be able to build a set of attributes to return to the caller, since it could determine that the caller wants data for a specific profile.

      This can be seen by the following tcpdump entry:

      LDAPMessage searchRequest(2) "uid=user1,ou=people,ou=dev,dc=apache,dc=org" baseObject
          messageID: 2
          protocolOp: searchRequest (3)
              searchRequest
                  baseObject: uid=user1,ou=people,ou=dev,dc=apache,dc=org
                  scope: baseObject (0)
                  derefAliases: derefAlways (3)
                  sizeLimit: 0
                  timeLimit: 0
                  typesOnly: False
                  Filter: (objectClass=*)
                  attributes: 0 items
          [Response In: 2]
          controls: 1 item
      

      Note the filter line above: Filter: (objectClass=*)

      From the Centrify LDAP proxy logs, the following lines can be seen showing that no mapping is available:

      Nov  8 12:13:45 host1 slapd: cdc search start with filterstr: (objectClass=*)
      Nov  8 12:13:45 host1 slapd: cdc search: objectType =  ( is mapped to NONE)
      Nov  8 12:13:45 host1 slapd: cdc search after translation filter = (objectClass=*)
      

      This search filter is hardcoded in com.sun.jndi.ldap.LdapCtx as seen in http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/com/sun/jndi/ldap/LdapCtx.java#1308.

      This code is invoked from the Spring LDAP library after attempting to authenticate using the Spring org.springframework.security.ldap.authentication.BindAuthenticator class.

      Solution
      To solve this, Ambari should avoid using org.springframework.security.ldap.authentication.BindAuthenticator to authenticate users via LDAP so that more control can be had over when and how user attributes are obtained.
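
One way to get that control, shown as an added example (not Ambari's patch or the project's own code): after the bind, read the user's entry with an explicit filter and attribute list, and treat an absent attribute as a failed login instead of dereferencing null. The class name, the use of the posixAccount filter and the uid/cn attribute names are assumptions for illustration.

```java
import javax.naming.*;
import javax.naming.directory.*;

public class ExplicitUserLookup {
    // Assumed values: a filter that names a concrete object class, and the
    // attributes the caller actually needs, instead of "(objectClass=*)".
    static final String FILTER = "(objectClass=posixAccount)";
    static final String[] WANTED = {"uid", "cn"};

    /** Base-scope search on the user's own DN using an already bound context. */
    static Attributes fetch(DirContext ctx, String userDn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.OBJECT_SCOPE);
        sc.setReturningAttributes(WANTED);
        NamingEnumeration<SearchResult> results = ctx.search(userDn, FILTER, sc);
        try {
            // No match is reported as an empty attribute set, never as null.
            return results.hasMore() ? results.next().getAttributes()
                                     : new BasicAttributes(true);
        } finally {
            results.close();
        }
    }

    /** First value of an attribute, or null when the server omitted it. */
    static String firstValue(Attributes attrs, String name) throws NamingException {
        Attribute a = attrs.get(name);   // null if the attribute was not returned
        if (a == null || a.size() == 0) return null;
        Object v = a.get();
        return v == null ? null : v.toString();
    }

    /** Fails closed: a missing login attribute rejects the login, no NPE. */
    static String requireUid(Attributes attrs) throws NamingException {
        String uid = firstValue(attrs, "uid");
        if (uid == null) throw new NamingException("user entry has no uid attribute");
        return uid;
    }

    // fetch() needs a live, bound DirContext; main() exercises the null
    // handling on constructed attribute sets so it runs without a server.
    public static void main(String[] args) throws NamingException {
        Attributes full = new BasicAttributes("uid", "user1", true); // constructed sample
        Attributes empty = new BasicAttributes(true); // entry returned with no attributes
        System.out.println("accepted: " + requireUid(full));
        try {
            requireUid(empty);
        } catch (NamingException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```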

      Attachments

        1. AMBARI-18938_trunk_01.patch
          31 kB
          Robert Levas
        2. AMBARI-18938_branch-2.5_01.patch
          31 kB
          Robert Levas

          Activity

            hadoopqa Hadoop QA added a comment -

            -1 overall. Here are the results of testing the latest attachment
            http://issues.apache.org/jira/secure/attachment/12839859/AMBARI-18938_trunk_01.patch
            against trunk revision .

            +1 @author. The patch does not contain any @author tags.

            +1 tests included. The patch appears to include 1 new or modified test files.

            +1 javac. The applied patch does not increase the total number of javac compiler warnings.

            +1 release audit. The applied patch does not increase the total number of release audit warnings.

            -1 core tests. The patch failed these unit tests in ambari-server:

            org.apache.ambari.server.state.ServicePropertiesTest

            Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/9344//testReport/
            Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/9344//console

            This message is automatically generated.

            rlevas Robert Levas added a comment -

            Committed to trunk

            HW10868:ambari-server rlevas$ git show
            commit e73e783a8b5377b809a829c362900d3cad15d69f
            Author: Robert Levas <rlevas@hortonworks.com>
            Date:   Tue Nov 22 15:28:12 2016 -0500
            

            Committed to branch-2.5

            commit 809d4c4f0a1de4100f2d33ef6a0df2d366b6ae2e
            Author: Robert Levas <rlevas@hortonworks.com>
            Date:   Tue Nov 22 15:57:34 2016 -0500
            
            hudson Hudson added a comment -

            FAILURE: Integrated in Jenkins build Ambari-trunk-Commit #6069 (See https://builds.apache.org/job/Ambari-trunk-Commit/6069/)
            AMBARI-18938. NPE when authenticating via a Centrify LDAP proxy (rlevas: http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=e73e783a8b5377b809a829c362900d3cad15d69f)

            • (edit) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
            • (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
            • (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
            hudson Hudson added a comment -

            FAILURE: Integrated in Jenkins build Ambari-branch-2.5 #379 (See https://builds.apache.org/job/Ambari-branch-2.5/379/)
            AMBARI-18938. NPE when authenticating via a Centrify LDAP proxy (rlevas: http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=809d4c4f0a1de4100f2d33ef6a0df2d366b6ae2e)

            • (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
            • (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
            • (edit) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
            rlevas Robert Levas added a comment -

            Reopening to commit to branch-2.4.

            rlevas Robert Levas added a comment -

            Committed to branch-2.4

            commit f4d7a3fdbf26ef1900647a31121f2b7ceb5b1a2b
            Author: Robert Levas <rlevas@hortonworks.com>
            Date:   Tue Apr 18 13:34:17 2017 -0400
            

            People

              Assignee: rlevas Robert Levas
              Reporter: rlevas Robert Levas