Description
Steps to reproduce:
- set up Kylin with SAML as described in http://kylin.apache.org/docs/howto/howto_ldap_and_sso.html. kylin.properties:
kylin.security.profile=saml
kylin.security.acl.admin-role=Kylin_Admins
kylin.security.ldap.connection-server=ldap://openldap:389
kylin.security.ldap.connection-username=cn=admin,dc=example,dc=org
# set kylin.security.ldap.connection-password appropriately
kylin.security.ldap.user-search-base=ou=people,dc=example,dc=org
kylin.security.ldap.user-search-pattern=(uid={0})
kylin.security.ldap.user-group-search-base=ou=groups,dc=example,dc=org
kylin.security.saml.context-context-path=/kylin
kylin.security.saml.context-scheme=https
kylin.security.saml.context-server-name=kylin.validdomain.com
kylin.security.saml.context-server-port=443
kylin.security.saml.metadata-entity-base-url=https://kylin.validdomain.com/kylin
- on the LDAP server, make sure you have the following objects in place:
# example.user, people, example.org
dn: uid=example.user,ou=people,dc=example,dc=org
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 10000
uidNumber: 5000
cn: Does not matter
homeDirectory: /home/doesntmatter
uid: example.user

# Kylin_Users, groups, example.org
dn: cn=Kylin_Users,ou=groups,dc=example,dc=org
objectClass: top
objectClass: groupOfNames
cn: Kylin_Users
member: uid=example.user,ou=people,dc=example,dc=org
- as an ADMIN, create a sample project in kylin and grant QUERY, MANAGEMENT or OPERATION access to example.user.
- now, try logging into kylin.validdomain.com's Web UI as example.user@validdomain.com.
Expected result:
- example.user is logged in, able to select the project from the dropdown box at the top left corner and navigate through its properties.
Actual result:
- example.user is logged in, but no projects are listed in the dropdown box, as if the user had no permissions in any project.
With LDAP-pure installations (no SAML), this configuration works as expected.
Worth noting: https://github.com/apache/kylin/blob/kylin-3.0.1/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java#L40-L54 splits the username at the '@' character before performing LDAP lookups. However, by editing kylin_metadata manually and appending @validdomain.com to the corresponding object under /acls, the lookup works as it should and the non-admin user gets to access the sample project.
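As an added illustration (not Kylin's own code), the following Python sketch models the two name-handling paths this report describes: an LDAP lookup keyed on the part of the NameID before '@', and an ACL lookup that is assumed to compare the raw principal string. The names ACLS, login_and_list and grant_status, and the ACL contents, are constructed for the example.

```python
# Constructed model of the mismatch reported above. Hypothetical code, not Kylin's.
from copy import deepcopy


def ldap_lookup_name(name_id: str) -> str:
    """What the report says SAMLUserDetailsService does: keep the part before '@'."""
    return name_id.split("@", 1)[0]


# Constructed ACL metadata: project -> {sid: permissions}, as granted by an admin in the UI.
ACLS = {"sample_project": {"example.user": {"QUERY"}}}


def visible_projects(principal: str, acls) -> list:
    """Projects whose ACL lists this principal (assumed plain string comparison on the sid)."""
    return sorted(p for p, entries in acls.items() if principal in entries)


def login_and_list(name_id: str, acls, normalize_principal: bool) -> dict:
    """Simulate a SAML login. The LDAP user is always found via the local part;
    what the ACL check sees depends on whether the session principal was normalized."""
    ldap_uid = ldap_lookup_name(name_id)
    principal = ldap_uid if normalize_principal else name_id
    return {"ldap_uid": ldap_uid, "principal": principal,
            "projects": visible_projects(principal, acls)}


def grant_status(name_id: str, acls) -> dict:
    """Diagnostic over exported ACL data: where is this NameID granted, under its local part,
    under the full address, or both? 'mismatch' lists grants only the local part can see."""
    local = ldap_lookup_name(name_id)
    under_local = visible_projects(local, acls)
    under_full = visible_projects(name_id, acls)
    return {"under_local": under_local, "under_full": under_full,
            "mismatch": [p for p in under_local if p not in under_full]}


def apply_manual_workaround(name_id: str, acls) -> dict:
    """The metadata edit the report describes: copy the local-part grant under the full NameID."""
    patched = deepcopy(acls)
    local = ldap_lookup_name(name_id)
    for entries in patched.values():
        if local in entries and name_id not in entries:
            entries[name_id] = set(entries[local])
    return patched
```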