Uploaded image for project: 'Kylin'
  1. Kylin
  2. KYLIN-5298

Kylin Ldap not enforcing role Authorities

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • v4.0.2
    • v4.0.2
    • Others, Security
    • None

    Description

      After enabling Ldap with following changes , Kylin is not enforcing pre-defined roles to login to UI with Ldap accounts tested on V4.0.3 and V4.0.2 getting same behavior 

      Here are the properties in kylin.properties 

      kylin.security.profile=ldap
      kylin.security.acl.admin-role=admin_group
      kylin.security.ldap.connection-server=ldaps://ldap-server.com:port
      kylin.security.ldap.connection-username=CN=Ldap_user,OU=ServiceAccounts,DC=corp,DC=my_company,DC=com
      kylin.security.ldap.connection-password=Encrypted_password
      kylin.security.ldap.connection-truststore=/cacerts
      # LDAP user account directory;
      kylin.security.ldap.user-search-base=OU=People,DC=corp,DC=my_company,DC=com
      kylin.security.ldap.user-search-pattern=sAMAccountName={0}
      kylin.security.ldap.user-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
      kylin.security.ldap.user-group-search-filter=(|(sAMAccountName={0})(sAMAccountNameUid={1}))
      # LDAP service account directory
      kylin.security.ldap.service-search-base=OU=People,DC=corp,DC=my_company,DC=com
      kylin.security.ldap.service-search-pattern=sAMAccountName={0}
      kylin.security.ldap.service-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
       

       

      With above settings when tried to login the UI we are getting below exception with no Authorities 

       

      2022-11-18 11:20:26,119 DEBUG [http-nio-7070-exec-1] security.KylinAuthenticationProvider:126 : Authenticated user UsernamePasswordAuthenticationToken [Principal=org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@47a6c9ab: Dn: cn=USER,ou=Employees,ou=People,dc=corp,dc=my_company,dc=com; Username: USER; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.XX.XX.XXX, SessionId=null], Granted Authorities=[]] 

      As per documentation the kylin.security.acl.default-role is deprecated. It not enforcing any Kylin Authorities 

      Attachments

        1. image-2022-11-29-16-15-23-628.png
          21 kB
          Rohan Nimmagadda
        2. image-2022-11-24-17-00-31-371.png
          59 kB
          mukvin
        3. image-2022-11-24-15-58-47-523.png
          54 kB
          mukvin
        4. image-2022-11-24-15-57-43-134.png
          107 kB
          mukvin
        5. image-2022-11-24-03-25-42-593.png
          110 kB
          Rohan Nimmagadda
        6. image-2022-11-24-02-19-38-977.png
          135 kB
          Rohan Nimmagadda

        Activity

          People

            Unassigned Unassigned
            Rohannimmagadda Rohan Nimmagadda
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: