From cb81ee4154e9b60c893e2c69250b8401189fb386 Mon Sep 17 00:00:00 2001 From: "peng.jianhua" Date: Mon, 6 Nov 2017 18:54:11 +0800 Subject: [PATCH 1/1] KYLIN-2960: Submit a new feature that it supports the authentication for user and his roles and his groups. --- .../kylin/rest/security/AuthoritiesPopulator.java | 1 + .../rest/security/LDAPAuthoritiesPopulator.java | 77 ++++++++++++++++++++++ server/src/main/resources/kylinSecurity.xml | 6 +- 3 files changed, 81 insertions(+), 3 deletions(-) create mode 100644 server-base/src/main/java/org/apache/kylin/rest/security/LDAPAuthoritiesPopulator.java diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java b/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java index 2b9d8c9..977030f 100644 --- a/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java +++ b/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java @@ -30,6 +30,7 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator; /** + * @deprecated * @author xduo * */ diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/LDAPAuthoritiesPopulator.java b/server-base/src/main/java/org/apache/kylin/rest/security/LDAPAuthoritiesPopulator.java new file mode 100644 index 0000000..7671280 --- /dev/null +++ b/server-base/src/main/java/org/apache/kylin/rest/security/LDAPAuthoritiesPopulator.java 
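Review bot: The `@deprecated` tag added to the class Javadoc of `AuthoritiesPopulator` has no text, so a maintainer is not told what replaces the class or why it is being retired. I would write it as `* @deprecated use {@link LDAPAuthoritiesPopulator} instead`. The class declaration is outside the hunk, so I cannot see whether it carries the `@Deprecated` annotation; if not, it should be added alongside the tag. This class decides which roles an LDAP user receives, so a deployment with its own copy of kylinSecurity.xml needs that pointer to find the class it should now reference.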
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+*/
+
+package org.apache.kylin.rest.security;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.kylin.rest.constant.Constant;
+import org.springframework.ldap.core.ContextSource;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
+
+import com.google.common.collect.Sets;
+
+public class LDAPAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
+
+ SimpleGrantedAuthority adminRoleAsAuthority;
+
+ SimpleGrantedAuthority adminAuthority = new SimpleGrantedAuthority(Constant.ROLE_ADMIN);
+ SimpleGrantedAuthority modelerAuthority = new SimpleGrantedAuthority(Constant.ROLE_MODELER);
+ SimpleGrantedAuthority analystAuthority = new SimpleGrantedAuthority(Constant.ROLE_ANALYST);
+
+ Set defaultAuthorities = new HashSet();
+
+ public LDAPAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase, String adminRole,
+ String defaultRole) {
+ super(contextSource, 
groupSearchBase); + this.adminRoleAsAuthority = new SimpleGrantedAuthority(adminRole); + + setGroupSearchFilter("(|(member={0})(memberUid={1}))"); + setConvertToUpperCase(false); + setRolePrefix(""); + + String[] defaultRoles = StringUtils.split(defaultRole, ","); + if (ArrayUtils.contains(defaultRoles, Constant.ROLE_MODELER)) { + this.defaultAuthorities.add(modelerAuthority); + this.defaultAuthorities.add(analystAuthority); + } + + if (ArrayUtils.contains(defaultRoles, Constant.ROLE_ANALYST)) + this.defaultAuthorities.add(analystAuthority); + } + + @Override + public Set getGroupMembershipRoles(String userDn, String username) { + Set authorities = super.getGroupMembershipRoles(userDn, username); + Set userAuthorities = Sets.newHashSet(authorities); + userAuthorities.addAll(defaultAuthorities); + + if (authorities.contains(adminRoleAsAuthority)) { + userAuthorities.add(adminAuthority); + userAuthorities.add(modelerAuthority); + userAuthorities.add(analystAuthority); + } + + return userAuthorities; + } +} \ No newline at end of file diff --git a/server/src/main/resources/kylinSecurity.xml b/server/src/main/resources/kylinSecurity.xml index ca49255..4837cc6 100644 --- a/server/src/main/resources/kylinSecurity.xml +++ b/server/src/main/resources/kylinSecurity.xml @@ -97,7 +97,7 @@ - + @@ -130,7 +130,7 @@ - + @@ -419,7 +419,7 @@ + class="org.apache.kylin.rest.security.LDAPAuthoritiesPopulator"> -- 2.7.2.windows.1
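Review bot: In `getGroupMembershipRoles`, group names returned by the directory become authorities verbatim, because the constructor calls `setRolePrefix("")` and `setConvertToUpperCase(false)`, so they share one namespace with the built-in `adminAuthority`, `modelerAuthority` and `analystAuthority`. A group under `groupSearchBase` whose name equals one of the `Constant.ROLE_*` values would then carry that role without going through the `adminRole` or `defaultRole` mapping; the `Constant` values are not visible in this patch, so this needs confirming. If the built-in roles are meant to come only from that mapping, drop them from the copied set before the defaults are added, e.g. `userAuthorities.removeAll(Sets.newHashSet(adminAuthority, modelerAuthority, analystAuthority));` directly after `Sets.newHashSet(authorities)`. Otherwise a class-level comment should state that directory group names are trusted as role names, so that write access to the group subtree is understood to be equivalent to granting roles.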