diff --git service/src/java/org/apache/hive/service/auth/ldap/GroupFilterFactory.java service/src/java/org/apache/hive/service/auth/ldap/GroupFilterFactory.java index a0cb404..9165227 100644 --- service/src/java/org/apache/hive/service/auth/ldap/GroupFilterFactory.java +++ service/src/java/org/apache/hive/service/auth/ldap/GroupFilterFactory.java @@ -86,7 +86,7 @@ public void apply(DirSearch ldap, String user) throws AuthenticationException { for (String groupDn : memberOf) { String shortName = LdapUtils.getShortName(groupDn); - if (groupFilter.contains(shortName)) { + if (groupFilter.stream().anyMatch(shortName::equalsIgnoreCase)) { LOG.debug("GroupMembershipKeyFilter passes: user '{}' is a member of '{}' group", user, groupDn); LOG.info("Authentication succeeded based on group membership"); diff --git service/src/test/org/apache/hive/service/auth/ldap/TestGroupFilter.java service/src/test/org/apache/hive/service/auth/ldap/TestGroupFilter.java index 36e58c3..9ea5361 100644 --- service/src/test/org/apache/hive/service/auth/ldap/TestGroupFilter.java +++ service/src/test/org/apache/hive/service/auth/ldap/TestGroupFilter.java 
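Review bot: On the `+` line, `shortName::equalsIgnoreCase` binds its receiver eagerly, so a null `shortName` now throws NullPointerException, where `groupFilter.contains(shortName)` would simply have returned false for the usual collection types. Whether `LdapUtils.getShortName` can return null is not visible here; if it can, `groupFilter.stream().anyMatch(g -> g.equalsIgnoreCase(shortName))` keeps the old tolerance, assuming the filter holds no null entries. This comparison is also the allow/deny decision for group-based LDAP login, so the relaxed matching deserves a comment above the `if`, for example `// group names are compared case-insensitively, as directories normally match cn values`. Without it, a later cleanup could revert to `contains` and quietly change who is admitted. The body of apply starts and ends outside the hunk.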
@@ -105,6 +105,49 @@ public void testGroupMembershipKeyFilterApplyPositive() filter.apply(search, "user3@mydomain.com"); } + @Test + public void testGroupMembershipKeyCaseInsensitiveFilterApplyPositive() + throws AuthenticationException, NamingException, IOException { + conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "hiveusers,g1"); + + when(search.findUserDn(eq("user1"))) + .thenReturn("cn=user1,ou=People,dc=example,dc=com"); + when(search.findUserDn(eq("cn=user2,dc=example,dc=com"))) + .thenReturn("cn=user2,ou=People,dc=example,dc=com"); + when(search.findUserDn(eq("user3@mydomain.com"))) + .thenReturn("cn=user3,ou=People,dc=example,dc=com"); + + when(search.findGroupsForUser(eq("cn=user1,ou=People,dc=example,dc=com"))) + .thenReturn(Arrays.asList( + "cn=SuperUsers,ou=Groups,dc=example,dc=com", + "cn=Office1,ou=Groups,dc=example,dc=com", + "cn=HiveUsers,ou=Groups,dc=example,dc=com", + "cn=G1,ou=Groups,dc=example,dc=com")); + when(search.findGroupsForUser(eq("cn=user2,ou=People,dc=example,dc=com"))) + .thenReturn(Arrays.asList( + "cn=HiveUsers,ou=Groups,dc=example,dc=com")); + when(search.findGroupsForUser(eq("cn=user3,ou=People,dc=example,dc=com"))) + .thenReturn(Arrays.asList( + "cn=G1,ou=Groups,dc=example,dc=com", + "cn=G2,ou=Groups,dc=example,dc=com")); + + Filter filter = factory.getInstance(conf); + filter.apply(search, "user1"); + filter.apply(search, "cn=user2,dc=example,dc=com"); + filter.apply(search, "user3@mydomain.com"); + } + + @Test(expected = AuthenticationException.class) + public void testGroupMembershipKeyCaseInsensitiveFilterApplyNegative() + throws AuthenticationException, NamingException, IOException { + conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "hiveusers,containsg1"); + + when(search.findGroupsForUser(eq("user1"))).thenReturn(Arrays.asList("SuperUsers", "Office1", "G1", "G2")); + + Filter filter = factory.getInstance(conf); + filter.apply(search, "user1"); + } + @Test(expected = 
AuthenticationException.class) public void testGroupMembershipKeyFilterApplyNegative() throws AuthenticationException, NamingException, IOException {
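Review bot: testGroupMembershipKeyCaseInsensitiveFilterApplyNegative stubs `findGroupsForUser(eq("user1"))` but never stubs `findUserDn`, unlike the positive test added just above it. If apply resolves the user DN before looking up groups, as the positive test's stubbing suggests, the stubbed group list is never returned and the mock's default is used instead. The test would then throw AuthenticationException whatever the comparison does, so it would not catch a regression to substring matching of "containsg1" against "G1". Stubbing `when(search.findUserDn(eq("user1"))).thenReturn("cn=user1,ou=People,dc=example,dc=com")` and keying `findGroupsForUser` on that DN would make the negative case exercise the new comparison. The trailing lines of this hunk belong to testGroupMembershipKeyFilterApplyNegative, whose body continues outside the hunk.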