HADOOP-15995. Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping. Contributed by Lukas Majercak.
This commit is contained in:
parent
82b798581d
commit
76efeacd5f
|
@ -149,6 +149,10 @@ public class LdapGroupsMapping
|
||||||
public static final String BIND_PASSWORD_FILE_KEY = BIND_PASSWORD_KEY + ".file";
|
public static final String BIND_PASSWORD_FILE_KEY = BIND_PASSWORD_KEY + ".file";
|
||||||
public static final String BIND_PASSWORD_FILE_DEFAULT = "";
|
public static final String BIND_PASSWORD_FILE_DEFAULT = "";
|
||||||
|
|
||||||
|
public static final String BIND_PASSWORD_ALIAS_KEY =
|
||||||
|
BIND_PASSWORD_KEY + ".alias";
|
||||||
|
public static final String BIND_PASSWORD_ALIAS_DEFAULT = "";
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Base distinguished name to use for searches
|
* Base distinguished name to use for searches
|
||||||
*/
|
*/
|
||||||
|
@ -662,11 +666,18 @@ public class LdapGroupsMapping
|
||||||
}
|
}
|
||||||
|
|
||||||
bindUser = conf.get(BIND_USER_KEY, BIND_USER_DEFAULT);
|
bindUser = conf.get(BIND_USER_KEY, BIND_USER_DEFAULT);
|
||||||
bindPassword = getPassword(conf, BIND_PASSWORD_KEY, BIND_PASSWORD_DEFAULT);
|
|
||||||
|
String alias = conf.get(BIND_PASSWORD_ALIAS_KEY,
|
||||||
|
BIND_PASSWORD_ALIAS_DEFAULT);
|
||||||
|
bindPassword = getPasswordFromCredentialProviders(conf, alias, "");
|
||||||
|
if (bindPassword.isEmpty()) {
|
||||||
|
bindPassword = getPassword(conf, BIND_PASSWORD_KEY,
|
||||||
|
BIND_PASSWORD_DEFAULT);
|
||||||
if (bindPassword.isEmpty()) {
|
if (bindPassword.isEmpty()) {
|
||||||
bindPassword = extractPassword(
|
bindPassword = extractPassword(
|
||||||
conf.get(BIND_PASSWORD_FILE_KEY, BIND_PASSWORD_FILE_DEFAULT));
|
conf.get(BIND_PASSWORD_FILE_KEY, BIND_PASSWORD_FILE_DEFAULT));
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
String baseDN = conf.getTrimmed(BASE_DN_KEY, BASE_DN_DEFAULT);
|
String baseDN = conf.getTrimmed(BASE_DN_KEY, BASE_DN_DEFAULT);
|
||||||
|
|
||||||
|
@ -755,10 +766,10 @@ public class LdapGroupsMapping
|
||||||
}
|
}
|
||||||
|
|
||||||
String getPasswordFromCredentialProviders(
|
String getPasswordFromCredentialProviders(
|
||||||
Configuration conf, String alias, String defaultPass) {
|
Configuration config, String alias, String defaultPass) {
|
||||||
String password = defaultPass;
|
String password = defaultPass;
|
||||||
try {
|
try {
|
||||||
char[] passchars = conf.getPasswordFromCredentialProviders(alias);
|
char[] passchars = config.getPasswordFromCredentialProviders(alias);
|
||||||
if (passchars != null) {
|
if (passchars != null) {
|
||||||
password = new String(passchars);
|
password = new String(passchars);
|
||||||
}
|
}
|
||||||
|
|
|
@ -370,6 +370,16 @@
|
||||||
</description>
|
</description>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<name>hadoop.security.group.mapping.ldap.bind.password.alias</name>
|
||||||
|
<value></value>
|
||||||
|
<description>
|
||||||
|
The alias of the bind user to be used to get the password from credential
|
||||||
|
providers. If the alias is empty, property
|
||||||
|
hadoop.security.group.mapping.ldap.bind.password is used instead.
|
||||||
|
</description>
|
||||||
|
</property>
|
||||||
|
|
||||||
<property>
|
<property>
|
||||||
<name>hadoop.security.group.mapping.ldap.bind.password.file</name>
|
<name>hadoop.security.group.mapping.ldap.bind.password.file</name>
|
||||||
<value></value>
|
<value></value>
|
||||||
|
|
|
@ -307,6 +307,46 @@ public class TestLdapGroupsMapping extends TestLdapGroupsMappingBase {
|
||||||
Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", ""));
|
Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", ""));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testConfGetPasswordUsingAlias() throws Exception {
|
||||||
|
File testDir = GenericTestUtils.getTestDir();
|
||||||
|
Configuration conf = getBaseConf();
|
||||||
|
final Path jksPath = new Path(testDir.toString(), "test.jks");
|
||||||
|
final String ourUrl =
|
||||||
|
JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
|
||||||
|
|
||||||
|
File file = new File(testDir, "test.jks");
|
||||||
|
file.delete();
|
||||||
|
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
|
||||||
|
|
||||||
|
// Set alias
|
||||||
|
String bindpassAlias = "bindpassAlias";
|
||||||
|
conf.set(LdapGroupsMapping.BIND_PASSWORD_ALIAS_KEY, bindpassAlias);
|
||||||
|
|
||||||
|
CredentialProvider provider =
|
||||||
|
CredentialProviderFactory.getProviders(conf).get(0);
|
||||||
|
char[] bindpass = "bindpass".toCharArray();
|
||||||
|
|
||||||
|
// Ensure that we get null when the key isn't there
|
||||||
|
assertNull(provider.getCredentialEntry(bindpassAlias));
|
||||||
|
|
||||||
|
// Create credential for the alias
|
||||||
|
provider.createCredentialEntry(bindpassAlias, bindpass);
|
||||||
|
provider.flush();
|
||||||
|
|
||||||
|
// Make sure we get back the right key
|
||||||
|
assertArrayEquals(bindpass, provider.getCredentialEntry(
|
||||||
|
bindpassAlias).getCredential());
|
||||||
|
|
||||||
|
LdapGroupsMapping mapping = new LdapGroupsMapping();
|
||||||
|
Assert.assertEquals("bindpass",
|
||||||
|
mapping.getPasswordFromCredentialProviders(conf, bindpassAlias, ""));
|
||||||
|
|
||||||
|
// Empty for an invalid alias
|
||||||
|
Assert.assertEquals("", mapping.getPasswordFromCredentialProviders(
|
||||||
|
conf, "invalid-alias", ""));
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Test that if the {@link LdapGroupsMapping#CONNECTION_TIMEOUT} is set in the
|
* Test that if the {@link LdapGroupsMapping#CONNECTION_TIMEOUT} is set in the
|
||||||
* configuration, the LdapGroupsMapping connection will timeout by this value
|
* configuration, the LdapGroupsMapping connection will timeout by this value
|
||||||
|
|
Loading…
Reference in New Issue