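/**
 * Opens a {@link DirSearch} bound with {@code password}, trying each candidate principal
 * derived from {@code user} until one bind succeeds.
 *
 * <p>The user name must be non-blank, and the password must be non-blank and must not begin
 * with a NUL character; both are rejected before any bind is attempted. Candidate principals
 * come from {@code LdapUtils.createCandidatePrincipals(conf, user)} and are tried in order.
 * A failed bind is only reported when no later candidate succeeds: the exception from the
 * last candidate is rethrown, earlier failures are dropped.
 *
 * @param user the user name supplied by the client
 * @param password the password supplied by the client
 * @return a search handle bound as the first candidate principal that authenticates
 * @throws AuthenticationException if either credential is rejected up front, if every
 *     candidate principal fails to bind (the last failure is propagated), or if no candidate
 *     principal could be derived for {@code user}
 */
private DirSearch createDirSearch(String user, String password) throws AuthenticationException {
  if (StringUtils.isBlank(user)) {
    throw new AuthenticationException("Error validating LDAP user:"
        + " a null or blank user name has been provided");
  }
  // isBlank() guarantees at least one character, so charAt(0) is safe. A leading NUL is
  // rejected exactly like a blank password; inspecting the char (instead of getBytes()[0])
  // keeps the check independent of the platform default charset.
  if (StringUtils.isBlank(password) || password.charAt(0) == '\u0000') {
    throw new AuthenticationException("Error validating LDAP user:"
        + " a null or blank password has been provided");
  }
  List<String> principals = LdapUtils.createCandidatePrincipals(conf, user);
  AuthenticationException lastFailure = null;
  for (String principal : principals) {
    try {
      return searchFactory.getInstance(conf, principal, password);
    } catch (AuthenticationException ex) {
      // Remember the failure and try the next candidate; only the last one is surfaced.
      lastFailure = ex;
    }
  }
  if (lastFailure != null) {
    throw lastFailure;
  }
  // Only reachable when no candidate principal was produced at all.
  throw new AuthenticationException(
      String.format("No candidate principals for %s was found.", user));
}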
/**
 * With two user DN patterns and no user or group filter configured, authentication must
 * succeed through the second pattern when the bind for the first one is rejected.
 *
 * <p>A dedicated factory mock is used here instead of the shared {@code factory} so that
 * the {@code ou=Users} principal can be made to fail while {@code ou=PowerUsers} succeeds.
 * Expects exactly two bind attempts with the supplied password and that the search handle
 * is closed afterwards.
 */
@Test
public void testAuthenticateNoUserOrGroupFilter()
    throws NamingException, AuthenticationException, IOException {
  final String password = "Blah";
  final String usersDn = "cn=user1,ou=Users,dc=mycorp,dc=com";
  final String powerUsersDn = "cn=user1,ou=PowerUsers,dc=mycorp,dc=com";
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN,
      "cn=%s,ou=Users,dc=mycorp,dc=com:cn=%s,ou=PowerUsers,dc=mycorp,dc=com");

  DirSearchFactory localFactory = mock(DirSearchFactory.class);
  when(search.findUserDn("user1")).thenReturn(powerUsersDn);
  when(localFactory.getInstance(conf, powerUsersDn, password)).thenReturn(search);
  when(localFactory.getInstance(conf, usersDn, password)).thenThrow(AuthenticationException.class);

  auth = new LdapAuthenticationProviderImpl(conf, localFactory);
  auth.Authenticate("user1", password);

  verify(localFactory, times(2)).getInstance(isA(HiveConf.class), anyString(), eq(password));
  verify(search, atLeastOnce()).close();
}
/**
 * Builds a fresh {@code HiveConf} for each test, pointing the LDAP URL at {@code localhost}
 * with console debug logging, and stubs the shared {@code factory} so that any
 * conf/principal/password combination yields the shared {@code search} mock. Individual
 * tests override this stub where a failing bind is needed.
 */
@Before
public void setup() throws AuthenticationException {
  HiveConf hiveConf = new HiveConf();
  hiveConf.set("hive.server2.authentication.ldap.url", "localhost");
  hiveConf.set("hive.root.logger", "DEBUG,console");
  conf = hiveConf;
  when(factory.getInstance(any(HiveConf.class), anyString(), anyString())).thenReturn(search);
}
/**
 * When a group filter is combined with a user membership key, the user is accepted once the
 * membership check for the configured group returns {@code true}.
 *
 * <p>Expects one bind with the supplied password, one group DN lookup, one membership check
 * and a closed search handle.
 */
@Test
public void testAuthenticateWhenUserMembershipKeyFilterPasses()
    throws NamingException, AuthenticationException, IOException {
  final String user = "user1";
  final String groupDn = "cn=HIVE-USERS,ou=Groups,dc=mycorp,dc=com";
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "HIVE-USERS");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN, "dc=mycorp,dc=com");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERMEMBERSHIP_KEY, "memberOf");

  when(search.findUserDn(user)).thenReturn("cn=user1,ou=PowerUsers,dc=mycorp,dc=com");
  when(search.findGroupDn("HIVE-USERS")).thenReturn(groupDn);
  when(search.isUserMemberOfGroup(user, groupDn)).thenReturn(true);

  auth = new LdapAuthenticationProviderImpl(conf, factory);
  auth.Authenticate(user, "Blah");

  verify(factory, times(1)).getInstance(isA(HiveConf.class), anyString(), eq("Blah"));
  verify(search, times(1)).findGroupDn(anyString());
  verify(search, times(1)).isUserMemberOfGroup(anyString(), anyString());
  verify(search, atLeastOnce()).close();
}
/**
 * With two group filters, explicit group and user DN patterns and a membership key, a
 * {@link NamingException} from the membership check of the first group must not reject the
 * user: the second group is still consulted and its positive answer is accepted.
 *
 * <p>Expects one bind, both group DN lookups, both membership checks and a closed handle.
 */
@Test
public void testAuthenticateWhenUserMembershipKeyFilter2x2PatternsPasses()
    throws NamingException, AuthenticationException, IOException {
  final String user = "user1";
  final String group1Dn = "cn=HIVE-USERS1,ou=Groups,ou=branch1,dc=mycorp,dc=com";
  final String group2Dn = "cn=HIVE-USERS2,ou=Groups,ou=branch1,dc=mycorp,dc=com";
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "HIVE-USERS1,HIVE-USERS2");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPDNPATTERN,
      "cn=%s,ou=Groups,ou=branch1,dc=mycorp,dc=com");
  // "Userss" is reproduced exactly as the existing fixture spells it.
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN,
      "cn=%s,ou=Userss,ou=branch1,dc=mycorp,dc=com");
  conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERMEMBERSHIP_KEY, "memberOf");

  when(search.findUserDn(user)).thenReturn("cn=user1,ou=PowerUsers,dc=mycorp,dc=com");
  when(search.findGroupDn("HIVE-USERS1")).thenReturn(group1Dn);
  when(search.findGroupDn("HIVE-USERS2")).thenReturn(group2Dn);
  // First group: the membership lookup errors out; second group: the user is a member.
  when(search.isUserMemberOfGroup(user, group1Dn)).thenThrow(NamingException.class);
  when(search.isUserMemberOfGroup(user, group2Dn)).thenReturn(true);

  auth = new LdapAuthenticationProviderImpl(conf, factory);
  auth.Authenticate(user, "Blah");

  verify(factory, times(1)).getInstance(isA(HiveConf.class), anyString(), eq("Blah"));
  verify(search, times(2)).findGroupDn(anyString());
  verify(search, times(2)).isUserMemberOfGroup(anyString(), anyString());
  verify(search, atLeastOnce()).close();
}
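/**
 * Opens a {@link DirSearch} bound with {@code password}, trying each candidate principal
 * derived from {@code user} until one bind succeeds.
 *
 * <p>The user name must be non-blank, and the password must be non-blank and must not begin
 * with a NUL character; both are rejected before any bind is attempted. Candidate principals
 * come from {@code LdapUtils.createCandidatePrincipals(conf, user)} and are tried in order.
 * A failed bind is only reported when no later candidate succeeds: the exception from the
 * last candidate is rethrown, earlier failures are dropped.
 *
 * @param user the user name supplied by the client
 * @param password the password supplied by the client
 * @return a search handle bound as the first candidate principal that authenticates
 * @throws AuthenticationException if either credential is rejected up front, if every
 *     candidate principal fails to bind (the last failure is propagated), or if no candidate
 *     principal could be derived for {@code user}
 */
private DirSearch createDirSearch(String user, String password) throws AuthenticationException {
  if (StringUtils.isBlank(user)) {
    throw new AuthenticationException("Error validating LDAP user:"
        + " a null or blank user name has been provided");
  }
  // isBlank() guarantees at least one character, so charAt(0) is safe. A leading NUL is
  // rejected exactly like a blank password; inspecting the char (instead of getBytes()[0])
  // keeps the check independent of the platform default charset.
  if (StringUtils.isBlank(password) || password.charAt(0) == '\u0000') {
    throw new AuthenticationException("Error validating LDAP user:"
        + " a null or blank password has been provided");
  }
  List<String> principals = LdapUtils.createCandidatePrincipals(conf, user);
  AuthenticationException lastFailure = null;
  for (String principal : principals) {
    try {
      return searchFactory.getInstance(conf, principal, password);
    } catch (AuthenticationException ex) {
      // Remember the failure and try the next candidate; only the last one is surfaced.
      lastFailure = ex;
    }
  }
  if (lastFailure != null) {
    throw lastFailure;
  }
  // Only reachable when no candidate principal was produced at all.
  throw new AuthenticationException(
      String.format("No candidate principals for %s was found.", user));
}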