[KYUUBI #3020] kyuubi ldap add new config property kyuubi.authentication.ldap.bindpw and kyuubi.authentication.ldap.attrs

[dev-lpq]

Why are the changes needed?

Among the kyuubi ldap configuration parameters, there is currently "kyuubi.authentication.ldap.base.dn=", but there is no place corresponding to the CN password setting. similar to hive
"hive.server2.authentication.ldap.binddn",
"hive.server2.authentication.ldap.bindpw".

How was this patch tested?

• Add some test cases that check the changes thoroughly including negative and positive cases if possible

• Add screenshots for manual tests if appropriate

• Run test locally before make a pull request

[dev-lpq]

1.set kyuubi config

2.connect kyuubi successfully

3.Test LDAP InitialLdapContext failed

4.Test LDAP InitialDirContext failed

[yaooqinn]

LGTM, only minor revisions

[yaooqinn]

btw, #3213 (comment) these UTs can be added to the codebase too?

[dev-lpq]

btw, #3213 (comment) these UTs can be added to the codebase too?
The ldap UTs code will be added.

[dev-lpq]

btw, #3213 (comment) these UTs can be added to the codebase too?
The ldap UTs code will be added.

@yaooqinn Please help check the PR, I have added the LDAP UTs.

[yaooqinn]

cc @turboFei can you check this, since LDAP is adopted in your environment

[turboFei]

BatchRestApiSuite:
- basic batch rest client
- basic batch rest client with invalid user *** FAILED ***
  "org.apache.http.client.HttpResponseException: status code: 403, reason phrase: <html>
  <head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
  <title>Error 403 LDAP InitialLdapContext search results are empty, LDAP user: user.</title>
  </head>
  <body><h2>HTTP ERROR 403 LDAP InitialLdapContext search results are empty, LDAP user: user.</h2>
  <table>
  <tr><th>URI:</th><td>/api/v1/batches/1</td></tr>
  <tr><th>STATUS:</th><td>403</td></tr>
  <tr><th>MESSAGE:</th><td>LDAP InitialLdapContext search results are empty, LDAP user: user.</td></tr>
  <tr><th>SERVLET:</th><td>org.glassfish.jersey.servlet.ServletContainer-7b1d7f74</td></tr>
  </table>
  <hr/><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.48.v20220622</a><hr/>
  
  </body>
  </html>
  " did not contain "Error validating LDAP user: uid=user" (BatchRestApiSuite.scala:75)

could you help fix above UT failure?

[turboFei]

AllKyuubiConfiguration:
- Check all kyuubi configs *** FAILED ***
  java.lang.AssertionError: assertion failed: /home/runner/work/incubator-kyuubi/incubator-kyuubi/docs/deployment/settings.md out of date, please update doc with KYUUBI_UPDATE=1 build/mvn clean install -Pflink-provided,spark-provided,hive-provided -DwildcardSuites=org.apache.kyuubi.config.AllKyuubiConfiguration

KYUUBI_UPDATE=1 build/mvn clean install -Pflink-provided,spark-provided,hive-provided -DwildcardSuites=org.apache.kyuubi.config.AllKyuubiConfiguration

[turboFei]

According to https://docs.cloudera.com/cdp-private-cloud-base/7.1.6/using-das/topics/das-user-authentication-ldap.html

LDAP GUID Key: Specify the LDAP attribute name whose values are unique on this LDAP server. For example: uid or CN.

GUID Key is not used for SECURITY_PRINCIPAL.

[dev-lpq]

BatchRestApiSuite:
- basic batch rest client
- basic batch rest client with invalid user *** FAILED ***
  "org.apache.http.client.HttpResponseException: status code: 403, reason phrase: <html>
  <head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
  <title>Error 403 LDAP InitialLdapContext search results are empty, LDAP user: user.</title>
  </head>
  <body><h2>HTTP ERROR 403 LDAP InitialLdapContext search results are empty, LDAP user: user.</h2>
  <table>
  <tr><th>URI:</th><td>/api/v1/batches/1</td></tr>
  <tr><th>STATUS:</th><td>403</td></tr>
  <tr><th>MESSAGE:</th><td>LDAP InitialLdapContext search results are empty, LDAP user: user.</td></tr>
  <tr><th>SERVLET:</th><td>org.glassfish.jersey.servlet.ServletContainer-7b1d7f74</td></tr>
  </table>
  <hr/><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.48.v20220622</a><hr/>
  
  </body>
  </html>
  " did not contain "Error validating LDAP user: uid=user" (BatchRestApiSuite.scala:75)

could you help fix above UT failure?

fixed

[pan3793]

The change LGTM, please rebase master and resolve conflicts

[turboFei]

seems AUTHENTICATION_LDAP_GUIDKEY is not used now.

Can we remove it? cc @pan3793

[pan3793]

Is it a break change?

[turboFei]

it is a break change, we should keep backward compatibility.

@dev-lpq

could you deprecate AUTHENTICATION_LDAP_GUIDKEY?

If the AUTHENTICATION_LDAP_BINDDN is specified, using it first.

Otherwise, fallback to use original logical to get SECURITY_PRINCIPAL?

[codecov-commenter]

Codecov Report

Merging #3213 (31817cc) into master (a63587b) will increase coverage by 0.26%.
The diff coverage is 97.33%.

@@             Coverage Diff              @@
##             master    #3213      +/-   ##
============================================
+ Coverage     51.06%   51.33%   +0.26%     
  Complexity       13       13              
============================================
  Files           470      468       -2     
  Lines         26224    26205      -19     
  Branches       3626     3631       +5     
============================================
+ Hits          13392    13452      +60     
+ Misses        11556    11465      -91     
- Partials       1276     1288      +12     

Impacted Files	Coverage Δ
...uthentication/LdapAuthenticationProviderImpl.scala	95.38% <96.15%> (+3.38%)	⬆️
...in/scala/org/apache/kyuubi/config/KyuubiConf.scala	97.05% <100.00%> (-0.35%)	⬇️
...ubi/engine/spark/operation/PlanOnlyStatement.scala	62.22% <0.00%> (-4.45%)	⬇️
...rg/apache/kyuubi/ctl/cmd/log/LogBatchCommand.scala	78.00% <0.00%> (-4.00%)	⬇️
...ache/kyuubi/operation/KyuubiOperationManager.scala	80.82% <0.00%> (-1.37%)	⬇️
...he/kyuubi/ha/client/etcd/EtcdDiscoveryClient.scala	67.50% <0.00%> (-0.63%)	⬇️
...a/org/apache/kyuubi/service/TFrontendService.scala	91.17% <0.00%> (-0.30%)	⬇️
...c/main/java/org/apache/kyuubi/jdbc/hive/Utils.java	36.78% <0.00%> (-0.11%)	⬇️
.../java/org/apache/kyuubi/jdbc/KyuubiHiveDriver.java	4.87% <0.00%> (ø)
... and 9 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[turboFei]

Now the only remaining comments is #3213 (comment)

how about fallback to get binddn according to guidKey & baseDn just like before if AUTHENTICATION_LDAP_BINDDN is not specified?

Otherwise, the customers that use the old kyuubi version will meet failure after upgrading kyuubi.

@dev-lpq

[turboFei]

thanks for your contribution @dev-lpq , will merge it after UT passed.

[turboFei]

thanks @dev-lpq , merged to master

[turboFei]

could you bind your email(pengqli@cisco.com) to your github account?

FYI: https://github.com/settings/emails

@dev-lpq

[dev-lpq]

could you bind your email(pengqli@cisco.com) to your github account?

FYI: https://github.com/settings/emails

@dev-lpq

@turboFei Added, thanks.

[pan3793]

merged to 1.6 as well

[pan3793]

@dev-lpq @turboFei after a detailed look and comparing to the hive codebase, I think the current implementation is not mature. As 1.6 is going to RC, I prefer to revert this change in branch-1.6 and leave it on master to get more time to improve it.

[pan3793]

During the review period of #3457, I found that some changes in this PR are confusing, I'm going to revert this on master and rework it in #3457

[dev-lpq]

@pan3793 Thanks, what is confusing? I will research the #3457, and submit a version that better matches hive ldap mode.

[pan3793]

The following logic is not correct I think

val mail = if (!hasDomain(user) && domain.nonEmpty) (user + "@" + domain.get) else user
...
nameEnuResults = ctx.search(baseDn, s"(mail=$mail)", sc)

I can not fully understand what's purpose of kyuubi.authentication.ldap.attrs by reading the description "Specifies part of the search as an attribute returned by LDAP. For example: mail,name." and code. BTW, I don't find a similar conf key in Hive.

I don't have much experience w/ LDAP, and I would like to provide similar configurations w/ Hive unless we have strong reasons that we can give a better solution.

[pan3793]

Basically, the principle is to give users the same(or better) configuration keys w/ Hive.

For implementation, unboundid-ldapsdk claims to provide better API than JDK, I think it is valued to have a try, another option is referring to Hive code.

[dev-lpq]

Thank you for your answer, the current way to verify ldap:
1.access to ldap datasource
kyuubi.authentication.ldap.bindpw & kyuubi.authentication.ldap.binddn
2. query target user info
nameEnuResults = ctx.search(baseDn, s"(mail=$mail)", sc)
3. check the account and password according to kyuubi.authentication.ldap.attrs.

I will research unboundid-ldapsdk and hive LDAP , and provide a better solution.

[pan3793]

@dev-lpq, thanks for your passion and patience