METRON-1844: Allow for LDAP to be used for authentication and roles #1246
I went through the defunct Knox SSO feature branch and pulled out the LDAP bits. I made sure @simonellistonball is on the first commit to maintain attribution. When we merge this, we'll need to make sure that's properly maintained.
What this does is set up the set of LDAP configs, while maintaining backwards compatibility with the JDBC stuff by default.
I'd say the main objection I'd expect would be around unit/integration testing. Right now there's not anything in this PR, although we could probably pull in the EmbeddedLDAP from the branch and make sure the role endpoint works with it for integration.
I have run this up on full dev and tested against an actual OpenLDAP instance using https://github.com/osixia/docker-openldap. Instructions will be provided in a comment to duplicate this testing.
Pull Request Checklist
Thank you for submitting a contribution to Apache Metron.
To run this up against an OpenLDAP instance, make sure Docker is installed and running; we'll be using https://github.com/osixia/docker-openldap.
There is an LDIF file we'll load into this container at https://gist.github.com/justinleet/b8f0350f27b32d4d705f45b9c1ba8c6e.
It'll set up an admin user (admin), a regular user (sam), and a user without a role (tom).
We'll want to save that file somewhere. I'll be using
Run the container.
Run the container with
This does a few things
This will spin up the OpenLDAP instance and let it run.
Ambari LDAP setup
From the command line of the vagrant machine, run
A new tab, "Security", is added with the various LDAP related properties.
The other fields are already set to defaults to match the modified Knox users-ldif provided, so nothing should change.
Additionally, we also need to tell REST we will be using LDAP.
In the REST tab
Restart Metron REST
Go to the Swagger UI. You should meet a login screen. There are 3 users that should work in LDAP.
In Swagger, the UserController has another endpoint: "/whoami/roles". Using this endpoint should return the roles for each user.
These ROLES can be altered by changing the LDAP groups each user belongs to, e.g. see https://gist.github.com/justinleet/b8f0350f27b32d4d705f45b9c1ba8c6e#file-test-ldif-L95 for how "sam" is added to the "user" group.
This same login should also apply to the Alerts UI and Management UI. Login via JDBC should also no longer be possible (e.g. user/password login should no longer work).
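The test fixture and the role lookup described in this comment, as an added example that is not part of the PR or of the Metron code base: a small LDIF parser run over a constructed fixture with the same shape as the gist (people admin, sam and tom; groups admin and user), and a role derivation modelled on Spring Security's default group-to-authority mapping (a `ROLE_` prefix and the group `cn` upper-cased). That mapping is an assumption about how REST turns group membership into roles, not something checked against Metron's code; the fixture, DNs and password placeholder are constructed.

```python
"""Parse an LDIF fixture and derive roles from LDAP group membership.

Added illustration, not Metron code. The fixture below is constructed to
mirror the gist's shape: admin is in the admin and user groups, sam is in
the user group, tom is in no group and therefore carries no role.
"""
import base64
from collections import defaultdict

SAMPLE_LDIF = """\
version: 1
# people (constructed entries; userPassword is a placeholder)
dn: uid=admin,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: admin
cn: Admin User
sn: User
userPassword: {SSHA}PLACEHOLDER

dn: uid=sam,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: sam
cn: Sam
sn: Sample
description:: dGVz
 dCB1c2Vy

dn: uid=tom,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: tom
cn: Tom
sn: Example

# groups: membership here is what REST reports as a role
dn: cn=admin,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: admin
member: uid=admin,ou=people,dc=example,dc=org

dn: cn=user,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: user
member: uid=admin,ou=people,dc=example,dc=org
member: uid=sam,ou=people,dc=example,dc=org
"""


def norm_dn(dn):
    """Case-insensitive DN comparison key (attribute types and values lowered, spacing removed)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}} for every entry in an LDIF content record set.

    Handles comments, the version line, folded continuation lines (leading
    space) and base64 values (`attr:: ...`). URL values (`attr:< ...`) are
    not supported, which is fine for a users/groups fixture like this one.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)

    entries = {}
    current = None
    for line in unfolded + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if current is not None and "dn" in current:
                entries[current["dn"][0]] = dict(current)
            current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        if current is None:
            current = defaultdict(list)
        name, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current[name.strip().lower()].append(value)
    return entries


def user_dn(entries, uid):
    """DN of the entry whose uid attribute matches, or None if the user does not exist."""
    for dn, attrs in entries.items():
        if uid in attrs.get("uid", []):
            return dn
    return None


def roles_for(entries, uid, prefix="ROLE_"):
    """One role per groupOfNames whose member list contains the user's DN.

    Assumption: REST maps groups the way Spring Security's default LDAP
    authorities populator does (prefix + upper-cased group cn).
    """
    dn = user_dn(entries, uid)
    roles = set()
    if dn is None:
        return roles
    for attrs in entries.values():
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        members = [norm_dn(m) for m in attrs.get("member", [])]
        if "groupofnames" in classes and norm_dn(dn) in members:
            roles.add(prefix + attrs["cn"][0].upper())
    return roles


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("admin", "sam", "tom"):
        print(user, sorted(roles_for(directory, user)))
```

Running it prints admin with both roles, sam with only the user role and tom with an empty list, which is the distinction the "/whoami/roles" check above is meant to surface: tom can authenticate but gets no role, so moving a user between the admin and user groups in the LDIF is all that is needed to change what REST reports.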
If anyone is brave enough to try, or wants to help me, you can run the container with
This will set up the appropriate SSL port and map it to 33636.
In the Vagrant box, it's necessary to import the appropriate certificates to the truststore to be used. Generally this can be done with
Additionally, in the configs, there are settings for "LDAP Truststore" and "LDAP Truststore Password". These should be set to match the keystore you imported certificates to.
I attempted to pull the certs out of the container itself, as well as to use
in order to get certs. Neither seemed to make SSL happy, I can only assume my sacrificial offerings have been lacking lately.
The log error in Vagrant:
while the container gives:
Given that this is a negotiation failure, rather than an inability to make it to the handshake, I'm kind of inclined to not troubleshoot it too much here.