Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HPCC-19884 Allow for HPCC to use other "adminstrators" group #12421

Merged

Conversation

@RussWhitehead
Copy link
Member

commented Apr 5, 2019

For security purposes, HPCC Administrators should not have to be LDAP Administrators.
THis PR allows an "adminGroupName" to be specified in the LDAP configuration, and
ESP is modified to check membership in this group to determine if a user is an
admin.

Signed-off-by: Russ Whitehead william.whitehead@lexisnexisrisk.com

Type of change:

  • This change is a bug fix (non-breaking change which fixes an issue).
  • This change is a new feature (non-breaking change which adds functionality).
  • This change improves the code (refactor or other change that does not change the functionality)
  • This change fixes warnings (the fix does not alter the functionality or the generated code)
  • This change is a breaking change (fix or feature that will cause existing behavior to change).
  • This change alters the query API (existing queries will have to be recompiled)

Checklist:

  • My code follows the code style of this project.
    • My code does not create any new warnings from compiler, build system, or lint.
  • The commit message is properly formatted and free of typos.
    • The commit message title makes sense in a changelog, by itself.
    • The commit is signed.
  • My change requires a change to the documentation.
    • I have updated the documentation accordingly, or...
    • I have created a JIRA ticket to update the documentation.
    • Any new interfaces or exported functions are appropriately commented.
  • I have read the CONTRIBUTORS document.
  • The change has been fully tested:
    • I have added tests to cover my changes.
    • All new and existing tests passed.
    • I have checked that this change does not introduce memory leaks.
    • I have used Valgrind or similar tools to check for potential issues.
  • I have given due consideration to all of the following potential concerns:
    • Scalability
    • Performance
    • Security
    • Thread-safety
    • Premature optimization
    • Existing deployed queries will not be broken
    • This change fixes the problem, not just the symptom
    • The target branch of this pull request is appropriate for such a change.
  • There are no similar instances of the same problem that should be addressed
    • I have addressed them here
    • I have raised JIRA issues to address them separately
  • This is a user interface / front-end modification
    • I have tested my changes in multiple modern browsers
    • The component(s) render as expected

Testing:

@hpcc-jirabot

This comment has been minimized.

Copy link

commented Apr 5, 2019

@RussWhitehead

This comment has been minimized.

Copy link
Member Author

commented Apr 5, 2019

@wangkx Please review

Copy link
Member

left a comment

@RussWhitehead 2 comments.

@@ -583,6 +583,7 @@ bool Cws_accessEx::onUserEdit(IEspContext &context, IEspUserEditRequest &req, IE
throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
resp.setUsername(req.getUsername());
resp.setIsLDAPAdmin(ldapsecmgr->isSuperUser(context.queryUser()));

This comment has been minimized.

Copy link
@wangkx

wangkx Apr 5, 2019

Member

You need to get the version of ESP client and set the IsLDAPAdmin if the version >= 1.13.
double version = context.getClientVersion();

if (0 == stricmp(m_ldapconfig->getAdminGroupName(), "Administrators"))
groupdn.append("cn=Administrators,cn=Builtin,").append(m_ldapconfig->getBasedn());
else
groupdn.appendf("cn=%s,%s", m_ldapconfig->getAdminGroupName(), m_ldapconfig->getGroupBasedn());

This comment has been minimized.

Copy link
@wangkx

wangkx Apr 5, 2019

Member

getGroupBasedn() or getBasedn()?

This comment has been minimized.

Copy link
@RussWhitehead

RussWhitehead Apr 5, 2019

Author Member

Administrators is an LDAP system group and is stored in a different location (baseDN) than user groups (GroupsBaseDN)

For security purposes, HPCC Administrators should not have to be LDAP Administrators.
THis PR allows an "adminGroupName" to be specified in the LDAP configuration, and
ESP is modified to check membership in this group to determine if a user is an
admin.

Signed-off-by: Russ Whitehead <william.whitehead@lexisnexisrisk.com>
@RussWhitehead RussWhitehead force-pushed the RussWhitehead:newAdmin72x branch from 0e73629 to 57993f6 Apr 5, 2019
@RussWhitehead

This comment has been minimized.

Copy link
Member Author

commented Apr 5, 2019

@wangkx Please rereview

@wangkx

This comment has been minimized.

Copy link
Member

commented Apr 5, 2019

@RussWhitehead looks fine.

@HPCCSmoketest

This comment has been minimized.

Copy link
Contributor

commented Apr 5, 2019

Automated Smoketest:
OS: centos 7.4.1708 (Linux 3.10.0-327.28.3.el7.x86_64)
Sha: 57993f6
Build: success
Build: success
Install HPCC Platform
HPCC Start: OK

Unit tests result:

Test total passed failed errors timeout elaps
unittest 111 111 0 0 0 34 sec
wutoolTest(Dali) 19 19 0 0 0 1 sec
wutoolTest(Cassandra) 19 19 0 0 0 7 sec

Regression test result:

phase total pass fail elaps
setup (hthor) 11 11 0 27 sec (00:00:27)
setup (thor) 11 11 0 46 sec (00:00:46)
setup (roxie) 11 11 0 21 sec (00:00:21)
test (hthor) 823 823 0 180 sec (00:03:00)
test (thor) 748 748 0 599 sec (00:09:59)
test (roxie) 897 897 0 408 sec (00:06:48)

HPCC Stop: OK
Time stats:

Prep time Build time Package time Install time Start time Test time Stop time Summary
27 sec (00:00:27) 212 sec (00:03:32) 0 sec (00:00:00) 3 sec (00:00:03) 18 sec (00:00:18) 1477 sec (00:24:37) 19 sec (00:00:19) 1756 sec (00:29:16)
@richardkchapman richardkchapman merged commit 9f8a1ad into hpcc-systems:candidate-7.2.x Apr 8, 2019
@RussWhitehead RussWhitehead deleted the RussWhitehead:newAdmin72x branch Apr 15, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
5 participants
You can’t perform that action at this time.