
Add operator friendly protections for LDAP group mappings in druid-basic-security extension #13467

Closed
wants to merge 4 commits into from

Conversation

capistrant
Contributor

Fixes #13322

Description

Helps prevent the creation of an invalid LDAP group mapping when using the druid-basic-security extension.

  1. When creating a new mapping, it does a sanity check to make sure it can create an LdapName object using the pattern supplied. The LDAP server should throw a naming exception if the pattern is invalid. If this is the case, return 400 to the caller.
  2. Allow the operator to provide a regex for the pattern being created if they want to. If there is no pattern provided, nothing is checked. If a pattern is provided, the user supplied pattern is matched against that regex, and if there is not a match, the request will fail.

Helps behavior if an invalid LDAP group mapping exists in the metastore

  1. When getting roles, if an invalid pattern is discovered, that role is skipped instead of having an exception thrown which breaks the entire authenticator

Release note

For tips about how to write a good release note, see Release notes.

Adds an optional new configuration to druid-basic-security extension for those using LDAP integration.

druid.auth.authorizer.MyBasicLDAPAuthorizer.groupMappingGroupPatternRegex is a pattern that all newly created group mapping patterns must match in order to be created. If the config is not overridden, there is no pattern matching enforced.


Key changed/added classes in this PR
  • RoleProvider
  • LDAPRoleProvider
  • CoordinatorBasicAuthorizerResourceHandler
  • BasicRoleBasedAuthorizer

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.
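The two protections described in this PR, as an added, stand-alone illustration written for this page (it is not the PR's own code and not Druid's `LDAPRoleProvider`): a create-time check that the proposed group pattern parses as an LDAP name and, when the operator has set a regex, fully matches it; and a role lookup that skips a stored mapping whose pattern no longer parses instead of failing the whole authorizer. `javax.naming.ldap.LdapName` parses the DN locally and throws `InvalidNameException` on malformed syntax, so the first check needs no directory round-trip. The `ValidationResult` type, the method names, the suffix-match rule used to relate a group DN to a pattern, and all sample DNs and the regex are assumptions constructed for the example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class GroupMappingValidation {

    /** Outcome of validating a proposed group mapping pattern (hypothetical type, not Druid's). */
    public static final class ValidationResult {
        public final boolean accepted;
        public final String reason;

        private ValidationResult(boolean accepted, String reason) {
            this.accepted = accepted;
            this.reason = reason;
        }

        static ValidationResult ok() { return new ValidationResult(true, "ok"); }
        static ValidationResult reject(String reason) { return new ValidationResult(false, reason); }
    }

    /**
     * Checks a pattern before it is stored, mirroring the two checks described in the PR:
     * 1) the pattern must parse as an LDAP name (LdapName parses locally and throws
     *    InvalidNameException on malformed syntax), and
     * 2) if the operator configured a regex, the pattern must fully match it.
     * A rejected result is what a resource handler would turn into an HTTP 400.
     */
    public static ValidationResult validateGroupPattern(String groupPattern, String allowedRegex) {
        if (groupPattern == null || groupPattern.isEmpty()) {
            return ValidationResult.reject("group pattern must not be empty");
        }
        try {
            new LdapName(groupPattern);
        } catch (InvalidNameException e) {
            return ValidationResult.reject("group pattern is not a valid LDAP name: " + e.getMessage());
        }
        if (allowedRegex != null && !allowedRegex.isEmpty()) {
            try {
                if (!Pattern.matches(allowedRegex, groupPattern)) {
                    return ValidationResult.reject("group pattern does not match operator regex " + allowedRegex);
                }
            } catch (PatternSyntaxException e) {
                // A malformed operator regex must not silently disable the check: fail closed.
                return ValidationResult.reject("operator regex is itself invalid: " + e.getDescription());
            }
        }
        return ValidationResult.ok();
    }

    /**
     * Resolves roles for a user's group DNs. Mappings whose stored pattern does not parse
     * (for example one written before create-time validation existed) are skipped and logged
     * instead of aborting the whole lookup. Matching rule assumed for this example: the group DN
     * ends with the pattern (LdapName.startsWith compares from the rightmost RDN).
     */
    public static List<String> rolesForGroups(List<String> userGroupDns, Map<String, String> patternToRole) {
        List<String> roles = new ArrayList<>();
        for (Map.Entry<String, String> mapping : patternToRole.entrySet()) {
            LdapName pattern;
            try {
                pattern = new LdapName(mapping.getKey());
            } catch (InvalidNameException e) {
                System.err.println("skipping invalid group mapping pattern: " + mapping.getKey());
                continue;
            }
            for (String groupDn : userGroupDns) {
                try {
                    if (new LdapName(groupDn).startsWith(pattern)) {
                        roles.add(mapping.getValue());
                        break;
                    }
                } catch (InvalidNameException e) {
                    // A group DN returned by the directory that does not parse is ignored.
                }
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed operator regex and sample DNs; none of these come from the PR.
        String regex = "^cn=[A-Za-z0-9_-]+,ou=groups,dc=example,dc=org$";
        System.out.println(validateGroupPattern("cn=druid-admins,ou=groups,dc=example,dc=org", regex).reason);
        System.out.println(validateGroupPattern("cn=druid-admins,ou", regex).reason);                  // fails LdapName parse
        System.out.println(validateGroupPattern("cn=druid-admins,ou=people,dc=example,dc=org", regex).reason); // fails regex

        Map<String, String> mappings = new LinkedHashMap<>();
        mappings.put("cn=druid-admins,ou=groups,dc=example,dc=org", "admin");
        mappings.put("cn=broken,ou", "never-used");          // invalid stored mapping that gets skipped
        mappings.put("ou=groups,dc=example,dc=org", "reader");
        List<String> groups = List.of("cn=druid-admins,ou=groups,dc=example,dc=org");
        System.out.println(rolesForGroups(groups, mappings));
    }
}
```

`Pattern.matches` requires the whole pattern string to match, so an operator regex written without anchors still cannot be satisfied by a partial match; the explicit `PatternSyntaxException` branch matters because a typo in the configured regex would otherwise surface as a 500 on every create request rather than a clear rejection.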

@kfaraz kfaraz added the Security label Dec 1, 2022

This pull request has been marked as stale due to 60 days of inactivity.
It will be closed in 4 weeks if no further activity occurs. If you think
that's incorrect or this pull request should instead be reviewed, please simply
write any comment. Even if closed, you can still revive the PR at any time or
discuss it on the dev@druid.apache.org list.
Thank you for your contributions.

@github-actions github-actions bot added the stale label Jan 12, 2024

This pull request/issue has been closed due to lack of activity. If you think that
is incorrect, or the pull request requires review, you can revive the PR at any time.

@github-actions github-actions bot closed this Feb 10, 2024
Successfully merging this pull request may close these issues.

druid-basic-security - LDAPRoleProvider breaks if groupMapping with invalid groupPattern is created
2 participants