
HPCC-19884 Allow for HPCC to use other "adminstrators" group

For security purposes, HPCC Administrators should not have to be LDAP Administrators.
This PR allows an "adminGroupName" to be specified in the LDAP configuration, and
ESP is modified to check membership in this group to determine if a user is an
admin.

Signed-off-by: Russ Whitehead <william.whitehead@lexisnexisrisk.com>
Russ Whitehead 6 vuotta sitten
vanhempi
commit
57993f615f

+ 2 - 1
esp/scm/ws_access.ecm

@@ -128,6 +128,7 @@ ESPrequest UserEditRequest
 ESPresponse UserEditResponse
 {
     string username;
+    [min_ver("1.13")] bool isLDAPAdmin;
     ESParray<ESPstruct GroupInfo, Group> Groups;
 };
 
@@ -977,7 +978,7 @@ ESPresponse [nil_remove] UserAccountExportResponse
     [http_content("application/octet-stream")] binary Result;
 };
 
-ESPservice [version("1.12"), auth_feature("NONE"), exceptions_inline("./smc_xslt/exceptions.xslt")] ws_access
+ESPservice [version("1.13"), auth_feature("NONE"), exceptions_inline("./smc_xslt/exceptions.xslt")] ws_access
 {
     ESPmethod [client_xslt("/esp/xslt/access_users.xslt")] Users(UserRequest, UserResponse);
     ESPmethod [client_xslt("/esp/xslt/access_useredit.xslt")] UserEdit(UserEditRequest, UserEditResponse);

+ 3 - 0
esp/services/ws_access/ws_accessService.cpp

@@ -583,6 +583,9 @@ bool Cws_accessEx::onUserEdit(IEspContext &context, IEspUserEditRequest &req, IE
             throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
         CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
         resp.setUsername(req.getUsername());
+        double version = context.getClientVersion();
+        if (version >= 1.13)
+            resp.setIsLDAPAdmin(ldapsecmgr->isSuperUser(context.queryUser()));
 
         StringArray groupnames;
         ldapsecmgr->getGroups(req.getUsername(), groupnames);
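Review bot: The new `isLDAPAdmin` field is filled from `ldapsecmgr->isSuperUser(context.queryUser())`, i.e. it reports whether the calling user is an LDAP admin, not whether the user named in `req.getUsername()` is, and neither this hunk nor the `UserEditResponse` field name says so; a reader of the response will likely assume it describes the edited user. A comment above the assignment would remove the ambiguity, e.g. `// isLDAPAdmin describes the caller (context user), not the user being edited; intended for the client to gate admin-only controls`, or rename the field if the edited user was meant. The `version >= 1.13` gate compares a double against a literal, which appears to follow how other min_ver fields are handled in this service; if so that is fine for consistency. onUserEdit begins outside the hunk.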

+ 7 - 0
initfiles/componentfiles/configxml/ldapserver.xsd

@@ -146,6 +146,13 @@
                     </xs:appinfo>
                 </xs:annotation>
             </xs:attribute>
+            <xs:attribute name="adminGroupName" type="xs:string" use="optional" default="Administrators">
+                <xs:annotation>
+                    <xs:appinfo>
+                        <tooltip>The Active Directory group containing HPCC Administrators</tooltip>
+                    </xs:appinfo>
+                </xs:annotation>
+            </xs:attribute>
             <xs:attribute name="ldapPort" type="xs:nonNegativeInteger" use="optional" default="389">
                 <xs:annotation>
                     <xs:appinfo>
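Review bot: The `default="Administrators"` on the new `adminGroupName` attribute is unconditional, while the fallback added in system/security/LdapSecurity/ldapconnection.cpp chooses "Directory Administrators" when the server type is not Active Directory; a configuration emitted from this schema will therefore always carry `adminGroupName="Administrators"`, and the non-AD default in code can never take effect for generated configs. Either drop the schema default so an empty value reaches the server-type-dependent fallback, or document in the tooltip that the value must be changed for iPlanet/OpenLDAP. The tooltip also says "Active Directory group" although the attribute is honored for iPlanet and OpenLDAP as well; `<tooltip>The LDAP group (Active Directory, OpenLDAP or iPlanet) whose members are HPCC Administrators</tooltip>` would be accurate.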

+ 19 - 7
system/security/LdapSecurity/ldapconnection.cpp

@@ -250,6 +250,7 @@ private:
 
     int                  m_ldapport;
     int                  m_ldap_secure_port;
+    StringBuffer         m_adminGroupName;
     StringBuffer         m_protocol;
     StringBuffer         m_basedn;
     StringBuffer         m_domain;
@@ -393,6 +394,12 @@ public:
         {
             throw MakeStringException(-1, "getServerInfo error - %s", ldap_err2string(rc));
         }
+
+        m_adminGroupName.clear();
+        cfg->getProp(".//@adminGroupName", m_adminGroupName);
+        if(m_adminGroupName.isEmpty())
+            m_adminGroupName.set(m_serverType == ACTIVE_DIRECTORY ? "Administrators" : "Directory Administrators");
+
         const char* basedn = cfg->queryProp(".//@commonBasedn");
         if(basedn == NULL || *basedn == '\0')
         {
@@ -531,6 +538,11 @@ public:
             m_sdfieldname.append("aci");
     }
 
+    virtual const char * getAdminGroupName()
+    {
+        return m_adminGroupName.str();
+    }
+
     virtual LdapServerType getServerType()
     {
         return m_serverType;
@@ -4922,16 +4934,16 @@ private:
         LdapServerType stype = m_ldapconfig->getServerType();
         if(stype == ACTIVE_DIRECTORY)
         {
-            groupdn.append("cn=Administrators,cn=Builtin,").append(m_ldapconfig->getBasedn());
-        }
-        else if(stype == IPLANET)
-        {
-            groupdn.append("cn=Directory Administrators,").append(m_ldapconfig->getBasedn());
+            if (0 == stricmp(m_ldapconfig->getAdminGroupName(), "Administrators"))
+                groupdn.append("cn=Administrators,cn=Builtin,").append(m_ldapconfig->getBasedn());
+            else
+                groupdn.appendf("cn=%s,%s", m_ldapconfig->getAdminGroupName(), m_ldapconfig->getGroupBasedn());
         }
-        else if(stype == OPEN_LDAP)
+        else if(stype == IPLANET || stype == OPEN_LDAP)
         {
-            groupdn.append("cn=Directory Administrators,").append(m_ldapconfig->getBasedn());
+            groupdn.appendf("cn=%s,%s", m_ldapconfig->getAdminGroupName(), m_ldapconfig->getBasedn());
         }
+
     }
 
     virtual void changeUserMemberOf(const char* action, const char* userdn, const char* groupdn)
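Review bot: In the `@@ -4922` hunk the configured group name is interpolated into a DN with `groupdn.appendf("cn=%s,%s", ...)` without escaping, so a name containing DN-special characters (comma, plus, equals, quote, backslash, angle brackets, semicolon, leading hash) yields an invalid or different DN; the value is admin-controlled configuration, but an RFC 4514 escaping or validation step before the append, or at least a comment stating that the group name must be a plain CN, would make the contract explicit. The ACTIVE_DIRECTORY branch appends a non-default group to `getGroupBasedn()` while the IPLANET/OPEN_LDAP branch appends it to `getBasedn()`; if that asymmetry is intentional (built-in group container vs. user-created groups), a comment should say so, otherwise the non-AD branch probably wants `getGroupBasedn()` too. The `stricmp(..., "Administrators")` check means a custom group spelled "administrators" in a different container is silently redirected to `cn=Builtin`; a case-sensitive compare, or a comment noting the case-insensitive match, would avoid that surprise. The enclosing function starts outside the hunk, and the blank line added before its closing brace is stray.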