-
-
Notifications
You must be signed in to change notification settings - Fork 145
BE: RBAC: Impl Active Directory populator #717
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 5 commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
488f5b3
LDAP security config refactoring
Haarolean 4853eca
Merge branch 'main' into chore/rbac_ad
Haarolean 36a62bc
Support AD in LDAP authorities extractor. Resolves #54
Haarolean 9d257c9
Review suggestions
Haarolean 50bae9f
Impl AD role extractor, refactor configs
Haarolean ad1c65e
BE: RBAC: LDAP: Implement `user` subject type for LDAP & AD. Fixes #730
Haarolean 514c053
Review fixes: Make bind authenticator nullable for the AD case
Haarolean daa6cb7
Merge remote-tracking branch 'origin/main' into chore/rbac_ad
Haarolean File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
47 changes: 47 additions & 0 deletions
47
...ain/java/io/kafbat/ui/service/rbac/extractor/RbacActiveDirectoryAuthoritiesExtractor.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
package io.kafbat.ui.service.rbac.extractor; | ||
|
||
import io.kafbat.ui.model.rbac.Role; | ||
import io.kafbat.ui.model.rbac.provider.Provider; | ||
import io.kafbat.ui.service.rbac.AccessControlService; | ||
import java.util.Collection; | ||
import java.util.stream.Collectors; | ||
import lombok.extern.slf4j.Slf4j; | ||
import org.springframework.context.ApplicationContext; | ||
import org.springframework.ldap.core.DirContextOperations; | ||
import org.springframework.security.core.GrantedAuthority; | ||
import org.springframework.security.core.authority.SimpleGrantedAuthority; | ||
import org.springframework.security.ldap.authentication.ad.DefaultActiveDirectoryAuthoritiesPopulator; | ||
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator; | ||
|
||
@Slf4j | ||
public class RbacActiveDirectoryAuthoritiesExtractor implements LdapAuthoritiesPopulator { | ||
|
||
private final DefaultActiveDirectoryAuthoritiesPopulator populator = new DefaultActiveDirectoryAuthoritiesPopulator(); | ||
private final AccessControlService acs; | ||
|
||
public RbacActiveDirectoryAuthoritiesExtractor(ApplicationContext context) { | ||
this.acs = context.getBean(AccessControlService.class); | ||
} | ||
|
||
@Override | ||
public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) { | ||
var adGroups = populator.getGrantedAuthorities(userData, username) | ||
.stream() | ||
.map(GrantedAuthority::getAuthority) | ||
.peek(group -> log.trace("Found AD group [{}] for user [{}]", group, username)) | ||
.collect(Collectors.toSet()); | ||
|
||
return acs.getRoles() | ||
.stream() | ||
.filter(r -> r.getSubjects() | ||
.stream() | ||
.filter(subject -> subject.getProvider().equals(Provider.LDAP_AD)) | ||
.filter(subject -> subject.getType().equals("group")) | ||
Haarolean marked this conversation as resolved.
Show resolved
Hide resolved
|
||
.anyMatch(subject -> adGroups.contains(subject.getValue())) | ||
) | ||
.map(Role::getName) | ||
.peek(role -> log.trace("Mapped role [{}] for user [{}]", role, username)) | ||
.map(SimpleGrantedAuthority::new) | ||
.collect(Collectors.toSet()); | ||
} | ||
} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.