org.apache.ambari.server.security.ldap

Class AmbariLdapDataPopulator

java.lang.Object

org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator

public class AmbariLdapDataPopulator
extends Object

Provides users, groups and membership population from LDAP catalog.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	AmbariLdapDataPopulator.LdapGroupContextMapper
protected static class	AmbariLdapDataPopulator.LdapUserContextMapper

Field Summary

Fields

Modifier and Type	Field and Description
protected LdapServerProperties	ldapServerProperties LDAP specific properties.

Constructor Summary

Constructors

Constructor and Description
AmbariLdapDataPopulator(com.google.inject.Provider<AmbariLdapConfiguration> configurationProvider, Users users) Construct an AmbariLdapDataPopulator.

Method Summary

Modifier and Type	Method and Description
protected void	addLdapGroup(LdapBatchDto batchInfo, Map<String,Group> internalGroupsMap, LdapGroupDto groupDto)
protected void	cleanUpLdapUsersWithoutGroup() Removes synced users which are not present in any of group.
protected org.springframework.ldap.filter.Filter	createCustomMemberFilter(String memberAttributeValue, String syncMemberFilter) Use custom member filter.
protected org.springframework.ldap.core.support.LdapContextSource	createLdapContextSource() LdapContextSource factory method.
protected org.springframework.ldap.core.LdapTemplate	createLdapTemplate(org.springframework.ldap.core.support.LdapContextSource ldapContextSource) LdapTemplate factory method.
protected org.springframework.ldap.control.PagedResultsDirContextProcessor	createPagingProcessor() PagedResultsDirContextProcessor factory method.
protected Set<LdapGroupDto>	getExternalLdapGroupInfo() Retrieves groups from external LDAP server.
protected Set<LdapUserDto>	getExternalLdapUserInfo() Retrieves users from external LDAP server.
protected Map<String,Group>	getInternalGroups() Creates a map of internal groups.
protected Map<String,User>	getInternalMembers(String groupName) Creates a map of internal users present in specified group.
protected Map<String,User>	getInternalUsers() Creates a map of internal users.
protected LdapGroupDto	getLdapGroupByMemberAttr(String memberAttributeValue) Get the LDAP group member for the given member attribute.
protected Set<LdapGroupDto>	getLdapGroups(String groupName) Get the set of LDAP groups for the given group name.
LdapSyncDto	getLdapSyncInfo() Retrieves information about external groups and users and their synced/unsynced state.
protected LdapUserDto	getLdapUserByMemberAttr(String memberAttributeValue) Get the LDAP user member for the given member attribute.
protected Set<LdapUserDto>	getLdapUsers(String username) Get the set of LDAP users for the given user name.
protected String	getUniqueIdByMemberPattern(String memberAttributeValue, String pattern) Replace memberAttribute value by a custom pattern to get the DN or id (like memberUid) of a user/group.
boolean	isLdapEnabled() Check if LDAP is enabled in server properties.
protected boolean	isMemberAttributeBaseDn(String memberAttributeValue) Determines that the member attribute can be used as a 'dn'
protected org.springframework.ldap.core.LdapTemplate	loadLdapTemplate() Checks LDAP configuration for changes and reloads LDAP template if they occurred.
protected void	refreshGroupMembers(LdapBatchDto batchInfo, LdapGroupDto group, Map<String,User> internalUsers, Map<String,Group> internalGroupsMap, Set<String> groupMemberAttributes, boolean recursive, boolean collectIgnoredUsers) Check group members of the synced group: add missing ones and remove the ones absent in external LDAP.
LdapBatchDto	synchronizeAllLdapGroups(LdapBatchDto batchInfo, boolean collectIgnoredUsers) Performs synchronization of all groups.
LdapBatchDto	synchronizeAllLdapUsers(LdapBatchDto batchInfo, boolean collectIgnoredUsers) Performs synchronization of given sets of all users.
LdapBatchDto	synchronizeExistingLdapGroups(LdapBatchDto batchInfo, boolean collectIgnoredUsers) Performs synchronization of existent users and groups.
LdapBatchDto	synchronizeExistingLdapUsers(LdapBatchDto batchInfo, boolean collectIgnoredUsers) Performs synchronization of existent users and groups.
LdapBatchDto	synchronizeLdapGroups(Set<String> groups, LdapBatchDto batchInfo, boolean collectIgnoredUsers) Performs synchronization of given set of groupnames.
LdapBatchDto	synchronizeLdapUsers(Set<String> users, LdapBatchDto batchInfo, boolean collectIgnoredUsers) Performs synchronization of given set of user names.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ldapServerProperties

protected LdapServerProperties ldapServerProperties

LDAP specific properties.

Constructor Detail

AmbariLdapDataPopulator

@Inject
public AmbariLdapDataPopulator(com.google.inject.Provider<AmbariLdapConfiguration> configurationProvider,
                                       Users users)

Construct an AmbariLdapDataPopulator.

Parameters:

configurationProvider - the Ambari configuration

users - utility that provides access to Users

Method Detail

isLdapEnabled

public boolean isLdapEnabled()

Check if LDAP is enabled in server properties.

Returns:

true if enabled

getLdapSyncInfo

public LdapSyncDto getLdapSyncInfo()

Retrieves information about external groups and users and their synced/unsynced state.

Returns:

dto with information

synchronizeAllLdapGroups

public LdapBatchDto synchronizeAllLdapGroups(LdapBatchDto batchInfo,
                                             boolean collectIgnoredUsers)
                                      throws org.apache.ambari.server.AmbariException

Performs synchronization of all groups.

Parameters:

collectIgnoredUsers - true, to collect the set of existing users that would normally be ignored; false, to continue to ignore them

Throws:

org.apache.ambari.server.AmbariException - if synchronization failed for any reason

synchronizeAllLdapUsers

public LdapBatchDto synchronizeAllLdapUsers(LdapBatchDto batchInfo,
                                            boolean collectIgnoredUsers)
                                     throws org.apache.ambari.server.AmbariException

Performs synchronization of given sets of all users.

Parameters:

collectIgnoredUsers - true, to collect the set of existing users that would normally be ignored; false, to continue to ignore them

Throws:

org.apache.ambari.server.AmbariException - if synchronization failed for any reason

synchronizeLdapGroups

public LdapBatchDto synchronizeLdapGroups(Set<String> groups,
                                          LdapBatchDto batchInfo,
                                          boolean collectIgnoredUsers)
                                   throws org.apache.ambari.server.AmbariException

Performs synchronization of given set of groupnames.

Parameters:

groups - set of groups to synchronize

collectIgnoredUsers - true, to collect the set of existing users that would normally be ignored; false, to continue to ignore them

Throws:

org.apache.ambari.server.AmbariException - if synchronization failed for any reason

synchronizeLdapUsers

public LdapBatchDto synchronizeLdapUsers(Set<String> users,
                                         LdapBatchDto batchInfo,
                                         boolean collectIgnoredUsers)
                                  throws org.apache.ambari.server.AmbariException

Performs synchronization of given set of user names.

Parameters:

users - set of users to synchronize

collectIgnoredUsers - true, to collect the set of existing users that would normally be ignored; false, to continue to ignore them

Throws:

org.apache.ambari.server.AmbariException - if synchronization failed for any reason

synchronizeExistingLdapGroups

public LdapBatchDto synchronizeExistingLdapGroups(LdapBatchDto batchInfo,
                                                  boolean collectIgnoredUsers)
                                           throws org.apache.ambari.server.AmbariException

Performs synchronization of existent users and groups.

Parameters:

collectIgnoredUsers - true, to collect the set of existing users that would normally be ignored; false, to continue to ignore them

Throws:

org.apache.ambari.server.AmbariException - if synchronization failed for any reason

synchronizeExistingLdapUsers

public LdapBatchDto synchronizeExistingLdapUsers(LdapBatchDto batchInfo,
                                                 boolean collectIgnoredUsers)
                                          throws org.apache.ambari.server.AmbariException

Performs synchronization of existent users and groups.

Parameters:

collectIgnoredUsers - true, to collect the set of existing users that would normally be ignored; false, to continue to ignore them

Throws:

org.apache.ambari.server.AmbariException - if synchronization failed for any reason

refreshGroupMembers

protected void refreshGroupMembers(LdapBatchDto batchInfo,
                                   LdapGroupDto group,
                                   Map<String,User> internalUsers,
                                   Map<String,Group> internalGroupsMap,
                                   Set<String> groupMemberAttributes,
                                   boolean recursive,
                                   boolean collectIgnoredUsers)
                            throws org.apache.ambari.server.AmbariException

Check group members of the synced group: add missing ones and remove the ones absent in external LDAP.

Parameters:

batchInfo - batch update object

group - ldap group

internalUsers - map of internal users

groupMemberAttributes - set of group member attributes that have already been refreshed

recursive - if disabled, it won't refresh members recursively (its not needed in case of all groups are processed)

collectIgnoredUsers - true, to collect the set of existing users that would normally be ignored; false, to continue to ignore them

Throws:

org.apache.ambari.server.AmbariException - if group refresh failed

getLdapGroups

protected Set<LdapGroupDto> getLdapGroups(String groupName)

Get the set of LDAP groups for the given group name.

Parameters:

groupName - the group name

Returns:

the set of LDAP groups for the given name

getLdapUsers

protected Set<LdapUserDto> getLdapUsers(String username)

Get the set of LDAP users for the given user name.

Parameters:

username - the user name

Returns:

the set of LDAP users for the given name

getLdapUserByMemberAttr

protected LdapUserDto getLdapUserByMemberAttr(String memberAttributeValue)

Get the LDAP user member for the given member attribute.

Parameters:

memberAttributeValue - the member attribute value

Returns:

the user for the given member attribute; null if not found

getLdapGroupByMemberAttr

protected LdapGroupDto getLdapGroupByMemberAttr(String memberAttributeValue)

Get the LDAP group member for the given member attribute.

Parameters:

memberAttributeValue - the member attribute value

Returns:

the group for the given member attribute; null if not found

createCustomMemberFilter

protected org.springframework.ldap.filter.Filter createCustomMemberFilter(String memberAttributeValue,
                                                                          String syncMemberFilter)

Use custom member filter. Replace {member} with the member attribute. E.g.: (&(objectclass=posixaccount)(dn={member})) -> (&(objectclass=posixaccount)(dn=cn=mycn,dc=apache,dc=org))

getUniqueIdByMemberPattern

protected String getUniqueIdByMemberPattern(String memberAttributeValue,
                                            String pattern)

Replace memberAttribute value by a custom pattern to get the DN or id (like memberUid) of a user/group. E.g.: memberAttribute=",cn=mycn,dc=org,dc=apache" Apply on (?.*);(?.*);(?.*) pattern, then the result will be: "${member}"

cleanUpLdapUsersWithoutGroup

protected void cleanUpLdapUsersWithoutGroup()
                                     throws org.apache.ambari.server.AmbariException

Removes synced users which are not present in any of group.

Throws:

org.apache.ambari.server.AmbariException

addLdapGroup

protected void addLdapGroup(LdapBatchDto batchInfo,
                            Map<String,Group> internalGroupsMap,
                            LdapGroupDto groupDto)

isMemberAttributeBaseDn

protected boolean isMemberAttributeBaseDn(String memberAttributeValue)

Determines that the member attribute can be used as a 'dn'

getExternalLdapGroupInfo

protected Set<LdapGroupDto> getExternalLdapGroupInfo()

Retrieves groups from external LDAP server.

Returns:

set of info about LDAP groups

getExternalLdapUserInfo

protected Set<LdapUserDto> getExternalLdapUserInfo()

Retrieves users from external LDAP server.

Returns:

set of info about LDAP users

getInternalGroups

protected Map<String,Group> getInternalGroups()

Creates a map of internal groups.

Returns:

map of GroupName-Group pairs

getInternalUsers

protected Map<String,User> getInternalUsers()

Creates a map of internal users.

Returns:

map of UserName-User pairs

getInternalMembers

protected Map<String,User> getInternalMembers(String groupName)

Creates a map of internal users present in specified group.

Parameters:

groupName - group name

Returns:

map of UserName-User pairs

loadLdapTemplate

protected org.springframework.ldap.core.LdapTemplate loadLdapTemplate()

Checks LDAP configuration for changes and reloads LDAP template if they occurred.

Returns:

LdapTemplate instance

createLdapContextSource

protected org.springframework.ldap.core.support.LdapContextSource createLdapContextSource()

LdapContextSource factory method.

Returns:

new context source

createPagingProcessor

protected org.springframework.ldap.control.PagedResultsDirContextProcessor createPagingProcessor()

PagedResultsDirContextProcessor factory method.

Returns:

new processor;

createLdapTemplate

protected org.springframework.ldap.core.LdapTemplate createLdapTemplate(org.springframework.ldap.core.support.LdapContextSource ldapContextSource)

LdapTemplate factory method.

Parameters:

ldapContextSource - the LDAP context source

Returns:

new LDAP template