
Atlas LDAP User and Group Search Filtering


New Contributor

Hi All!!

Introduction

An HDP 2.6.4 Sandbox cluster with user groups like atlas, devops, marketing and sales. I am using FreeIPA on CentOS 6 for authentication and Kerberos.

Requirement

  1. Allow only users from certain groups like atlas to log in to the Atlas UI, by integrating Atlas with LDAP(S).
  2. Authorize access for the Atlas users based on their roles like devops, marketing and sales.

Here are the approaches I could think of:

Approach

Configure User ("atlas.authentication.method.ldap.user.searchfilter") and Group ("atlas.authentication.method.ldap.groupSearchFilter") filtering parameters to restrict login access to Atlas UI.

"atlas.authentication.method.ldap.user.searchfilter" : "(&(uid={0})(memberOf=cn=atlas,cn=groups,cn=accounts,dc=sandbox,dc=hortonworks,dc=com))",

"atlas.authentication.method.ldap.groupSearchFilter" : "(&(objectClass=ipausergroup)(member=uid={0},cn=users,cn=accounts,dc=sandbox,dc=hortonworks,dc=com))",

Results

I was able to authorize access using Ranger for certain roles (atlas, devops) and deny it for all others (marketing, sales).

But the problem was preventing all LDAP users except those in a certain group from logging in to Atlas.

Here is the set of configuration I have tried for user and group filtering, as described in a few community articles (this and this):

"atlas.authentication.method.ldap.user.searchfilter" : "(&(uid={0})(memberOf=cn=atlas,cn=groups,cn=accounts,dc=sandbox,dc=hortonworks,dc=com))",
"atlas.authentication.method.ldap.referral" : "ignore",
"atlas.authentication.method.ldap.userDNpattern" : "uid={0},cn=users,cn=accounts,dc=sandbox,dc=hortonworks,dc=com",
"atlas.authentication.method.ldap.base.dn" : "cn=accounts,dc=sandbox,dc=hortonworks,dc=com",
"atlas.authentication.method.file" : "true",
"atlas.authorizer.impl" : "ranger",
"atlas.authentication.method.ldap.default.role" : "ROLE_USER",
"atlas.authentication.method.ldap.bind.dn" : "uid=hdpsandbox-ugsync,cn=users,cn=accounts,dc=sandbox,dc=hortonworks,dc=com",
"atlas.authentication.method.ldap.groupSearchFilter" : "(&(objectClass=ipausergroup)(member=uid={0},cn=users,cn=accounts,dc=sandbox,dc=hortonworks,dc=com))",
"atlas.authentication.method.ldap.type" : "ldap",
"atlas.authentication.method.kerberos" : "true",
"atlas.authentication.method.ldap.groupSearchBase" : "cn=groups,cn=accounts,dc=sandbox,dc=hortonworks,dc=com",
"atlas.authentication.method.ldap.groupRoleAttribute" : "cn",
"atlas.authentication.method.ldap" : "true",
"atlas.authentication.method.ldap.url" : "ldap://sandbox.hortonworks.com:389",

We can translate the above configuration into the following ldapsearch queries, and they work fine in filtering the users and groups. The user salesdemo is not part of the atlas group and hence should be denied access to the Atlas UI:

Group Search Filtering

ldapsearch -W -H ldap://sandbox.hortonworks.com:389 -D "uid=hdpsandbox-ugsync,cn=users,cn=accounts,dc=sandbox,dc=hortonworks,dc=com" -b "cn=groups,cn=accounts,dc=sandbox,dc=hortonworks,dc=com" "(member=uid=salesdemo,cn=users,cn=accounts,dc=sandbox,dc=hortonworks,dc=com)"

As expected, this lists all the groups user `salesdemo` is part of.

User Search Filtering

ldapsearch -W -H ldap://sandbox.hortonworks.com:389 -D "uid=hdpsandbox-ugsync,cn=users,cn=accounts,dc=sandbox,dc=hortonworks,dc=com" -b "uid=salesdemo,cn=users,cn=accounts,dc=sandbox,dc=hortonworks,dc=com" "(&(uid=salesdemo)(memberOf=cn=atlas,cn=groups,cn=accounts,dc=sandbox,dc=hortonworks,dc=com))"

As expected, user `salesdemo` is not part of the results, as it is not a member of the `atlas` group.

Unfortunately the user salesdemo is able to log in to the Atlas UI (but Ranger authorization will deny access to Atlas resources). Is my understanding of user and group search filtering in Atlas wrong? Is there any way to restrict login access to users of specific groups (like atlas)? Any reference to the documentation that describes these two parameters in more detail?
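To check offline what the two filters in the question should admit, here is an added example (not code from the original post, nor from the Atlas or FreeIPA projects): a small evaluator for RFC 4515 search filters run over a constructed directory snapshot. The entries for `atlas_user`, `salesdemo` and the `atlas`/`sales` groups are assumed data built to mirror the FreeIPA layout and base DN in the post; the two filter strings are copied verbatim from the configuration above. The parser goes a little beyond the page by also handling `|` and `!` items, so other filters can be tried against the same snapshot.

```python
"""Offline check of the Atlas LDAP user and group search filters.

Added example, not code from the original post or from Atlas/FreeIPA: a small
RFC 4515 filter parser (supporting &, |, ! and equality items) evaluated over a
constructed directory snapshot that mirrors the FreeIPA layout in the post.
"""

BASE = "cn=accounts,dc=sandbox,dc=hortonworks,dc=com"  # base DN from the post's config

# The two filters exactly as configured in the question; {0} is the login name.
USER_SEARCH_FILTER = "(&(uid={0})(memberOf=cn=atlas,cn=groups,%s))" % BASE
GROUP_SEARCH_FILTER = "(&(objectClass=ipausergroup)(member=uid={0},cn=users,%s))" % BASE

# Constructed directory snapshot (assumed data): two users, two groups.
DIRECTORY = {
    "uid=atlas_user,cn=users,%s" % BASE: {
        "objectClass": ["person", "posixaccount"],
        "uid": ["atlas_user"],
        "memberOf": ["cn=atlas,cn=groups,%s" % BASE],
    },
    "uid=salesdemo,cn=users,%s" % BASE: {
        "objectClass": ["person", "posixaccount"],
        "uid": ["salesdemo"],
        "memberOf": ["cn=sales,cn=groups,%s" % BASE],
    },
    "cn=atlas,cn=groups,%s" % BASE: {
        "objectClass": ["ipausergroup"],
        "cn": ["atlas"],
        "member": ["uid=atlas_user,cn=users,%s" % BASE],
    },
    "cn=sales,cn=groups,%s" % BASE: {
        "objectClass": ["ipausergroup"],
        "cn": ["sales"],
        "member": ["uid=salesdemo,cn=users,%s" % BASE],
    },
}


def parse_filter(text):
    """Parse an RFC 4515 filter (subset) into a nested tuple tree.

    Nodes are ("&"|"|"|"!", [children]) or ("=", attribute, value).
    """

    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if i >= len(text) or text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children), i + 1
        # Equality item; the value may itself be a DN, so split on the first '='.
        end = text.index(")", i)
        attr, sep, value = text[i:end].partition("=")
        if not sep:
            raise ValueError("unsupported filter item %r" % text[i:end])
        return ("=", attr, value), end + 1

    node, consumed = parse(0)
    if consumed != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry; LDAP matching is case-insensitive."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for k, vals in entry.items() if k.lower() == attr.lower() for v in vals]
    return value.lower() in values


def ldap_search(directory, base, filter_text):
    """Subtree search: DNs under `base` whose entry satisfies the filter."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items()
                  if dn.lower().endswith(base.lower()) and matches(node, entry))


def user_allowed(login):
    """True when the user search filter admits the login (a non-empty result)."""
    found = ldap_search(DIRECTORY, "cn=users,%s" % BASE, USER_SEARCH_FILTER.format(login))
    return bool(found)


def groups_of(login):
    """Group names the group search filter returns for the login."""
    hits = ldap_search(DIRECTORY, "cn=groups,%s" % BASE, GROUP_SEARCH_FILTER.format(login))
    return [DIRECTORY[dn]["cn"][0] for dn in hits]


if __name__ == "__main__":
    for login in ("atlas_user", "salesdemo"):
        print(login, "allowed:", user_allowed(login), "groups:", groups_of(login))
```

Run stand-alone, the script reports `atlas_user` as admitted with group `atlas` and `salesdemo` as rejected with group `sales`, which is the behaviour the ldapsearch queries above already show. One thing worth checking on the Atlas side, since the configuration above sets both `atlas.authentication.method.ldap.userDNpattern` and the user search filter: Atlas builds its LDAP login on Spring Security's `BindAuthenticator`, which tries a configured user DN pattern first and only falls back to the user search when no pattern produced a successful bind, so a filter that is correct in isolation (as this evaluator confirms) can still be skipped entirely at login time.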


Re: Atlas LDAP User and Group Search Filtering

New Contributor

I have attached debug logs for the Atlas application for the following user logins (ignore the KnoxSSO logs; I am bypassing it to go directly to Atlas LDAP authentication with login.jsp).

User: atlas_user, Groups: atlas

Expected: This user is part of the atlas group and hence should be allowed to log in and has read authorization.

Results: As expected, you can see in the log that the user was able to log in via LDAP and then in Atlas has authorization to read.

Log File: atlas-debug.txt

User: salesdemo, Groups: sales

Expected: This user is not part of the atlas group and hence shouldn't have login access.

Results: User was able to access Atlas (despite not being part of the atlas group) but was denied resources since they don't have authorization.

Log File: atlas-debug-salesdemo.txt

As you can check from the logs, the Atlas user and group search filters aren't logging anything in the application log, and the user was able to log in regardless of group membership.