[ADH-5161] Add service to docker-compose file for ldap

build-images.sh

@@ -80,6 +80,8 @@ case $CLUSTER_TYPE in
 
     docker build -f ./supports/tools/docker/multihost/kerberos/Dockerfile-kdc -t cloud-hub.adsw.io/library/ssm-kdc-server:${HADOOP_VERSION} .
 
+    docker build -f ./supports/tools/docker/multihost/ldap/Dockerfile-samba -t hub.adsw.io/qa-samba/samba:demo .
+
     docker build -f ./supports/tools/docker/multihost/datanode/Dockerfile-hadoop-datanode -t cloud-hub.adsw.io/library/hadoop-datanode:${HADOOP_VERSION} .
 
     docker build -f ./supports/tools/docker/multihost/namenode/Dockerfile-hadoop-namenode -t cloud-hub.adsw.io/library/hadoop-namenode:${HADOOP_VERSION} .

conf/smart-default.xml

@@ -648,4 +648,12 @@
         PASSWORD_COMPARE: search user by specified filters and use LDAP password compare operation
     </description>
   </property>
+
+  <property>
+    <name>smart.rest.server.auth.failures.logging.enabled</name>
+    <value>true</value>
+    <description>
+      Whether to enable unsuccessful REST server auth attempts.
+    </description>
+  </property>
 </configuration>

docs/rest-server-auth.md

@@ -96,14 +96,14 @@ and `smart.rest.server.auth.ldap.user.search.groups`
 
 Supported options:
 
-| Name                                                   | Default      | Description                                                                                    |
-|--------------------------------------------------------|--------------|------------------------------------------------------------------------------------------------|
-| smart.rest.server.auth.ldap.user.attributes.name       | uid          | The name attribute of user LDAP object                                                         |
-| smart.rest.server.auth.ldap.user.object-classes        | person       | Comma-separated list of LDAP user entry objectClasses                                          |
-| smart.rest.server.auth.ldap.user.attributes.membership | memberOf     | The group membership attribute of user LDAP object                                             |
-| smart.rest.server.auth.ldap.group.object-class         | groupOfNames | LDAP group entry objectClass                                                                   |
-| smart.rest.server.auth.ldap.group.attributes.name      | cn           | The name attribute of group LDAP object                                                        |
-| smart.rest.server.auth.ldap.user.search.groups         | -            | Comma-separated list of groups the user should belong to in order to successfully authenticate |
+| Name                                                   | Default                                                               | Description                                                                                    |
+|--------------------------------------------------------|-----------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
+| smart.rest.server.auth.ldap.user.attributes.name       | uid                                                                   | The name attribute of user LDAP object                                                         |
+| smart.rest.server.auth.ldap.user.object-classes        | person                                                                | Comma-separated list of LDAP user entry objectClasses                                          |
+| smart.rest.server.auth.ldap.user.attributes.membership | memberOf (you should provide this value explicitly in smart-site.xml) | The group membership attribute of user LDAP object                                             |
+| smart.rest.server.auth.ldap.group.object-class         | groupOfNames                                                          | LDAP group entry objectClass                                                                   |
+| smart.rest.server.auth.ldap.group.attributes.name      | cn                                                                    | The name attribute of group LDAP object                                                        |
+| smart.rest.server.auth.ldap.user.search.groups         | -                                                                     | Comma-separated list of groups the user should belong to in order to successfully authenticate |
 
 ### Group member attribute strategy
 
@@ -120,14 +120,14 @@ and `smart.rest.server.auth.ldap.user.search.groups`
 
 Supported options:
 
-| Name                                                | Default      | Description                                                                                    |
-|-----------------------------------------------------|--------------|------------------------------------------------------------------------------------------------|
-| smart.rest.server.auth.ldap.user.attributes.name    | uid          | The name attribute of user LDAP object                                                         |
-| smart.rest.server.auth.ldap.user.object-classes     | person       | Comma-separated list of LDAP user entry objectClasses                                          |
-| smart.rest.server.auth.ldap.group.object-class      | groupOfNames | LDAP group entry objectClass                                                                   |
-| smart.rest.server.auth.ldap.group.attributes.name   | cn           | The name attribute of group LDAP object                                                        |
-| smart.rest.server.auth.ldap.group.attributes.member | member       | The member attribute of group LDAP object                                                      |
-| smart.rest.server.auth.ldap.user.search.groups      | -            | Comma-separated list of groups the user should belong to in order to successfully authenticate |
+| Name                                                | Default                                                             | Description                                                                                    |
+|-----------------------------------------------------|---------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
+| smart.rest.server.auth.ldap.user.attributes.name    | uid                                                                 | The name attribute of user LDAP object                                                         |
+| smart.rest.server.auth.ldap.user.object-classes     | person                                                              | Comma-separated list of LDAP user entry objectClasses                                          |
+| smart.rest.server.auth.ldap.group.object-class      | groupOfNames                                                        | LDAP group entry objectClass                                                                   |
+| smart.rest.server.auth.ldap.group.attributes.name   | cn                                                                  | The name attribute of group LDAP object                                                        |
+| smart.rest.server.auth.ldap.group.attributes.member | member (you should provide this value explicitly in smart-site.xml) | The member attribute of group LDAP object                                                      |
+| smart.rest.server.auth.ldap.user.search.groups      | -                                                                   | Comma-separated list of groups the user should belong to in order to successfully authenticate |
 
 ### User name attribute strategy
 

smart-web-server/src/main/java/org/smartdata/server/config/ConfigKeys.java

@@ -140,4 +140,7 @@ public class ConfigKeys {
 
   public static final String SMART_REST_SERVER_LDAP_BIND_PASSWORD =
       "smart.rest.server.auth.ldap.bind.password";
+
+  public static final String SMART_REST_SERVER_AUTH_ERRORS_LOGGING_ENABLED =
+      "smart.rest.server.auth.failures.logging.enabled";
 }

smart-web-server/src/main/java/org/smartdata/server/config/SecurityConfiguration.java

@@ -18,6 +18,7 @@
 package org.smartdata.server.config;
 
 import org.smartdata.security.SmartPrincipalManager;
+import org.smartdata.server.error.AuthenticationFailureListener;
 import org.smartdata.server.security.SmartPrincipalInitializerFilter;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
@@ -33,13 +34,16 @@
 import java.util.List;
 import java.util.Set;
 
+import static org.smartdata.server.config.ConfigKeys.SMART_REST_SERVER_AUTH_ERRORS_LOGGING_ENABLED;
+import static org.smartdata.server.config.ConfigKeys.WEB_SECURITY_ENABLED;
+
 @Configuration
 public class SecurityConfiguration {
   private static final String SESSION_COOKIE_NAME = "SSM_SESSIONID";
   private static final String API_ENDPOINTS_PATTERN = "/api/**";
 
   @Bean
-  @ConditionalOnProperty(name = ConfigKeys.WEB_SECURITY_ENABLED, havingValue = "true")
+  @ConditionalOnProperty(name = WEB_SECURITY_ENABLED, havingValue = "true")
   public AuthenticationManager authenticationManager(
       List<AuthenticationProvider> authenticationProviders) {
     if (authenticationProviders.isEmpty()) {
@@ -50,7 +54,16 @@ public AuthenticationManager authenticationManager(
   }
 
   @Bean
-  @ConditionalOnProperty(name = ConfigKeys.WEB_SECURITY_ENABLED, havingValue = "true")
+  @ConditionalOnProperty(
+      name = {WEB_SECURITY_ENABLED, SMART_REST_SERVER_AUTH_ERRORS_LOGGING_ENABLED},
+      havingValue = "true"
+  )
+  public AuthenticationFailureListener authenticationFailureListener() {
+    return new AuthenticationFailureListener();
+  }
+
+  @Bean
+  @ConditionalOnProperty(name = WEB_SECURITY_ENABLED, havingValue = "true")
   public SecurityFilterChain securityFilterChain(
       HttpSecurity http,
       SmartPrincipalManager principalManager,
@@ -73,7 +86,7 @@ public SecurityFilterChain securityFilterChain(
 
   @Bean
   @ConditionalOnProperty(
-      name = ConfigKeys.WEB_SECURITY_ENABLED,
+      name = WEB_SECURITY_ENABLED,
       havingValue = "false",
       matchIfMissing = true)
   public SecurityFilterChain disabledSecurityFilterChain(HttpSecurity http) throws Exception {

smart-web-server/src/main/java/org/smartdata/server/error/AuthenticationFailureListener.java

@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.smartdata.server.error;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.context.ApplicationListener;
+import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
+
+@Slf4j
+public class AuthenticationFailureListener implements
+    ApplicationListener<AbstractAuthenticationFailureEvent> {
+
+  @Override
+  public void onApplicationEvent(AbstractAuthenticationFailureEvent event) {
+    log.error("Failed login attempt for {}",
+        event.getAuthentication().getName(), event.getException());
+  }
+}

supports/tools/docker/README.md

@@ -50,11 +50,13 @@ cd ./supports/tools/docker
 
 Use one of the following credentials to log in to the Web UI
 
-| Login          | Password  | Type     |
-|----------------|-----------|----------|
-| john           | 1234      | static   |
-| krb_user1@DEMO | krb_pass1 | kerberos |
-| krb_user2@DEMO | krb_pass2 | kerberos |
+| Login          | Password      | Type     |
+|----------------|---------------|----------|
+| john           | 1234          | static   |
+| krb_user1@DEMO | krb_pass1     | kerberos |
+| krb_user2@DEMO | krb_pass2     | kerberos |
+| july           | kitty_cat     | ldap     |
+| ben            | bens_password | ldap     |
 
 ### Testing SPNEGO auth
 

supports/tools/docker/multihost/conf/smart-default.xml

@@ -544,4 +544,115 @@
       Whether to enable SSL support for the SSM REST server.
     </description>
   </property>
+
+  <property>
+    <name>smart.rest.server.auth.ldap.enabled</name>
+    <value>false</value>
+    <description>
+      Whether to enable SSM REST server basic LDAP authentication method support.
+    </description>
+  </property>
+
+  <property>
+    <name>smart.rest.server.auth.ldap.search.base</name>
+    <value></value>
+    <description>
+      Base LDAP distinguished name for search.
+    </description>
+  </property>
+
+  <property>
+    <name>smart.rest.server.auth.ldap.user.search.base</name>
+    <value></value>
+    <description>
+      Base LDAP distinguished name for user search.
+    </description>
+  </property>
+
+  <property>
+    <name>smart.rest.server.auth.ldap.group.search.base</name>
+    <value></value>
+    <description>
+      Base LDAP distinguished name for group search.
+    </description>
+  </property>
+
+  <property>
+    <name>smart.rest.server.auth.ldap.user.attributes.name</name>
+    <value>uid</value>
+    <description>
+      The name attribute of user LDAP object.
+    </description>
+  </property>
+
+  <property>
+    <name>smart.rest.server.auth.ldap.user.object-classes</name>
+    <value>person</value>
+    <description>
+      Comma-separated list of LDAP user entry objectClasses.
+    </description>
+  </property>
+
+  <property>
+    <name>smart.rest.server.auth.ldap.user.search.scope</name>
+    <value>ONE_LEVEL</value>
+    <description>
+      The scope of LDAP user search. Possible values:
+      OBJECT - Search the named object
+      ONE_LEVEL - Search one level of the named context
+      SUBTREE - Search the entire subtree rooted at the named object
+    </description>
+  </property>
+
+  <property>
+    <name>smart.rest.server.auth.ldap.group.search.scope</name>
+    <value>ONE_LEVEL</value>
+    <description>
+      The scope of LDAP group search. Possible values:
+      OBJECT - Search the named object
+      ONE_LEVEL - Search one level of the named context
+      SUBTREE - Search the entire subtree rooted at the named object
+    </description>
+  </property>
+
+  <property>
+    <name>smart.rest.server.auth.ldap.user.attributes.password</name>
+    <value>userPassword</value>
+    <description>
+      The password attribute of user LDAP object.
+    </description>
+  </property>
+
+  <property>
+    <name>smart.rest.server.auth.ldap.group.object-class</name>
+    <value>groupOfNames</value>
+    <description>
+      LDAP group entry objectClass.
+    </description>
+  </property>
+
+  <property>
+    <name>smart.rest.server.auth.ldap.group.attributes.name</name>
+    <value>cn</value>
+    <description>
+      The name attribute of group LDAP object.
+    </description>
+  </property>
+
+  <property>
+    <name>smart.rest.server.auth.ldap.auth.type</name>
+    <value>BIND</value>
+    <description>
+      LDAP authentication type. Possible values:
+      BIND: search user by specified filters and authenticate with found user's DN and provided password
+      PASSWORD_COMPARE: search user by specified filters and use LDAP password compare operation
+    </description>
+  </property>
+  <property>
+    <name>smart.rest.server.auth.failures.logging.enabled</name>
+    <value>true</value>
+    <description>
+      Whether to enable unsuccessful REST server auth attempts.
+    </description>
+  </property>
 </configuration>

supports/tools/docker/multihost/conf/smart-site.xml

@@ -91,4 +91,56 @@
         <name>smart.rest.server.auth.spnego.principal</name>
         <value>HTTP/ssm-server.demo@DEMO</value>
     </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.enabled</name>
+        <value>true</value>
+    </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.url</name>
+        <value>ldap://samba:389</value>
+    </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.search.base</name>
+        <value>dc=ssm,dc=test</value>
+    </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.user.search.base</name>
+        <value>ou=people,dc=ssm,dc=test</value>
+    </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.group.search.base</name>
+        <value>ou=groups,dc=ssm,dc=test</value>
+    </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.user.attributes.name</name>
+        <value>sAMAccountName</value>
+    </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.user.search.scope</name>
+        <value>SUBTREE</value>
+    </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.group.search.scope</name>
+        <value>SUBTREE</value>
+    </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.auth.type</name>
+        <value>BIND</value>
+    </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.bind.user</name>
+        <value>cn=Administrator,CN=Users,DC=ssm,DC=test</value>
+    </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.bind.password</name>
+        <value>LZ2ibGAn2H0D0UW3</value>
+    </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.user.attributes.membership</name>
+        <value>memberOf</value>
+    </property>
+    <property>
+        <name>smart.rest.server.auth.ldap.user.search.groups</name>
+        <value>developers</value>
+    </property>
 </configuration>

supports/tools/docker/multihost/docker-compose.yaml

@@ -110,6 +110,20 @@ services:
     networks:
       - demo
 
+  samba:
+    image: hub.adsw.io/qa-samba/samba:demo
+    hostname: samba
+    container_name: samba
+    privileged: true
+    ports:
+      - "389:389"
+    environment:
+      SMB_ADMIN_PASSWORD: "LZ2ibGAn2H0D0UW3"
+    volumes:
+      - ./ldap:/opt/ad-scripts
+    networks:
+      - demo
+
 networks:
   demo:
     name: demo

supports/tools/docker/multihost/ldap/Dockerfile-samba

@@ -0,0 +1,4 @@
+FROM hub.adsw.io/library/adcc-test-ubuntu-base:latest-x64
+RUN mkdir -p /opt/ad-scripts
+WORKDIR /opt/ad-scripts
+CMD chmod +x *.sh && ./samba-ad-setup.sh && ./samba-ad-run.sh