thelastpickle / cassandra-reaper

Automated Repair Awesomeness for Apache Cassandra
http://cassandra-reaper.io/
Apache License 2.0

Unable to resolve Active Directory Mapped Roles #1247

Open vividlost opened 1 year ago

vividlost commented 1 year ago


With the shiro.ini configuration below, I was able to authenticate with LDAP and map groups to roles; however, Reaper doesn't resolve/recognize the roles.

[main]
...

adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.url = ldap://adserver:389
adRealm.systemUsername = admin
adRealm.systemPassword = ******
adRealm.searchBase = "DC=company,DC=test"
adRealm.groupRolesMap = "CN=grp-reaper-stg-user,OU=company Groups,DC=company,DC=test":"user","CN=grp-reaper-stg-oper,OU=company Groups,DC=company,DC=test":"operator"
adRealm.authorizationCachingEnabled = false
adRealm.principalSuffix = @company.test

securityManager.realm = $adRealm

#rolePermissionResolver = org.apache.shiro.authz.permission.RolePermissionResolver
#authorizer.rolePermissionResolver = $rolePermissionResolver

# Disable global filters introduced in Shiro 1.6.0 as they break our redirects.
filterChainResolver.globalFilters = null

[roles]
operator = *
user = *:read

# default authentication is the following hardcoded admin user
[users]
admin = admin, operator

Reaper.log shows the LDAP user was mapped with roles

DEBUG  [2022-12-06 00:00:00,944] [dw-40] o.a.s.r.a.ActiveDirectoryRealm - Retrieving group names for user [CN=e123456,OU=company Users]
DEBUG  [2022-12-06 00:00:00,945] [dw-40] o.a.s.r.a.ActiveDirectoryRealm - Groups found for user [e123456]: [CN=grp-reaper-stg-oper,OU=company Groups,DC=company,DC=test, CN=grp-reaper-stg-user,OU=company Groups,DC=company,DC=test]
DEBUG  [2022-12-06 00:00:00,945] [dw-40] o.a.s.r.a.ActiveDirectoryRealm - User is member of group [CN=grp-reaper-stg-oper,OU=company Groups,DC=company,DC=test] so adding role [operator]
DEBUG  [2022-12-06 00:00:00,945] [dw-40] o.a.s.r.a.ActiveDirectoryRealm - User is member of group [CN=grp-reaper-stg-user,OU=company Groups,DC=company,DC=test] so adding role [user]

Yet I am still getting the following error message while trying to add a cluster in the web UI: "Unauthorized create operation for user: e123456."

I also tried to set rolePermissionResolver ("rolePermissionResolver = org.apache.shiro.authz.permission.RolePermissionResolver") but got the error below in cassandra-reaper.err while starting Reaper.

find: '/usr/share/polkit-1/rules.d': Permission denied
org.apache.shiro.config.ConfigurationException: Unable to instantiate class [org.apache.shiro.authz.permission.RolePermissionResolver] for object named 'rolePermissionResolver'.  Please ensure you've specified the fully qualified class name correctly.

Issue is synchronized with this Jira Story by Unito. Issue Number: REAP-81
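The ConfigurationException above arises because org.apache.shiro.authz.permission.RolePermissionResolver is an interface, which shiro.ini cannot instantiate; a concrete class has to be named instead. The following is an added illustration, not code from this issue or from Reaper, of such a resolver carrying the same role-to-permission table as the [roles] section; the package, class name and the cluster:read / cluster:create permission strings are assumptions (Reaper's actual permission strings are not shown in the issue).

```java
package example; // assumed package, not part of Reaper

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;

/**
 * Concrete RolePermissionResolver. The interface itself cannot be
 * instantiated from shiro.ini; a class like this one can be named in
 * "rolePermissionResolver = example.StaticRolePermissionResolver".
 * The table mirrors the reporter's [roles] section: operator = *, user = *:read.
 */
public final class StaticRolePermissionResolver implements RolePermissionResolver {

    private static final Map<String, List<String>> ROLE_PERMISSIONS = new HashMap<>();
    static {
        ROLE_PERMISSIONS.put("operator", List.of("*"));
        ROLE_PERMISSIONS.put("user", List.of("*:read"));
    }

    @Override
    public Collection<Permission> resolvePermissionsInRole(String roleString) {
        List<Permission> result = new ArrayList<>();
        // Unknown roles resolve to no permissions (deny by default).
        for (String s : ROLE_PERMISSIONS.getOrDefault(roleString, List.of())) {
            result.add(new WildcardPermission(s));
        }
        return result;
    }

    /** True if any permission granted to the role implies the required one. */
    public static boolean roleImplies(RolePermissionResolver r, String role, Permission needed) {
        return r.resolvePermissionsInRole(role).stream().anyMatch(p -> p.implies(needed));
    }

    // Self-check with assumed permission strings: "user" may read but not create,
    // "operator" may do both, because "*" implies every other wildcard permission.
    public static void main(String[] args) {
        RolePermissionResolver r = new StaticRolePermissionResolver();
        Permission read = new WildcardPermission("cluster:read");
        Permission create = new WildcardPermission("cluster:create");
        System.out.println("user read:       " + roleImplies(r, "user", read));
        System.out.println("user create:     " + roleImplies(r, "user", create));
        System.out.println("operator create: " + roleImplies(r, "operator", create));
    }
}
```

Wiring it in through the existing "authorizer.rolePermissionResolver = $rolePermissionResolver" line only removes the instantiation error; it does not on its own settle whether Reaper's authorization checks honour realm-supplied roles.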

adejanovski commented 1 year ago

Sadly I don't think we support roles mapping indeed. Definitely something that should be added if possible.