Skip to content

KNOX-3374: Fix inherited roles missing from auth headers when LDAP ro…#1300

Merged
hanicz merged 1 commit into
apache:masterfrom
hanicz:KNOX-3374
Jul 8, 2026
Merged

KNOX-3374: Fix inherited roles missing from auth headers when LDAP ro…#1300
hanicz merged 1 commit into
apache:masterfrom
hanicz:KNOX-3374

Conversation

@hanicz

@hanicz hanicz commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

…les-lookup interceptor is active

KNOX-3374 - Inherited roles missing from auth headers when LDAP roles-lookup interceptor is active

What changes were proposed in this pull request?

  • KnoxLDAPServerManager.getUserGroups() now attaches a RolesLookupBypassControl to its LDAP search, so it returns raw group names instead of interceptor-rewritten role names.
  • Eliminates a double roles-lookup: LDAPRolesLookupInterceptor was rewriting memberOf to roles, and AbstractAuthResource then called the roles API again with those roles-as-groups — which returned only the user's direct roles, dropping inherited ones.
  • External LDAP-proxy clients are unaffected; the interceptor still rewrites memberOf on their searches.
  • New KnoxLDAPServerManagerTest#testGetUserGroupsReturnsRawGroupsEvenWhenRolesInterceptorRewritesMemberOf — installs the real roles interceptor over a test entries interceptor serving a user with memberOf group DNs; asserts getUserGroups returns raw group names, not the mocked roles.

How was this patch tested?

Unit tests
E2Etests:

Roles:

[
  { "id": "admin", "type": "user",
    "roles": [ { "scope": "console", "name": "admin" } ] },
  { "id": "me-test-group-a", "type": "group",
    "roles": [ { "scope": "ws-1", "name": "viewer" } ] },
  { "id": "me-test-group-b", "type": "group",
    "roles": [ { "scope": "ws-2", "name": "user" } ] }
]

Without changes:

ldapsearch -x -H ldap://localhost:10389 \
  -D "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org" -w admin-password \
  -b "dc=hadoop,dc=apache,dc=org" "(uid=admin)" memberOf

# admin, people, hadoop.apache.org
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
memberOf: cn=ws-1:viewer,ou=groups,ou=groups,dc=hadoop,dc=apache,dc=org
memberOf: cn=ws-2:user,ou=groups,ou=groups,dc=hadoop,dc=apache,dc=org
curl -kvs -u admin:admin-password \
  https://localhost:8443/gateway/sandbox/auth/api/v1/extauthz/anything

< username: admin
< roles: console:admin

With the fix:

ldapsearch -x -H ldap://localhost:10389 \
  -D "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org" -w admin-password \
  -b "dc=hadoop,dc=apache,dc=org" "(uid=admin)" memberOf

# admin, people, hadoop.apache.org
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
memberOf: cn=ws-1:viewer,ou=groups,ou=groups,dc=hadoop,dc=apache,dc=org
memberOf: cn=ws-2:user,ou=groups,ou=groups,dc=hadoop,dc=apache,dc=org
curl -kvs -u admin:admin-password \
  https://localhost:8443/gateway/sandbox/auth/api/v1/extauthz/anything

< username: admin
< roles: ws-1:viewer,console:admin,ws-2:user

Integration Tests

N/A

UI changes

N/A

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Test Results

32 tests   32 ✅  3s ⏱️
 1 suites   0 💤
 1 files     0 ❌

Results for commit b4dfa93.

@hanicz hanicz added the ldap label Jul 8, 2026

@pzampino pzampino left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hanicz hanicz merged commit 7b34b7c into apache:master Jul 8, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants