HUE-7073 [backend] When a user logs in using LdapBackEnd, restrict certain characters in the Hue login name.

Review Request #11295 - Created Aug. 7, 2017 and discarded

Prakash Ranade
hue
master
HUE-7073
hue
enricoberti, jennykim, jgauthier, johan, krish, ranade, romain, subrata, weixia, yingc
commit 5d56e51d061ba08258e55101ba6a3c8c093ba782
Author: Prakash Ranade <ranade@cloudera.com>
Date:   Tue Aug 22 12:55:04 2017 -0700

    HUE-7073 [backend] When a user logs in using LdapBackEnd, restrict certain characters in the Hue login name.
    
    When LDAPBackEnd is used we would like to prevent '(', ')' and '*' as characters in the login name.

:100644 100644 e4a1c69ad. d29cf06... M	desktop/core/src/desktop/auth/forms.py
:100644 100644 27c9530... 8febf36... M	desktop/core/src/desktop/auth/views_test.py
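The rule the commit message describes, written as a backend-aware login-name check. This is an added example, not Hue's own form code: the backend identifiers, the `LoginNameError` type and the sample names are assumptions, and the check is only enforced when the LDAP backend is active, so existing users of other backends are unaffected.

```python
# Added example (not Hue's own code): reject '(', ')' and '*' in a login
# name only when the LDAP backend is in use, per HUE-7073.

# Characters the commit message says should be refused in an LDAP login name.
LDAP_FORBIDDEN_CHARS = frozenset("()*")

# Assumed backend identifiers for illustration; Hue configures backends
# by dotted class path, but these exact strings are placeholders here.
LDAP_BACKEND = "desktop.auth.backend.LdapBackend"
ALLOW_ALL_BACKEND = "desktop.auth.backend.AllowAllBackend"


class LoginNameError(ValueError):
    """Raised when a login name violates the policy for the active backend."""


def forbidden_chars_in(username):
    """Return the forbidden characters found in username, in first-seen order."""
    found = []
    for ch in username:
        if ch in LDAP_FORBIDDEN_CHARS and ch not in found:
            found.append(ch)
    return found


def validate_login_name(username, backend):
    """Return username unchanged if it is acceptable for backend, else raise.

    Only the LDAP backend is restricted, so accounts on other backends whose
    names already contain these characters keep working.
    """
    if not username:
        raise LoginNameError("login name must not be empty")
    if backend != LDAP_BACKEND:
        return username
    bad = forbidden_chars_in(username)
    if bad:
        raise LoginNameError(
            "login name may not contain %s when the LDAP backend is used"
            % ", ".join(repr(c) for c in bad))
    return username


def is_valid_login_name(username, backend):
    """Boolean wrapper suited to a Django-style form clean_* method."""
    try:
        validate_login_name(username, backend)
    except LoginNameError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample names: one plain, two with LDAP metacharacters.
    for name in ("alice", "ad*min", "jane(doe)"):
        print("%-10r ldap=%s other=%s" % (
            name,
            is_valid_login_name(name, LDAP_BACKEND),
            is_valid_login_name(name, ALLOW_ALL_BACKEND)))
```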


Issue on apps/useradmin/src/useradmin/forms.py (Diff revision 1):

    must --> Must

  1. If this is an LDAP-specific issue, why don't we check for it at the LDAP backend only?
    (and avoid potential backward incompatibility changes and update the full username policy in general)

    1. Is it possible to change the backend after users are created? If so, shouldn't we apply a least common denominator approach to the username policy?

    2. Romain, I believe we should fix for all backends. Currently it is breaking for LDAP backend but in past we have seen "<script>" tag causing XSS in username. I can provide hue management command which can alert bad username identification.

    3. But that would be a frontend issue though? (like any text we display in Hue, users can put whatever they want already and we escape it automatically).

      Mostly worried we will hit some corner cases where some usernames have these special characters for some reason and they can't log in to Hue. Filtering in the LDAP backend is less restrictive, and if they switch backends it does not matter as it will not conflict there.

  1. Nice!

    Just add a test case to https://github.com/cloudera/hue/blob/master/desktop/core/src/desktop/auth/views_test.py#L134 ?

  1. run test specific passing?

Review request changed

Status: Discarded
