HUE-8821 [core] Fix Hue LDAP StartTLS implementation

Review Request #13910 - Created April 26, 2019 and updated

Prakash Ranade
hue
master
hue
bgooley, jgauthier, johan, ranade, romain, subrata, weixia, yingc
commit f4271a17977edcc1d4b664f4826ded91cf737647
Author: Prakash Ranade <ranade@cloudera.com>
Date:   Fri Apr 26 16:21:30 2019 -0700

    HUE-8821 [core] Fix Hue LDAP StartTLS implementation
    
    In testing an LDAPS SSL-based setup, the python ldap module does not need an explicit start_tls operation; it enables secure communication by default.

:100644 100644 8ef997530a d4480e267d M	apps/useradmin/src/useradmin/ldap_access.py
:100644 100644 78510db3b1 a84c64de71 M	desktop/core/src/desktop/auth/backend.py

Tested using ldaps url.

  2. This looks fine, but we're again changing the configuration that was done by the user.

    1. ...or we could look at this as us saving a step for the Hue admin. If they have specified "ldaps" and have not explicitly disabled StartTLS, then authentication will fail and the hadoop admin will need to find a single WARN line in the code telling them that StartTLS + LDAPS is not ok.
      With the code change, now we simply ignore StartTLS and continue.

      Since LDAPS is specified, that means the transmitted data will be encrypted. There is no feature loss here and the goal of securing LDAP communication is accomplished. If someone specifies an "ldaps://" scheme then they know they are configuring to use a TLS-only port which obviates any usefulness of StartTLS.
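
The scheme check discussed in this thread, as an added example that is not the code from the Hue patch: StartTLS is issued only on a plain `ldap://` session and skipped when the URL is `ldaps://`. The names `transport_mode`, `secure_connection`, `StubConnection` and the example hostnames are hypothetical; `start_tls_s()` is python-ldap's StartTLS call.

```python
from urllib.parse import urlsplit

IMPLICIT_TLS, STARTTLS, CLEARTEXT = "implicit-tls", "starttls", "cleartext"

def transport_mode(ldap_url, use_start_tls):
    """Decide how the LDAP session is protected from the URL scheme and the StartTLS flag."""
    scheme = urlsplit(ldap_url.strip()).scheme.lower()
    if scheme == "ldaps":
        # TLS is negotiated before any LDAP traffic, so StartTLS has nothing to upgrade.
        return IMPLICIT_TLS
    if scheme == "ldap":
        # Report cleartext as its own value so the caller can log or audit it.
        return STARTTLS if use_start_tls else CLEARTEXT
    raise ValueError("unsupported LDAP URL scheme: %r" % scheme)

def secure_connection(conn, ldap_url, use_start_tls):
    """Issue StartTLS only on a plain ldap:// session; return the mode for logging."""
    mode = transport_mode(ldap_url, use_start_tls)
    if mode == STARTTLS:
        conn.start_tls_s()  # python-ldap's synchronous StartTLS operation
    return mode

class StubConnection:
    """Constructed stand-in for a python-ldap connection; it only records StartTLS calls."""
    def __init__(self, url):
        self.url, self.start_tls_calls = url, 0

    def start_tls_s(self):
        # Models the failure described in the thread: StartTLS on an ldaps:// session.
        if self.url.lower().startswith("ldaps://"):
            raise RuntimeError("StartTLS requested on a session that is already TLS")
        self.start_tls_calls += 1

if __name__ == "__main__":
    # Constructed sample configurations: (ldap_url, use_start_tls)
    samples = [("ldaps://ldap.example.com:636", True),
               ("ldap://ldap.example.com:389", True),
               ("ldap://ldap.example.com:389", False)]
    for url, flag in samples:
        conn = StubConnection(url)
        print(url, "use_start_tls=%s" % flag, "->", secure_connection(conn, url, flag))
```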

  1. Ship It!
  1. Ship It!