apache · zhongjiajie · Jun 17, 2022 · Jun 15, 2022 · Jun 15, 2022 · Jun 15, 2022
@@ -226,6 +226,7 @@ security.authentication.ldap.username|cn=read-only-admin,dc=example,dc=com|LDAP
 security.authentication.ldap.password|password|LDAP password
 security.authentication.ldap.user.identity.attribute|uid|LDAP user identity attribute 
 security.authentication.ldap.user.email.attribute|mail|LDAP user email attribute
+security.authentication.ldap.user.not.exist.action|CREATE|action when LDAP user is not exist. Default CREATE: automatically create user when user not exist, DENY: deny log-in when user not exist
 
 ### master.properties [master-service log config]
 

@@ -217,7 +217,7 @@ security.authentication.ldap.username|cn=read-only-admin,dc=example,dc=com|LDAP
 security.authentication.ldap.password|password|LDAP密码
 security.authentication.ldap.user.identity.attribute|uid|LDAP用户身份标识字段名
 security.authentication.ldap.user.email.attribute|mail|LDAP邮箱字段名
-
+security.authentication.ldap.user.not.exist.action|CREATE|当LDAP用户不存在时执行的操作。CREATE：当用户不存在时自动新建用户, DENY：当用户不存在时拒绝登陆
 
 ## 6.master.properties [Master服务配置]
 |参数 |默认值| 描述| 

@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.dolphinscheduler.api.security;
+
+import com.baomidou.mybatisplus.annotation.EnumValue;
+
+/**
+ * ldap user not exist action type
+ */
+public enum LdapUserNotExistActionType {
+
+    CREATE(0, "automatically create user when user not exist"),
+    DENY(1, "deny log-in when user not exist"),
+    ;
+
+    LdapUserNotExistActionType(int code, String desc) {
+        this.code = code;
+        this.desc = desc;
+    }
+
+    @EnumValue
+    private final int code;
+    private final String desc;
+}
@@ -17,6 +17,7 @@
 
 package org.apache.dolphinscheduler.api.security.impl.ldap;
 
+import org.apache.dolphinscheduler.api.security.LdapUserNotExistActionType;
 import org.apache.dolphinscheduler.api.security.impl.AbstractAuthenticator;
 import org.apache.dolphinscheduler.api.service.UsersService;
 import org.apache.dolphinscheduler.dao.entity.User;
@@ -37,7 +38,10 @@ public User login(String userId, String password, String extra) {
             //check if user exist
             user = usersService.getUserByUserName(userId);
             if (user == null) {
-                user = usersService.createUser(ldapService.getUserType(userId), userId, ldapEmail);
+                LdapUserNotExistActionType type = ldapService.getLdapUserNotExistAction();
+                if(type == LdapUserNotExistActionType.CREATE){
+                    user = usersService.createUser(ldapService.getUserType(userId), userId, ldapEmail);
+                }
             }
         }
         return user;

@@ -17,8 +17,11 @@
 
 package org.apache.dolphinscheduler.api.security.impl.ldap;
 
+import org.apache.dolphinscheduler.api.security.LdapUserNotExistActionType;
 import org.apache.dolphinscheduler.common.enums.UserType;
 
+import org.apache.commons.lang3.StringUtils;
+
 import java.util.Properties;
 
 import javax.naming.Context;
@@ -63,6 +66,9 @@ public class LdapService {
     @Value("${security.authentication.ldap.user.email.attribute:null}")
     private String ldapEmailAttribute;
 
+    @Value("${security.authentication.ldap.user.not.exist.action:CREATE}")
+    private String ldapUserNotExistAction;
+
     /***
      * get user type by configured admin userId
      * @param userId login userId
@@ -130,4 +136,13 @@ Properties getManagerLdapEnv() {
         env.put(Context.PROVIDER_URL, ldapUrls);
         return env;
     }
+
+    public LdapUserNotExistActionType getLdapUserNotExistAction(){
+        if (StringUtils.isBlank(ldapUserNotExistAction)) {
+            logger.info("security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
+            return LdapUserNotExistActionType.CREATE;
+        }
+
+        return LdapUserNotExistActionType.valueOf(ldapUserNotExistAction);
+    }
 }
@@ -143,6 +143,8 @@ security:
       password: password
       user.identity.attribute: uid
       user.email.attribute: mail
+      # action when ldap user is not exist (supported types: CREATE,DENY)
+      user.not.exist.action: CREATE
 
 # Override by profile
 

@@ -18,10 +18,12 @@
 package org.apache.dolphinscheduler.api.security;
 
 import org.apache.dolphinscheduler.api.controller.AbstractControllerTest;
+import org.apache.dolphinscheduler.api.security.impl.ldap.LdapService;
 
 import org.junit.Assert;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.test.context.TestPropertySource;
 
 @TestPropertySource(properties = {
@@ -32,9 +34,18 @@ public class SecurityConfigLDAPTest extends AbstractControllerTest {
     @Autowired
     private SecurityConfig securityConfig;
 
+    @Autowired
+    private LdapService ldapService;
+
     @Test
     public void testAuthenticator() {
         Authenticator authenticator = securityConfig.authenticator();
         Assert.assertNotNull(authenticator);
     }
+
+    @Test
+    public void testLdapUserNotExistAction() {
+        LdapUserNotExistActionType authenticator = ldapService.getLdapUserNotExistAction();
+        Assert.assertEquals(LdapUserNotExistActionType.CREATE, authenticator);
+    }
 }
@@ -21,6 +21,7 @@
 
 import org.apache.dolphinscheduler.api.controller.AbstractControllerTest;
 import org.apache.dolphinscheduler.api.enums.Status;
+import org.apache.dolphinscheduler.api.security.LdapUserNotExistActionType;
 import org.apache.dolphinscheduler.api.service.SessionService;
 import org.apache.dolphinscheduler.api.service.UsersService;
 import org.apache.dolphinscheduler.api.utils.Result;
@@ -30,6 +31,7 @@
 import org.apache.dolphinscheduler.dao.entity.User;
 
 import java.util.Date;
+import java.util.Map;
 import java.util.UUID;
 
 import javax.servlet.http.HttpServletRequest;
@@ -56,6 +58,7 @@
                 "security.authentication.ldap.password=password",
                 "security.authentication.ldap.user.identity.attribute=uid",
                 "security.authentication.ldap.user.email.attribute=mail",
+                "security.authentication.ldap.user.not.exist.action=CREATE",
         })
 public class LdapAuthenticatorTest extends AbstractControllerTest {
     private static Logger logger = LoggerFactory.getLogger(LdapAuthenticatorTest.class);
@@ -98,23 +101,30 @@ public void setUp() {
         mockSession.setIp(ip);
         mockSession.setUserId(1);
         mockSession.setLastLoginTime(new Date());
-
     }
 
     @Test
     public void testAuthenticate() {
-        when(sessionService.createSession(Mockito.any(User.class), Mockito.eq(ip))).thenReturn(mockSession.getId());
         when(ldapService.ldapLogin(ldapUid, ldapUserPwd)).thenReturn(ldapEmail);
+        when(sessionService.createSession(Mockito.any(User.class), Mockito.eq(ip))).thenReturn(mockSession.getId());
 
-        Result result = ldapAuthenticator.authenticate(ldapUid, ldapUserPwd, ip);
+        // test username pwd correct and user not exist, config user not exist action deny, so login denied
+        when(ldapService.getLdapUserNotExistAction()).thenReturn(LdapUserNotExistActionType.DENY);
+        Result<Map<String, String>> result = ldapAuthenticator.authenticate(ldapUid, ldapUserPwd, ip);
+        Assert.assertEquals(Status.USER_NAME_PASSWD_ERROR.getCode(), (int) result.getCode());
+
+        // test username pwd correct and user not exist, config user not exist action create, so login success
+        when(ldapService.getLdapUserNotExistAction()).thenReturn(LdapUserNotExistActionType.CREATE);
+        result = ldapAuthenticator.authenticate(ldapUid, ldapUserPwd, ip);
         Assert.assertEquals(Status.SUCCESS.getCode(), (int) result.getCode());
         logger.info(result.toString());
 
+        // test username pwd correct and user not exist, config action create but can't create session, so login failed
         when(sessionService.createSession(Mockito.any(User.class), Mockito.eq(ip))).thenReturn(null);
-
         result = ldapAuthenticator.authenticate(ldapUid, ldapUserPwd, ip);
         Assert.assertEquals(Status.LOGIN_SESSION_FAILED.getCode(), (int) result.getCode());
 
+        // test username pwd error, login failed
         when(ldapService.ldapLogin(ldapUid, ldapUserPwd)).thenReturn(null);
         result = ldapAuthenticator.authenticate(ldapUid, ldapUserPwd, ip);
         Assert.assertEquals(Status.USER_NAME_PASSWD_ERROR.getCode(), (int) result.getCode());

@@ -47,6 +47,7 @@
                 "security.authentication.ldap.password=password",
                 "security.authentication.ldap.user.identity.attribute=uid",
                 "security.authentication.ldap.user.email.attribute=mail",
+                "security.authentication.ldap.user.not.exist.action=CREATE",
         })
 public class LdapServiceTest {
     @Autowired

@@ -101,6 +101,8 @@ security:
       password: password
       user.identity.attribute: uid
       user.email.attribute: mail
+      # action when ldap user is not exist (supported types: CREATE,DENY)
+      user.not.exist.action: CREATE
 
 master:
   listen-port: 5678