SCDF Server for Cloudfoundry: 1.2.4.RELEASE

I am configuring the security properties for LDAP authentication, and I have the authentication part working, but authorization is proving a little strange.

SCDF's security implementation appears to be looking for some roles like this: ROLE_CREATE, ROLE_MANAGE, ROLE_VIEW.

But for me, the standard group names require some specific naming convention in AD similar to the following: app_myapplication_authz_CREATE, app_myapplication_authz_MANAGE, and app_myapplication_authz_VIEW

When I debug through the SCDF authentication output, I can see that my authenticated principal's group memberships are being retrieved correctly. They show up in the DEBUG output as: ROLE_APP_MYAPPLICATION_AUTHZ_CREATE, ROLE_APP_MYAPPLICATION_AUTHZ_MANAGE, ROLE_APP_MYAPPLICATION_AUTHZ_VIEW

Now, I include a YML security configuration that looks like this:

spring:
  cloud:
    dataflow:
      security:
        authorization:
          enabled: true
          rules:
          - GET /metrics/streams => hasRole('ROLE_APP_MYAPPLICATION_AUTHZ_VIEW')
          - POST /apps/** => hasRole('ROLE_APP_MYAPPLICATION_AUTHZ_CREATE')
          - etc, etc, etc

And so on, for all the endpoint authorizations.

However, I'm still receiving a message after successful authentication that I don't have the appropriate roles and I need to talk to my administrator.

What am I misconfiguring, or what am I missing in this setup?

Update

I downloaded the source code for the 1.2.1.RELEASE version of the spring cloud dataflow ui from here: GitHub spring-cloud-dataflow-ui

And discovered that in all the .html view files, the role names are hard-coded for ROLE_VIEW, ROLE_CREATE, ROLE_MANAGE. Thus, it looks like my configuration will allow me to customize the authorization on the REST endpoints based on my LDAP group names, but I will not be able to do the same with the actual UI views. I think I have one option here, which would be to build/generate my own custom version of the UI, and bundle that with the spring-cloud-dataflow-server JAR instead of using the OOTB ui.

I'll have to weigh whether I really want to do that.

1 Answer

We don't yet have the direct mapping of LDAP AD Groups <-> SCDF Roles. We haven't had anyone from the community or customers ask for this integration, though. UAA backed OAuth turns out to be the popular choice in PCF so far.

That said, I created spring-cloud/spring-cloud-dataflow#2084 to track the support for group mapping. It could be trivial to implement it (Group vs. ROLE mapping in YAML and parsing logic in the backend code); I marked it for 1.5, but we may pick it up sooner for the 1.4 release next week.

I'd recommend not venturing into adjusting the UI code directly, though. Too much on the local fork and you'll have to maintain it.
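The group-to-role mapping the answer proposes (and that the question's REST rules work around) can be expressed as a Spring Security GrantedAuthoritiesMapper placed between the LDAP authorities populator and the rest of the server. The code below is an added example, not code from the question, the answer, or the spring-cloud-dataflow project. It assumes the mapping table is supplied as a Map (in practice it would be read from the YAML the answer mentions), and it leaves out how the mapper is wired into the SCDF server's LDAP provider, which depends on the server version. The group names are the ones from the question; the ROLE_APP_OTHERAPP_AUTHZ_MANAGE group in the sample is constructed to show an unrelated membership being dropped.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

/**
 * Maps the authorities Spring LDAP derives from AD group membership
 * (e.g. ROLE_APP_MYAPPLICATION_AUTHZ_VIEW) onto the fixed role names the
 * SCDF server and UI expect (ROLE_VIEW, ROLE_CREATE, ROLE_MANAGE).
 *
 * Added example; not part of spring-cloud-dataflow. The mapping table is
 * assumed to come from configuration (the YAML mapping the answer proposes).
 */
public class AdGroupToScdfRoleMapper implements GrantedAuthoritiesMapper {

    private final Map<String, String> groupToRole = new HashMap<>();

    public AdGroupToScdfRoleMapper(Map<String, String> mapping) {
        // Normalise keys once. DefaultLdapAuthoritiesPopulator upper-cases
        // group names and prefixes ROLE_ by default, which is why the
        // question's DEBUG output shows ROLE_APP_MYAPPLICATION_AUTHZ_*.
        for (Map.Entry<String, String> e : mapping.entrySet()) {
            groupToRole.put(e.getKey().toUpperCase(Locale.ROOT), e.getValue());
        }
    }

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        // Explicit allow-list: an AD group that is not in the table maps to
        // nothing, so unrelated group memberships never become SCDF roles.
        Set<GrantedAuthority> mapped = new LinkedHashSet<>();
        for (GrantedAuthority authority : authorities) {
            String role = groupToRole.get(authority.getAuthority().toUpperCase(Locale.ROOT));
            if (role != null) {
                mapped.add(new SimpleGrantedAuthority(role));
            }
        }
        return mapped;
    }

    public static void main(String[] args) {
        // Constructed sample mapping using the group names from the question.
        Map<String, String> mapping = new HashMap<>();
        mapping.put("ROLE_APP_MYAPPLICATION_AUTHZ_VIEW", "ROLE_VIEW");
        mapping.put("ROLE_APP_MYAPPLICATION_AUTHZ_CREATE", "ROLE_CREATE");
        mapping.put("ROLE_APP_MYAPPLICATION_AUTHZ_MANAGE", "ROLE_MANAGE");

        // Constructed sample of what the LDAP populator returned for one user:
        // two mapped groups and one unrelated group that must be dropped.
        List<SimpleGrantedAuthority> fromLdap = Arrays.asList(
            new SimpleGrantedAuthority("ROLE_APP_MYAPPLICATION_AUTHZ_VIEW"),
            new SimpleGrantedAuthority("ROLE_APP_MYAPPLICATION_AUTHZ_CREATE"),
            new SimpleGrantedAuthority("ROLE_APP_OTHERAPP_AUTHZ_MANAGE"));

        System.out.println(new AdGroupToScdfRoleMapper(mapping).mapAuthorities(fromLdap));
    }
}
```

Once the principal carries ROLE_VIEW, ROLE_CREATE and ROLE_MANAGE, the YAML rules can be written against those names and the hard-coded role checks in the UI views work unchanged, which avoids the UI fork the answer warns against. Keeping the mapping an explicit table rather than a pattern also means a new AD group grants nothing in SCDF until an administrator deliberately adds it.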