From 79a20846736ab7be4f6cb16b454eee985e343e8a Mon Sep 17 00:00:00 2001
From: Chuck Levesque
Date: Wed, 15 Nov 2023 16:52:24 -0500
Subject: [PATCH 1/4] ldap search filters - allow literal expression

Older implementation assumed all ldap filters end with "={0}" This newer implementation allows the user to craft any legal filter expression, including complex compound expressions, like ((&(member={0})(objectclass=posixgroup)(!(cn=admin))) above is example IPA group search filter for ECS 1.5.x
Signed-off-by: Chuck Levesque
---
 .../external_auth/external_auth_configs.j2 | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 roles/cloudera_manager/external_auth/external_auth_configs.j2
diff --git a/roles/cloudera_manager/external_auth/external_auth_configs.j2 b/roles/cloudera_manager/external_auth/external_auth_configs.j2
new file mode 100644
index 00000000..742d2a49
--- /dev/null
+++ b/roles/cloudera_manager/external_auth/external_auth_configs.j2
@@ -0,0 +1,37 @@
+{% if cloudera_manager_external_auth.external_only %}
+AUTH_BACKEND_ORDER: LDAP_ONLY
+{% elif cloudera_manager_external_auth.external_first %}
+AUTH_BACKEND_ORDER: LDAP_THEN_DB
+{% else %}
+AUTH_BACKEND_ORDER: DB_THEN_LDAP
+{% endif %}
+{% if cloudera_manager_external_auth.external_only %}
+AUTHORIZATION_BACKEND_ORDER: EXTERNAL_ONLY
+{% else %}
+AUTHORIZATION_BACKEND_ORDER: EXTERNAL_AND_DB
+{% endif %}
+LDAP_BIND_DN: {{ auth_provider.ldap_bind_user_dn | default(None) }}
+LDAP_BIND_PW: {{ auth_provider.ldap_bind_password | default(None) }}
+LDAP_DN_PATTERN: {{ auth_provider.ldap_dn_pattern | default(None) }}
+LDAP_GROUP_SEARCH_BASE: {{ auth_provider.ldap_search_base.group | default(None) }}
+{% if auth_provider.ldap_search_filter.group is defined %}
+LDAP_GROUP_SEARCH_FILTER: "({{ auth_provider.ldap_search_filter.group }}"
+{% else % }
+LDAP_GROUP_SEARCH_FILTER: "({{ auth_provider.ldap_attribute.member | default('member') }}={0})"
+{% endif %}
+LDAP_TYPE: {{ auth_provider.type | cloudera.cluster.to_ldap_type_enum | default(None) }}
+LDAP_URL: {{ auth_provider.ldap_url | default(None) }}
+LDAP_USER_SEARCH_BASE: {{ auth_provider.ldap_search_base.user | default(None) }}
+{% if auth_provider.ldap_search_filter.user is defined %}
+LDAP_USER_SEARCH_FILTER: "{{ auth_provider.ldap_search_filter.user }}"
+{% else % }
+LDAP_USER_SEARCH_FILTER: "({{ auth_provider.ldap_attribute.user | default('sAMAccountName') }}={0})"
+{% endif %}
+NT_DOMAIN: {{ auth_provider.domain | default(None) }}
+{% if cloudera_manager_version is version('7.1.0','>=') %}
+FRONTEND_URL: {{ frontend_url | default(None) }}
+PROXYUSER_KNOX_GROUPS: "{{ proxyuser_knox_groups | default('*') }}"
+PROXYUSER_KNOX_USERS: "{{ proxyuser_knox_users | default('*') }}"
+PROXYUSER_KNOX_HOSTS: "{{ proxyuser_knox_hosts | default('*') }}"
+PROXYUSER_KNOX_PRINCIPAL: "{{ proxyuser_knox_principal | default('knox') }}"
+{% endif %}
\ No newline at end of file
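Review bot: The literal filter on the new `LDAP_USER_SEARCH_FILTER` and `LDAP_GROUP_SEARCH_FILTER` lines is rendered verbatim with nothing checking that it still carries the `{0}` placeholder the default branch supplies; if Cloudera Manager substitutes the authenticating user there, as the default `={0}` form implies, a filter that omits it matches the same entries for every login. The commit message's own example, `((&(member={0})…)`, has an unmatched leading parenthesis, which is exactly the kind of slip this path passes straight through to CM. If the rendered file is parsed as YAML before being sent, the surrounding `"…"` also turns RFC 4515 backslash escapes such as `\2a` into YAML escapes; rendering the value as `LDAP_USER_SEARCH_FILTER: {{ auth_provider.ldap_search_filter.user | to_json }}` (and likewise for the group line) keeps it quoted and escaped correctly. A Jinja comment above each branch, `{# a literal filter is not validated: keep the {0} placeholder and balanced parentheses #}`, would document the contract until a role-level assert enforces it. The same lines recur in the patch 2 hunk of templates/external_auth_configs.j2.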
From 10e4845c5fda744f992b450f62d26c5a6ee0f7ef Mon Sep 17 00:00:00 2001
From: Chuck Levesque
Date: Mon, 4 Dec 2023 14:50:32 -0500
Subject: [PATCH 2/4] ldap search filters - allow literal expression

Older implementation assumed all ldap filters end with "={0}" This newer implementation allows the user to craft any legal filter expression, including complex compound expressions, like ((&(member={0})(objectclass=posixgroup)(!(cn=admin))) above is example IPA group search filter for ECS 1.5.x
Signed-off-by: Chuck Levesque
---
 .../external_auth/external_auth_configs.j2 | 37 -------------------
 .../templates/external_auth_configs.j2 | 8 ++++
 2 files changed, 8 insertions(+), 37 deletions(-)
 delete mode 100644 roles/cloudera_manager/external_auth/external_auth_configs.j2
diff --git a/roles/cloudera_manager/external_auth/external_auth_configs.j2 b/roles/cloudera_manager/external_auth/external_auth_configs.j2
deleted file mode 100644
index 742d2a49..00000000
--- a/roles/cloudera_manager/external_auth/external_auth_configs.j2
+++ /dev/null
@@ -1,37 +0,0 @@
-{% if cloudera_manager_external_auth.external_only %}
-AUTH_BACKEND_ORDER: LDAP_ONLY
-{% elif cloudera_manager_external_auth.external_first %}
-AUTH_BACKEND_ORDER: LDAP_THEN_DB
-{% else %}
-AUTH_BACKEND_ORDER: DB_THEN_LDAP
-{% endif %}
-{% if cloudera_manager_external_auth.external_only %}
-AUTHORIZATION_BACKEND_ORDER: EXTERNAL_ONLY
-{% else %}
-AUTHORIZATION_BACKEND_ORDER: EXTERNAL_AND_DB
-{% endif %}
-LDAP_BIND_DN: {{ auth_provider.ldap_bind_user_dn | default(None) }}
-LDAP_BIND_PW: {{ auth_provider.ldap_bind_password | default(None) }}
-LDAP_DN_PATTERN: {{ auth_provider.ldap_dn_pattern | default(None) }}
-LDAP_GROUP_SEARCH_BASE: {{ auth_provider.ldap_search_base.group | default(None) }}
-{% if auth_provider.ldap_search_filter.group is defined %}
-LDAP_GROUP_SEARCH_FILTER: "({{ auth_provider.ldap_search_filter.group }}"
-{% else % }
-LDAP_GROUP_SEARCH_FILTER: "({{ auth_provider.ldap_attribute.member | default('member') }}={0})"
-{% endif %}
-LDAP_TYPE: {{ auth_provider.type | cloudera.cluster.to_ldap_type_enum | default(None) }}
-LDAP_URL: {{ auth_provider.ldap_url | default(None) }}
-LDAP_USER_SEARCH_BASE: {{ auth_provider.ldap_search_base.user | default(None) }}
-{% if auth_provider.ldap_search_filter.user is defined %}
-LDAP_USER_SEARCH_FILTER: "{{ auth_provider.ldap_search_filter.user }}"
-{% else % }
-LDAP_USER_SEARCH_FILTER: "({{ auth_provider.ldap_attribute.user | default('sAMAccountName') }}={0})"
-{% endif %}
-NT_DOMAIN: {{ auth_provider.domain | default(None) }}
-{% if cloudera_manager_version is version('7.1.0','>=') %}
-FRONTEND_URL: {{ frontend_url | default(None) }}
-PROXYUSER_KNOX_GROUPS: "{{ proxyuser_knox_groups | default('*') }}"
-PROXYUSER_KNOX_USERS: "{{ proxyuser_knox_users | default('*') }}"
-PROXYUSER_KNOX_HOSTS: "{{ proxyuser_knox_hosts | default('*') }}"
-PROXYUSER_KNOX_PRINCIPAL: "{{ proxyuser_knox_principal | default('knox') }}"
-{% endif %}
\ No newline at end of file
diff --git a/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2 b/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2
index 18cf21d5..742d2a49 100644
--- a/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2
+++ b/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2
@@ -14,11 +14,19 @@ LDAP_BIND_DN: {{ auth_provider.ldap_bind_user_dn | default(None) }}
 LDAP_BIND_PW: {{ auth_provider.ldap_bind_password | default(None) }}
 LDAP_DN_PATTERN: {{ auth_provider.ldap_dn_pattern | default(None) }}
 LDAP_GROUP_SEARCH_BASE: {{ auth_provider.ldap_search_base.group | default(None) }}
+{% if auth_provider.ldap_search_filter.group is defined %}
+LDAP_GROUP_SEARCH_FILTER: "({{ auth_provider.ldap_search_filter.group }}"
+{% else % }
 LDAP_GROUP_SEARCH_FILTER: "({{ auth_provider.ldap_attribute.member | default('member') }}={0})"
+{% endif %}
 LDAP_TYPE: {{ auth_provider.type | cloudera.cluster.to_ldap_type_enum | default(None) }}
 LDAP_URL: {{ auth_provider.ldap_url | default(None) }}
 LDAP_USER_SEARCH_BASE: {{ auth_provider.ldap_search_base.user | default(None) }}
+{% if auth_provider.ldap_search_filter.user is defined %}
+LDAP_USER_SEARCH_FILTER: "{{ auth_provider.ldap_search_filter.user }}"
+{% else % }
 LDAP_USER_SEARCH_FILTER: "({{ auth_provider.ldap_attribute.user | default('sAMAccountName') }}={0})"
+{% endif %}
 NT_DOMAIN: {{ auth_provider.domain | default(None) }}
 {% if cloudera_manager_version is version('7.1.0','>=') %}
 FRONTEND_URL: {{ frontend_url | default(None) }}
From f296be50cf256c2bcf657f529f5f88bf5d0494c0 Mon Sep 17 00:00:00 2001
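Review bot: The `is defined` test on the two new `{% if auth_provider.ldap_search_filter.… is defined %}` lines also fires for a key that is present but empty or null, so an inventory that lists `ldap_search_filter` with blank values renders `LDAP_USER_SEARCH_FILTER: ""` instead of falling back to the attribute-based default. Testing the value rather than its presence, `{% if auth_provider.ldap_search_filter.user | default('', true) | length > 0 %}`, keeps the default for blank entries; the group branch needs the same change. Whether an empty filter is rejected downstream by Cloudera Manager or silently accepted is not visible here, so the template is the safer place to guard it.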
From: Chuck Levesque
Date: Mon, 4 Dec 2023 16:15:53 -0500
Subject: [PATCH 3/4] ldap search filters - allow literal expression

Older implementation assumed all ldap filters end with "={0}" This newer implementation allows the user to craft any legal filter expression, including complex compound expressions, like ((&(member={0})(objectclass=posixgroup)(!(cn=admin))) above is example IPA group search filter for ECS 1.5.x
Signed-off-by: Chuck Levesque
---
 .../external_auth/templates/external_auth_configs.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2 b/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2
index 742d2a49..5e1e353c 100644
--- a/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2
+++ b/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2
@@ -16,7 +16,7 @@ LDAP_DN_PATTERN: {{ auth_provider.ldap_dn_pattern | default(None) }}
 LDAP_GROUP_SEARCH_BASE: {{ auth_provider.ldap_search_base.group | default(None) }}
 {% if auth_provider.ldap_search_filter.group is defined %}
 LDAP_GROUP_SEARCH_FILTER: "({{ auth_provider.ldap_search_filter.group }}"
-{% else % }
+{% else %}
 LDAP_GROUP_SEARCH_FILTER: "({{ auth_provider.ldap_attribute.member | default('member') }}={0})"
 {% endif %}
 LDAP_TYPE: {{ auth_provider.type | cloudera.cluster.to_ldap_type_enum | default(None) }}
@@ -34,4 +34,4 @@ PROXYUSER_KNOX_GROUPS: "{{ proxyuser_knox_groups | default('*') }}"
 PROXYUSER_KNOX_USERS: "{{ proxyuser_knox_users | default('*') }}"
 PROXYUSER_KNOX_HOSTS: "{{ proxyuser_knox_hosts | default('*') }}"
 PROXYUSER_KNOX_PRINCIPAL: "{{ proxyuser_knox_principal | default('knox') }}"
-{% endif %}
\ No newline at end of file
+{% endif %}
From 5d2ed4722274e990d9f05b78fe42341fe3d67650 Mon Sep 17 00:00:00 2001
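Review bot: The `{% else % }` to `{% else %}` repair in the first hunk covers only the group branch at line 19; the user branch added by patch 2 (the `{% else % }` before the `LDAP_USER_SEARCH_FILTER` default, around line 27 of the file) keeps the malformed tag, so the template still fails to parse — Jinja does not accept `% }` as a block end, which is presumably why this line was changed. The same one-character fix, `{% else %}`, is needed there; patch 4 in this series does not touch it either. A quick `ansible-playbook --syntax-check` does not render templates, so this only surfaces at run time.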
From: Chuck Levesque
Date: Tue, 5 Dec 2023 15:20:25 -0500
Subject: [PATCH 4/4] ldap search filters - allow literal expression

Older implementation assumed all ldap filters end with "={0}" This newer implementation allows the user to craft any legal filter expression, including complex compound expressions, like ((&(member={0})(objectclass=posixgroup)(!(cn=admin))) above is example IPA group search filter for ECS 1.5.x
Signed-off-by: Chuck Levesque
---
 .../external_auth/templates/external_auth_configs.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2 b/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2
index 5e1e353c..da50dbaf 100644
--- a/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2
+++ b/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2
@@ -15,7 +15,7 @@ LDAP_BIND_PW: {{ auth_provider.ldap_bind_password | default(None) }}
 LDAP_DN_PATTERN: {{ auth_provider.ldap_dn_pattern | default(None) }}
 LDAP_GROUP_SEARCH_BASE: {{ auth_provider.ldap_search_base.group | default(None) }}
 {% if auth_provider.ldap_search_filter.group is defined %}
-LDAP_GROUP_SEARCH_FILTER: "({{ auth_provider.ldap_search_filter.group }}"
+LDAP_GROUP_SEARCH_FILTER: "{{ auth_provider.ldap_search_filter.group }}"
 {% else %}
 LDAP_GROUP_SEARCH_FILTER: "({{ auth_provider.ldap_attribute.member | default('member') }}={0})"
 {% endif %}