KNOX-3328: Implement recursive group resolution for LDAP proxy

.github/workflows/build/Dockerfile.local

@@ -60,6 +60,7 @@ ADD conf/topologies/knoxtoken.xml /knox-runtime/conf/topologies/knoxtoken.xml
 ADD conf/topologies/health.xml /knox-runtime/conf/topologies/health.xml
 ADD conf/topologies/knoxldap.xml /knox-runtime/conf/topologies/knoxldap.xml
 ADD conf/topologies/remoteauth.xml /knox-runtime/conf/topologies/remoteauth.xml
+ADD conf/users.ldif /knox-runtime/conf/users.ldif
 
 
 RUN chown -R gateway /knox-runtime/

.github/workflows/build/conf/topologies/knoxldap.xml

@@ -35,7 +35,7 @@ limitations under the License.
 			</param>
 			<param>
 				<name>main.ldapRealm.contextFactory.url</name>
-				<value>ldap://ldap:33389</value>
+				<value>ldap://localhost:33389</value>
 			</param>
 			<param>
 				<name>main.ldapRealm.contextFactory.authenticationMechanism</name>

.github/workflows/build/conf/users.ldif

@@ -0,0 +1,86 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+
+dn: dc=hadoop,dc=apache,dc=org
+objectclass: organization
+objectclass: dcObject
+o: Hadoop at Apache.org
+dc: hadoop
+description: Makers of Hadoop
+
+# entry for the people container
+dn: ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: people
+
+# entry for group container
+dn: ou=groups,dc=hadoop,dc=apache,dc=org
+objectClass: top
+objectClass: organizationalUnit
+ou: groups
+
+dn: cn=group1,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:groupOfNames
+cn: group1
+member: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
+
+dn: cn=group2,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:groupOfNames
+cn: group2
+member: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
+
+dn: cn=recursive-leaf,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:groupOfNames
+cn: recursive-leaf
+member: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
+
+dn: cn=recursive-mid,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:groupOfNames
+cn: recursive-mid
+member: cn=recursive-leaf,ou=groups,dc=hadoop,dc=apache,dc=org
+
+dn: cn=recursive-top,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:groupOfNames
+cn: recursive-top
+member: cn=recursive-mid,ou=groups,dc=hadoop,dc=apache,dc=org
+
+dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: Guest
+sn: User
+uid: guest
+userPassword:guest-password
+
+dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: Admin
+sn: User
+uid: admin
+userPassword:admin-password

.github/workflows/build/gateway-site.xml

@@ -160,4 +160,60 @@ limitations under the License.
         <value>max-age=300; includeSubDomains</value>
     </property>
 
+    <!-- KnoxLDAP Service Configuration -->
+    <property>
+        <name>gateway.ldap.enabled</name>
+        <value>true</value>
+    </property>
+    <property>
+        <name>gateway.ldap.port</name>
+        <value>33389</value>
+    </property>
+    <property>
+        <name>gateway.ldap.base.dn</name>
+        <value>dc=hadoop,dc=apache,dc=org</value>
+    </property>
+    <property>
+        <name>gateway.ldap.backend.type</name>
+        <value>ldap</value>
+    </property>
+    <property>
+        <name>gateway.ldap.recursive.group.resolution</name>
+        <value>true</value>
+    </property>
+    <property>
+        <name>gateway.ldap.group.max.depth</name>
+        <value>10</value>
+    </property>
+
+    <!-- LDAP Backend specific configuration (proxying to demo ldap) -->
+    <property>
+        <name>gateway.ldap.backend.ldap.url</name>
+        <value>ldap://ldap:33389</value>
+    </property>
+    <property>
+        <name>gateway.ldap.backend.ldap.remoteBaseDn</name>
+        <value>dc=hadoop,dc=apache,dc=org</value>
+    </property>
+    <property>
+        <name>gateway.ldap.backend.ldap.systemUsername</name>
+        <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
+    </property>
+    <property>
+        <name>gateway.ldap.backend.ldap.systemPassword</name>
+        <value>guest-password</value>
+    </property>
+    <property>
+        <name>gateway.ldap.backend.ldap.userSearchBase</name>
+        <value>ou=people,dc=hadoop,dc=apache,dc=org</value>
+    </property>
+    <property>
+        <name>gateway.ldap.backend.ldap.groupSearchBase</name>
+        <value>ou=groups,dc=hadoop,dc=apache,dc=org</value>
+    </property>
+    <property>
+        <name>gateway.ldap.backend.ldap.groupMemberAttribute</name>
+        <value>member</value>
+    </property>
+
 </configuration>

.github/workflows/tests/test_knox_auth_service_and_LDAP.py

@@ -53,6 +53,17 @@ def test_auth_service_guest(self):
         self.assertEqual(response.headers[actor_id_header], 'guest')
         print(f"Verified {actor_id_header}: {response.headers[actor_id_header]}")
 
+        # Check for groups (recursive)
+        prefix = 'x-knox-actor-groups'
+        all_groups = collect_actor_group_values(response, prefix=prefix)
+        self.assertTrue(len(all_groups) > 0, f"No headers found starting with {prefix}")
+
+        expected_groups = ['group1', 'group2', 'recursive-leaf', 'recursive-mid', 'recursive-top']
+        print(f"Found groups: {all_groups}")
+        for group in expected_groups:
+            self.assertIn(group, all_groups)
+        print(f"Verified all expected recursive groups for guest")
+
     def test_auth_service_admin_groups(self):
         """
         Verify that admin user gets actor ID and group headers.

gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java

@@ -1764,6 +1764,16 @@ public String getLDAPBackendDataFile() {
     return getGatewayDataDir() + File.separator + "ldap-users.json";
   }
 
+  @Override
+  public boolean isLDAPRecursiveGroupResolutionEnabled() {
+    return Boolean.parseBoolean(get(LDAP_RECURSIVE_GROUP_RESOLUTION, "false"));
+  }
+
+  @Override
+  public int getLDAPGroupMaxDepth() {
+    return Integer.parseInt(get(LDAP_GROUP_MAX_DEPTH, "10"));
+  }
+
   @Override
   public Set<String> getPropertyNames() {
     Set<String> names = new HashSet<>();

gateway-server/src/main/java/org/apache/knox/gateway/services/ldap/KnoxLDAPServerManager.java

@@ -153,6 +153,10 @@ public void start() throws Exception {
     public void stop() throws Exception {
         LOG.ldapServiceStopping(port);
 
+        if (backend != null) {
+            backend.close();
+        }
+
         if (ldapServer != null) {
             try {
                 ldapServer.stop();

gateway-server/src/main/java/org/apache/knox/gateway/services/ldap/KnoxLDAPService.java

@@ -61,6 +61,8 @@ public void init(GatewayConfig config, Map<String, String> options) throws Servi
 
             // Add common configuration
             backendConfig.put("baseDn", baseDn);
+            backendConfig.put("recursiveGroupResolution", String.valueOf(config.isLDAPRecursiveGroupResolutionEnabled()));
+            backendConfig.put("groupMaxDepth", String.valueOf(config.getLDAPGroupMaxDepth()));
 
             // Add legacy dataFile property for backwards compatibility with file backend
             if ("file".equalsIgnoreCase(backendType) && !backendConfig.containsKey("dataFile")) {

gateway-server/src/main/java/org/apache/knox/gateway/services/ldap/backend/FileBackend.java

@@ -141,4 +141,9 @@ public List<Entry> searchUsers(String filter, SchemaManager schemaManager) throw
 
         return results;
     }
+
+    @Override
+    public void close() {
+        //NOP
+    }
 }

gateway-server/src/main/java/org/apache/knox/gateway/services/ldap/backend/LdapBackend.java

@@ -65,4 +65,9 @@ public interface LdapBackend {
      * @return List of matching entries
      */
     List<Entry> searchUsers(String filter, SchemaManager schemaManager) throws Exception;
+
+    /**
+     * Closing underlying resources on the backend, if any
+     */
+    void close();
 }