GitHub user prabhjyotsingh opened a pull request:
https://github.com/apache/zeppelin/pull/986
[Zeppelin 946] [WIP] Permissions not honoring group
### What is this PR for?
Error:
Insufficient privileges to write notebook.
Allowed users or roles: [admin, zeppelinWrite]
But the user randerson belongs to: [randerson]
It seems clear that user randerson isn't mapped to any roles, or groups
(even though he of course is a member of the zeppelinWrite group in AD and as a
result also part of the local admin Role). A TCPDUMP reveals that during login,
all of my group memberships are in fact returned during the ldap bind
operation. However, when I attempt to modify a notebook, a call is never made
to AD, to pull back my group memberships. It doesn't seem to look at my local
group memberships (/etc/group) either.
### What type of PR is it?
[Bug Fix]
### Todos
* [x] - fix for permissions not honoring group
* [x] - read roles from shiro.ini
* [x] - at times group name was displaying instead of user/principal name.
* [ ] - doc
### What is the Jira issue?
[ZEPPELIN-946](https://issues.apache.org/jira/browse/ZEPPELIN-946)
### How should this be tested?
Use one of the following settings for LDAP/AD in shiro.ini
```
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = userNameA
activeDirectoryRealm.systemPassword = passwordA
activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
activeDirectoryRealm.url = ldap://ldap.test.com:389
activeDirectoryRealm.groupRolesMap = "CN=aGroupName,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"group1"
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
# search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
ldapRealm.contextFactory.url = ldap://ldap.test.com:389
ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
[roles]
group1 = *
group2 = *
group3 = *
[urls]
/api/version = anon
#/** = anon
/** = authc
```
### Screenshots (if appropriate)
### Questions:
* Does the licenses files need update? no
* Is there breaking changes for older versions? no
* Does this needs documentation? no
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/prabhjyotsingh/incubator-zeppelin ZEPPELIN-946
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/986.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #986
----
commit 4194f931f723f22331c3931cb5811d79b1ad1a78
Author: Prabhjyot Singh <[email protected]>
Date: 2016-06-09T11:51:11Z
sometime it displays groupName instead of principal
commit e8f1f97756d325f3f01545b02e889808b809740a
Author: Prabhjyot Singh <[email protected]>
Date: 2016-06-09T11:51:48Z
fix for permissions not honoring group
commit ed54a92194bdb52bac2be0e16d9d27272b2379b1
Author: Prabhjyot Singh <[email protected]>
Date: 2016-06-09T18:06:00Z
read roles from shiro.ini
----
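The failure reported above, as an added example that is not part of the pull request or of Zeppelin's code: a write check that evaluates only the login name is compared with one that also includes roles derived from directory group membership through a `groupRolesMap`-style mapping. All function names, the sample group DNs and the DN normalisation are assumptions made for illustration.

```python
import re

def normalize_dn(dn):
    # Simplified comparison form (assumption): case-folded, no spaces around
    # commas. A real deployment should use a proper RFC 4514 DN parser.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_group_roles_map(value):
    """Parse '"<group DN>":"<role>"' pairs in the quoted form shown on the page.
    DNs contain commas, so the quotes, not commas, delimit each entry."""
    pairs = re.findall(r'"([^"]+)"\s*:\s*"([^"]+)"', value)
    return {normalize_dn(dn): role for dn, role in pairs}

def roles_for(member_of, group_roles):
    """Translate the group DNs returned by the directory into role names."""
    return {group_roles[normalize_dn(dn)] for dn in member_of
            if normalize_dn(dn) in group_roles}

def check_write(principal, roles, allowed):
    """Return (granted, entities); entities is everything the user counts as."""
    entities = {principal} | set(roles)
    return bool(entities & set(allowed)), entities

# Constructed sample data, modelled on the error text in the PR description.
GROUP_ROLES_MAP = ('"CN=zeppelinWrite,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":'
                   '"zeppelinWrite"')
MEMBER_OF = ["cn=zeppelinWrite, ou=groups, dc=SOME_GROUP, dc=COMPANY, dc=COM",
             "CN=Unmapped,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM"]
ALLOWED = {"admin", "zeppelinWrite"}

def demo():
    mapping = parse_group_roles_map(GROUP_ROLES_MAP)
    # Reported behaviour: only the login name is evaluated, so access is denied.
    before = check_write("randerson", set(), ALLOWED)
    # Expected behaviour: roles derived from group membership are included.
    after = check_write("randerson", roles_for(MEMBER_OF, mapping), ALLOWED)
    return before, after

if __name__ == "__main__":
    for label, (granted, entities) in zip(("principal only", "with roles"), demo()):
        print(f"{label}: granted={granted}, belongs to {sorted(entities)}")
```

Groups without an entry in the mapping contribute no role, so membership in an unmapped group never widens access.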