GitHub user gss2002 reopened a pull request:
https://github.com/apache/zeppelin/pull/1614
ZEPPELIN-1472 - Create new LdapRealm based on Apache Knox LdapRealm:
Provides LdapRealm Functionality similar to Apache Knox
### What is this PR for?
ZEPPELIN-1472 - Create new LdapRealm based on Apache Knox LdapRealm:
Provides LdapRealm functionality similar to what Apache Knox provides. This is
critical, as in large enterprise environments Active Directory Global Catalogs
are used for lookup with samAccountName, and using a DN Template is not an
option as there are multiple OUs. Also, searching on "userPrincipalName" is
risky in an AD environment since the explicit UPN vs. implicit UPN can be
different; this is definitely the case with environments using Office 365. And
the LDAP userPrincipalName attribute is the explicit UPN, which can be defined
by the directory administrator to any value and can be duplicated.
SamAccountName is unique per domain, and Microsoft states best practice is to
not allow duplicate samAccountNames across the forest.
In addition to the above changes I have adjusted and moved the
LdapGroupRealm and ActiveDirectoryGroupRealm into the org.apache.zeppelin.realm
package structure to make all Realms consistent.
The LdapRealm class also works with role to group mapping for usage within
Zeppelin for notebook authorization.
I have adjusted SecurityUtils to use className vs. realmName in determining
what to use, as you may have companies that decide to use their own custom
realmName in shiro.ini and may not realize you cannot, so using className is
much safer.
Example - SecurityUtils:

```java
// Dispatch on the realm's class name, not on the name it was given in shiro.ini
String name = realm.getClass().getName();
if (name.equals("org.apache.shiro.realm.text.IniRealm")) {
  allRoles = ((IniRealm) realm).getIni().get("roles");
  break;
} else if (name.equals("org.apache.zeppelin.realm.LdapRealm")) {
  allRoles = ((LdapRealm) realm).getListRoles();
  break;
}
```
Example - SecurityRestApi:

```java
String name = realm.getClass().getName();
if (LOG.isDebugEnabled()) {
  LOG.debug("RealmClass.getName: " + name);
}
if (name.equals("org.apache.shiro.realm.text.IniRealm")) {
  usersList.addAll(getUserListObj.getUserList((IniRealm) realm));
  rolesList.addAll(getUserListObj.getRolesList((IniRealm) realm));
} else if (name.equals("org.apache.zeppelin.realm.LdapGroupRealm")) {
  usersList.addAll(getUserListObj.getUserList((JndiLdapRealm) realm, searchText));
} else if (name.equals("org.apache.zeppelin.realm.LdapRealm")) {
  usersList.addAll(getUserListObj.getUserList((LdapRealm) realm, searchText));
  rolesList.addAll(getUserListObj.getRolesList((LdapRealm) realm));
} else if (name.equals("org.apache.zeppelin.realm.ActiveDirectoryGroupRealm")) {
  usersList.addAll(getUserListObj.getUserList((ActiveDirectoryGroupRealm) realm, searchText));
} else if (name.equals("org.apache.shiro.realm.jdbc.JdbcRealm")) {
  usersList.addAll(getUserListObj.getUserList((JdbcRealm) realm));
}
```
Please see feedback from previous PRs related to this JIRA:
https://github.com/apache/zeppelin/pull/1513
### What type of PR is it?
[Improvement]
### Todos
* [ ] - Task
### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-1472
### How should this be tested?
Update shiro.ini to use configuration similar to below:
```ini
# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
ldapADGCRealm = org.apache.zeppelin.realm.LdapRealm
ldapADGCRealm.contextFactory.systemUsername = CN=hdplookup,OU=hadoop,DC=hdpusr,DC=senia,DC=org
ldapADGCRealm.contextFactory.systemPassword = ldapBindPassword
ldapADGCRealm.searchBase = dc=hdpusr,dc=senia,dc=org
ldapADGCRealm.userSearchBase = dc=hdpusr,dc=senia,dc=org
ldapADGCRealm.groupSearchBase = dc=hdpusr,dc=senia,dc=org
ldapADGCRealm.authorizationEnabled = true
ldapADGCRealm.contextFactory.url = ldap://seniadc1.hdpusr.senia.org:3268
ldapADGCRealm.userSearchAttributeName = sAMAccountName
ldapADGCRealm.contextFactory.authenticationMechanism = simple
ldapADGCRealm.groupObjectClass = group
ldapADGCRealm.memberAttribute = member
ldapADGCRealm.rolesByGroup = hdpeng: admin, \
    hadoopusers: user
securityManager.realms = $ldapADGCRealm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
# 'admin' role has all permissions, indicated by the wildcard '*'
admin = *
user = *

[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# authc means Form based Auth Security
# To enforce security, comment the line below and uncomment the next one
#/api/version = anon
#/** = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/login = authc
/api/login/logout = authc
/api/security/ticket = authc
/** = authc, roles[admin, user]
```
### Screenshots (if appropriate)
### Questions:
* Does the licenses files need update? n
* Is there breaking changes for older versions? n
* Does this needs documentation? y
merge latest commits
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/gss2002/zeppelin ZEPPELIN-1472
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/1614.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1614
----
commit 1702cc52c23aa0e20bf1b11ebb3ecce279efe3a1
Author: gss2002 <[email protected]>
Date: 2016-11-08T16:26:11Z
Merge pull request #1 from apache/master
merge latest commits
commit 635deb3398fded9811c05caa688ba950ba7e8d1b
Author: gss2002 <[email protected]>
Date: 2016-11-08T18:14:46Z
ZEPPELIN-1472 - LdapRealm Additions based on Knox LdapRealm and support
of using roles with LdapRealms. Also adjusted to use className and not the
actual name of the realm in shiro.ini, as using realmName in code could
cause problems for people who want to use alternate names. Also migrated
the LdapGroupRealm and ActiveDirectoryRealm to org.apache.zeppelin.realm
packages per a recommendation.
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
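The authorization flow that the shiro.ini in this PR configures (find the user by sAMAccountName under userSearchBase, collect the entries of groupObjectClass whose memberAttribute holds the user's DN, then translate group names to Zeppelin roles through rolesByGroup), sketched in Python as an added illustration; it is not part of the PR or of Zeppelin's LdapRealm. It runs against a constructed in-memory directory in place of a live AD global catalog, and the `escape_filter_value` helper is a hypothetical addition showing how the username should be escaped before it is placed in the search filter.

```python
import re
# Constructed sample directory (not real data) shaped like the AD the PR's shiro.ini targets.
SAMPLE_DIR = {
    "CN=alice,OU=hadoop,DC=hdpusr,DC=senia,DC=org": {
        "objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=bob,OU=hadoop,DC=hdpusr,DC=senia,DC=org": {
        "objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=hdpeng,OU=groups,DC=hdpusr,DC=senia,DC=org": {
        "objectClass": ["group"], "cn": ["hdpeng"],
        "member": ["CN=alice,OU=hadoop,DC=hdpusr,DC=senia,DC=org"]},
    "CN=hadoopusers,OU=groups,DC=hdpusr,DC=senia,DC=org": {
        "objectClass": ["group"], "cn": ["hadoopusers"],
        "member": ["CN=alice,OU=hadoop,DC=hdpusr,DC=senia,DC=org",
                   "CN=bob,OU=hadoop,DC=hdpusr,DC=senia,DC=org"]},
}

def parse_roles_by_group(value):
    """Parse the rolesByGroup value, honouring shiro.ini's backslash line continuation."""
    mapping = {}
    for pair in value.replace("\\\n", "").split(","):
        if pair.strip():
            group, role = (p.strip() for p in pair.split(":", 1))
            mapping[group] = role
    return mapping

def escape_filter_value(value):
    """RFC 4515 escaping (hypothetical helper): a typed username must not alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_user_filter(username, attr="sAMAccountName"):
    # The userSearchAttributeName lookup filter sent under userSearchBase.
    return "(%s=%s)" % (attr, escape_filter_value(username))

def find_user_dn(directory, username, attr="sAMAccountName"):
    for dn, attrs in directory.items():  # the server matches the attribute exactly
        if attrs.get(attr) == [username]:
            return dn
    return None

def roles_for_user(directory, username, roles_by_group,
                   group_object_class="group", member_attribute="member"):
    """User DN -> groups (groupObjectClass/memberAttribute) -> roles (rolesByGroup)."""
    user_dn = find_user_dn(directory, username)
    if user_dn is None:
        return set()
    return {roles_by_group[cn]
            for attrs in directory.values()
            if group_object_class in attrs.get("objectClass", [])
            and user_dn in attrs.get(member_attribute, [])
            for cn in attrs.get("cn", []) if cn in roles_by_group}
```

A group that is not listed in rolesByGroup contributes no role, so a user who is only in unmapped groups authenticates but ends up with an empty role set and is rejected by the `roles[...]` filters in `[urls]`.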