GitHub user sohaibiftikhar opened a pull request:
https://github.com/apache/zeppelin/pull/2354
Allow group/role based authentication using LdapRealm [ZEPPELIN-2539]
### What is this PR for?
Currently allowing authentication for selected roles/groups of an LDAP
realm is not possible. The LDAPRealm allows for mapping of roles to groups but
only allows authorization on URLs with respect to groups. No group based checks
are carried out during authentication. This PR allows for group based
authentication using LdapRealm.
### What type of PR is it?
[Improvement]
### Todos
* [ ] - Merge #932 - This PR also merges changes from 932 so that needs to
be merged first.
### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-2539
### How should this be tested?
Build and configure `shiro.ini` to use the LdapRealm and verify that the
realm works as before along with the added functionality of allowing only
certain user groups for authentication if the `allowedRolesForAuthentication`
config is set in the init. If this configuration is absent, authentication
should work as before without verifying roles. A sample shiro.ini is pasted
here for testing purposes.
```
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.userDnTemplate = uid={0},ou=people,dc=my-company,dc=net
ldapRealm.searchBase = dc=my-company,dc=net
ldapRealm.userSearchBase = ou=people,dc=my-company,dc=net
ldapRealm.groupSearchBase = ou=groups,dc=my-company,dc=net
ldapRealm.contextFactory.url = ldaps://auth.my-company.net:636
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.userObjectClass = posixAccount
ldapRealm.groupObjectClass = posixGroup
ldapRealm.authorizationEnabled = true
ldapRealm.memberAttribute = memberUid
ldapRealm.memberAttributeValueTemplate=uid={0},ou=people,dc=my-company,dc=net
ldapRealm.rolesByGroup = GLOBAL_ADMINS:admin,HKG_USERS:user
ldapRealm.allowedRolesForAuthentication = admin,user
ldapRealm.userSearchAttributeName = uid
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
shiro.loginUrl = /api/login
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
securityManager.realms = $ldapRealm
[urls]
/api/version = anon
/api/login = authc
/api/login/logout = authc
/** = authc, roles[admin,user]
```
### Screenshots (if appropriate)
### Questions:
* Do the license files need an update? No
* Are there breaking changes for older versions? No
* Does this need documentation? Y (documentation updated in PR)
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/sohaibiftikhar/zeppelin ldaprealm
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/2354.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2354
----
commit 9eef80cb71bd7f456145830eca59a635b4627b83
Author: Eric Charles <[email protected]>
Date: 2016-05-30T15:50:51Z
Replace CXF with Jersey2
commit dbac7d9cafc9d8496455b382949106fd94b9fc65
Author: Eric Charles <[email protected]>
Date: 2016-05-30T15:55:37Z
Fix code style
commit d149a728eba1cbc2fd7ae2ee016cb71510286279
Author: Eric Charles <[email protected]>
Date: 2016-05-30T16:13:53Z
Ensure dependency convergence
commit 99e45025b3a829b91b4532ea5dbba68ad7aa77b5
Author: Eric Charles <[email protected]>
Date: 2016-06-02T09:21:39Z
Merge branch 'master' into jersey2
commit a7b7a871c9627721e3ddfa6469aa670f08f87bc0
Author: Eric Charles <[email protected]>
Date: 2016-06-02T11:27:41Z
Remove remaining jersey1 dep
commit f25b695b2c9ee1343a9e59a2a65584ac95c79a6f
Author: Eric Charles <[email protected]>
Date: 2016-06-14T09:47:56Z
Merge branch 'master' into jersey2
commit 326819d0bbf89d30b1fcf9cdd2dd20c1e11e7769
Author: Eric Charles <[email protected]>
Date: 2016-08-02T05:53:35Z
Merge branch 'master' into jersey2
Conflicts:
zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
commit 82d98672f2dc230e60b1dc2effbb6bfe83183f21
Author: Eric Charles <[email protected]>
Date: 2016-08-02T11:39:40Z
merge with master
commit 587d3660a8857c169b7df411c43b2988ef21de8b
Author: Eric Charles <[email protected]>
Date: 2016-08-02T11:56:34Z
Document jersey 2 license
commit 7dafe84131d50659bdbd1b79efc622132644b574
Author: Eric Charles <[email protected]>
Date: 2016-08-05T12:49:32Z
Merge branch 'master' into jersey2
Conflicts:
zeppelin-server/src/test/java/org/apache/zeppelin/socket/TestHttpServletRequest.java
commit 0634977a896ea63b3b3a0d48716fa74761aa61bd
Author: Eric Charles <[email protected]>
Date: 2016-08-05T13:20:15Z
Add more licenses
commit c42d40c9b5b1b1162ba8217494aad0ecc6bab7e1
Author: Eric Charles <[email protected]>
Date: 2016-08-17T14:46:27Z
Move LICENSE-jersey-2 to zeppelin-distribution/src/bin_license
commit d39c5aa092e6a7a866755ccc54f7ccfaba51402a
Author: Eric Charles <[email protected]>
Date: 2016-08-26T13:29:56Z
Merge branch 'master' into jersey2
Conflicts:
zeppelin-server/pom.xml
commit 2881e5acbd84ac3582d223123032e97f3ef17c2f
Author: Eric Charles <[email protected]>
Date: 2016-08-26T14:14:36Z
CDDL2 does not exist + get rid of javax.annotation released under JDL, it
is shipped in JRE
commit 1344a20d028d1182b7d7637755e5b04e35047411
Author: Eric Charles <[email protected]>
Date: 2016-09-12T15:39:11Z
Merge branch 'master' into jersey2
commit ebe7ebb336f182581df5e2c5d7df01308f88b367
Author: Eric Charles <[email protected]>
Date: 2017-03-18T11:23:13Z
Automatic message for commit of Saturday 18 March 2017, 11:23:13 (UTC+0000)
commit 39543dec69555ec9968175ad6f8a36dcb7a28ae0
Author: Eric Charles <[email protected]>
Date: 2017-03-25T13:03:02Z
Merge branch 'master' of https://github.com/apache/zeppelin
commit c908697ecd1846e44c0f380a1eb421925d4533bf
Author: Eric Charles <[email protected]>
Date: 2017-03-25T14:10:57Z
merge with master
commit 01dcc0967746a6e0fee5d9279fe0a60023a6d987
Author: Eric Charles <[email protected]>
Date: 2017-03-25T14:29:59Z
revert back to scala 2.10
commit ff04acaa7a6bfbc0112c19b5655142d7ef5b914d
Author: Eric Charles <[email protected]>
Date: 2017-04-06T13:00:05Z
clean merged content in LICENSE file
commit a5caf26b72744913fea36905fb295f9d2c5b5697
Author: Eric Charles <[email protected]>
Date: 2017-04-09T06:09:42Z
Merge branch 'master' into jersey2
commit 851dd576378c695439b168d027a8948e6f16ffc6
Author: Eric Charles <[email protected]>
Date: 2017-04-16T08:11:05Z
Merge branch 'master' into jersey2
commit 71c93b82199a4d2bd8f2b5d87171982e4bcc76e4
Author: Eric Charles <[email protected]>
Date: 2017-04-16T08:22:28Z
rename local cxfContext variable
commit 62140765d7eb09ee3c6ce8813a52cf0842a2197d
Author: Eric Charles <[email protected]>
Date: 2017-04-18T15:50:50Z
Merge branch 'master' into jersey2
commit 0099da58819d2e009abc01d4cee74aaa9a4d6234
Author: Eric Charles <[email protected]>
Date: 2017-04-23T16:56:57Z
Merge branch 'master' into jersey2
commit 624fc2510d8b02e220d5f448562d737dc0ab21a3
Author: Eric Charles <[email protected]>
Date: 2017-05-03T10:22:53Z
Merge branch 'master' into jersey2
commit 767f15a69e1b70d9561e1a1f59d385309e653a1e
Author: Eric Charles <[email protected]>
Date: 2017-05-04T07:19:13Z
Merge branch 'master' into jersey2
commit a037c54c03316b4bb1e5d2a072c470811a50d446
Author: Sohaib Iftikhar <[email protected]>
Date: 2017-05-19T12:55:40Z
Merge branch 'jersey2' of https://github.com/datalayer/zeppelin
commit 839680535eb74d2ff4948f8e0a685ec29117f54d
Author: Sohaib Iftikhar <[email protected]>
Date: 2017-05-19T13:04:18Z
Added role based authentication (not to be confused with authorization) for
shiro
----
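The login gate described in "How should this be tested?", modelled as a stand-alone added example; this is not code from the pull request or from Zeppelin's `LdapRealm`. The class and method names are hypothetical, group-to-role lookup is by exact group name, and it is an assumption that holding any one listed role is enough to pass the gate.

```java
import java.util.*;

// Added illustration only: a stand-alone model of the login gate, not Zeppelin's LdapRealm code.
public class AuthGateDemo {
    // Parse "GROUP:role,GROUP:role" as used by ldapRealm.rolesByGroup in the sample shiro.ini.
    static Map<String, String> parseRolesByGroup(String value) {
        Map<String, String> map = new HashMap<>();
        for (String pair : value.split(",")) {
            String[] kv = pair.trim().split(":", 2);
            if (kv.length == 2) map.put(kv[0].trim(), kv[1].trim());
        }
        return map;
    }

    // Parse allowedRolesForAuthentication; null or blank yields an empty set, meaning "not set".
    static Set<String> parseAllowedRoles(String value) {
        Set<String> roles = new HashSet<>();
        if (value == null) return roles;
        for (String r : value.split(",")) {
            if (!r.trim().isEmpty()) roles.add(r.trim());
        }
        return roles;
    }

    // Hypothetical helper: decide whether a user whose LDAP bind already succeeded may log in.
    // ldapGroups stands for the group names an LDAP group search returned for that user.
    static boolean mayAuthenticate(Set<String> ldapGroups, Map<String, String> rolesByGroup,
                                   Set<String> allowedRoles) {
        if (allowedRoles.isEmpty()) return true;   // setting absent: as before, no role gate
        for (String g : ldapGroups) {
            String role = rolesByGroup.get(g);
            if (role != null && allowedRoles.contains(role)) return true; // assumed any-of match
        }
        return false;                              // valid credentials, but no permitted role
    }

    public static void main(String[] args) {
        Map<String, String> rolesByGroup = parseRolesByGroup("GLOBAL_ADMINS:admin,HKG_USERS:user");
        Set<String> gateSet = parseAllowedRoles("admin,user");
        Set<String> gateUnset = parseAllowedRoles(null);
        // Constructed group memberships for two test accounts.
        Set<String> analyst = Collections.singleton("HKG_USERS");
        Set<String> contractor = Collections.singleton("CONTRACTORS");
        System.out.println("analyst, gate set: " + mayAuthenticate(analyst, rolesByGroup, gateSet));
        System.out.println("contractor, gate set: " + mayAuthenticate(contractor, rolesByGroup, gateSet));
        System.out.println("contractor, gate unset: " + mayAuthenticate(contractor, rolesByGroup, gateUnset));
    }
}
```

The `[urls]` rule `roles[admin,user]` in the sample is evaluated separately from this gate: Shiro's stock `roles` filter requires every listed role, so an account that passes login with only `user` is still checked against both roles there.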