GitHub user sohaibiftikhar opened a pull request: https://github.com/apache/zeppelin/pull/2354
Allow group/role based authentication using LdapRealm [ZEPPELIN-2539]

### What is this PR for?
Currently allowing authentication for selected roles/groups of an LDAP realm is not possible. The LDAPRealm allows for mapping of roles to groups but only allows authorization on URLs with respect to groups. No group based checks are carried out during authentication. This PR allows for group based authentication using LdapRealm.

### What type of PR is it?
[Improvement]

### Todos
* [ ] Merge #932 - This PR also merges changes from 932 so that needs to be merged first.

### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-2539

### How should this be tested?
Build and configure `shiro.ini` to use the LdapRealm and verify that the realm works as before, along with the added functionality of allowing only certain user groups to authenticate if the `allowedRolesForAuthentication` config is set in the init. If this configuration is absent, authentication should work as before without verifying roles. A sample shiro.ini is pasted here for testing purposes.
```
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.userDnTemplate = uid={0},ou=people,dc=my-company,dc=net
ldapRealm.searchBase = dc=my-company,dc=net
ldapRealm.userSearchBase = ou=people,dc=my-company,dc=net
ldapRealm.groupSearchBase = ou=groups,dc=my-company,dc=net
ldapRealm.contextFactory.url = ldaps://auth.my-company.net:636
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.userObjectClass = posixAccount
ldapRealm.groupObjectClass = posixGroup
ldapRealm.authorizationEnabled = true
ldapRealm.memberAttribute = memberUid
ldapRealm.memberAttributeValueTemplate = uid={0},ou=people,dc=my-company,dc=net
ldapRealm.rolesByGroup = GLOBAL_ADMINS:admin,HKG_USERS:user
ldapRealm.allowedRolesForAuthentication = admin,user
ldapRealm.userSearchAttributeName = uid

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
shiro.loginUrl = /api/login
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
securityManager.realms = $ldapRealm

[urls]
/api/version = anon
/api/login = authc
/api/login/logout = authc
/** = authc, roles[admin,user]
```

### Screenshots (if appropriate)

### Questions:
* Do the license files need updating? No
* Are there breaking changes for older versions? No
* Does this need documentation? Y (documentation updated in PR)

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/sohaibiftikhar/zeppelin ldaprealm

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/2354.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #2354

----
commit 9eef80cb71bd7f456145830eca59a635b4627b83
Author: Eric Charles <e...@datalayer.io>
Date:   2016-05-30T15:50:51Z
    Replace CXF with Jersey2

commit dbac7d9cafc9d8496455b382949106fd94b9fc65
Author: Eric Charles <e...@datalayer.io>
Date:   2016-05-30T15:55:37Z
    Fix code style

commit d149a728eba1cbc2fd7ae2ee016cb71510286279
Author: Eric Charles <e...@datalayer.io>
Date:   2016-05-30T16:13:53Z
    Ensure dependency convergence

commit 99e45025b3a829b91b4532ea5dbba68ad7aa77b5
Author: Eric Charles <e...@datalayer.io>
Date:   2016-06-02T09:21:39Z
    Merge branch 'master' into jersey2

commit a7b7a871c9627721e3ddfa6469aa670f08f87bc0
Author: Eric Charles <e...@datalayer.io>
Date:   2016-06-02T11:27:41Z
    Remove remaining jersey1 dep

commit f25b695b2c9ee1343a9e59a2a65584ac95c79a6f
Author: Eric Charles <e...@datalayer.io>
Date:   2016-06-14T09:47:56Z
    Merge branch 'master' into jersey2

commit 326819d0bbf89d30b1fcf9cdd2dd20c1e11e7769
Author: Eric Charles <e...@datalayer.io>
Date:   2016-08-02T05:53:35Z
    Merge branch 'master' into jersey2
    Conflicts:
        zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java

commit 82d98672f2dc230e60b1dc2effbb6bfe83183f21
Author: Eric Charles <e...@datalayer.io>
Date:   2016-08-02T11:39:40Z
    merge with master

commit 587d3660a8857c169b7df411c43b2988ef21de8b
Author: Eric Charles <e...@datalayer.io>
Date:   2016-08-02T11:56:34Z
    Document jersey 2 license

commit 7dafe84131d50659bdbd1b79efc622132644b574
Author: Eric Charles <e...@datalayer.io>
Date:   2016-08-05T12:49:32Z
    Merge branch 'master' into jersey2
    Conflicts:
        zeppelin-server/src/test/java/org/apache/zeppelin/socket/TestHttpServletRequest.java

commit 0634977a896ea63b3b3a0d48716fa74761aa61bd
Author: Eric Charles <e...@datalayer.io>
Date:   2016-08-05T13:20:15Z
    Add more licenses

commit c42d40c9b5b1b1162ba8217494aad0ecc6bab7e1
Author: Eric Charles <e...@datalayer.io>
Date:   2016-08-17T14:46:27Z
    Move LICENSE-jersey-2 to zeppelin-distribution/src/bin_license

commit d39c5aa092e6a7a866755ccc54f7ccfaba51402a
Author: Eric Charles <e...@datalayer.io>
Date:   2016-08-26T13:29:56Z
    Merge branch 'master' into jersey2
    Conflicts:
        zeppelin-server/pom.xml

commit 2881e5acbd84ac3582d223123032e97f3ef17c2f
Author: Eric Charles <e...@datalayer.io>
Date:   2016-08-26T14:14:36Z
    CDDL2 does not exist + get rid of javax.annotation released under JDL, it is shipped in JRE

commit 1344a20d028d1182b7d7637755e5b04e35047411
Author: Eric Charles <e...@datalayer.io>
Date:   2016-09-12T15:39:11Z
    Merge branch 'master' into jersey2

commit ebe7ebb336f182581df5e2c5d7df01308f88b367
Author: Eric Charles <e...@datalayer.io>
Date:   2017-03-18T11:23:13Z
    Automatic message for commit of samedi 18 mars 2017, 11:23:13 (UTC+0000)

commit 39543dec69555ec9968175ad6f8a36dcb7a28ae0
Author: Eric Charles <e...@datalayer.io>
Date:   2017-03-25T13:03:02Z
    Merge branch 'master' of https://github.com/apache/zeppelin

commit c908697ecd1846e44c0f380a1eb421925d4533bf
Author: Eric Charles <e...@datalayer.io>
Date:   2017-03-25T14:10:57Z
    merge with master

commit 01dcc0967746a6e0fee5d9279fe0a60023a6d987
Author: Eric Charles <e...@datalayer.io>
Date:   2017-03-25T14:29:59Z
    revert back to scala 2.10

commit ff04acaa7a6bfbc0112c19b5655142d7ef5b914d
Author: Eric Charles <e...@datalayer.io>
Date:   2017-04-06T13:00:05Z
    clean merged content in LICENSE file

commit a5caf26b72744913fea36905fb295f9d2c5b5697
Author: Eric Charles <e...@datalayer.io>
Date:   2017-04-09T06:09:42Z
    Merge branch 'master' into jersey2

commit 851dd576378c695439b168d027a8948e6f16ffc6
Author: Eric Charles <e...@datalayer.io>
Date:   2017-04-16T08:11:05Z
    Merge branch 'master' into jersey2

commit 71c93b82199a4d2bd8f2b5d87171982e4bcc76e4
Author: Eric Charles <e...@datalayer.io>
Date:   2017-04-16T08:22:28Z
    rename local cxfContext variable

commit 62140765d7eb09ee3c6ce8813a52cf0842a2197d
Author: Eric Charles <e...@datalayer.io>
Date:   2017-04-18T15:50:50Z
    Merge branch 'master' into jersey2

commit 0099da58819d2e009abc01d4cee74aaa9a4d6234
Author: Eric Charles <e...@datalayer.io>
Date:   2017-04-23T16:56:57Z
    Merge branch 'master' into jersey2

commit 624fc2510d8b02e220d5f448562d737dc0ab21a3
Author: Eric Charles <e...@datalayer.io>
Date:   2017-05-03T10:22:53Z
    Merge branch 'master' into jersey2

commit 767f15a69e1b70d9561e1a1f59d385309e653a1e
Author: Eric Charles <e...@datalayer.io>
Date:   2017-05-04T07:19:13Z
    Merge branch 'master' into jersey2

commit a037c54c03316b4bb1e5d2a072c470811a50d446
Author: Sohaib Iftikhar <iftikhar.soh...@gmail.com>
Date:   2017-05-19T12:55:40Z
    Merge branch 'jersey2' of https://github.com/datalayer/zeppelin

commit 839680535eb74d2ff4948f8e0a685ec29117f54d
Author: Sohaib Iftikhar <iftikhar.soh...@gmail.com>
Date:   2017-05-19T13:04:18Z
    Added role based authentication (not to be confused with authorization) for shiro
----
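As an added example (not Zeppelin's or Shiro's own code), the decision this PR describes, modelled in Python over the sample shiro.ini from the description: map a bound user's LDAP groups to roles through `rolesByGroup`, admit the login only if one of those roles appears in `allowedRolesForAuthentication`, and skip the check entirely when that key is absent. The "any one matching role suffices" rule, the `[main]` subset used as input and the function names are assumptions made here.

```python
"""Stand-alone model of the allowedRolesForAuthentication check; assumed
semantics, not a call into LdapRealm."""
import configparser

# Constructed input: the relevant [main] keys from the PR's sample shiro.ini.
SHIRO_INI = """
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.rolesByGroup = GLOBAL_ADMINS:admin,HKG_USERS:user
ldapRealm.allowedRolesForAuthentication = admin,user
"""


def parse_roles_by_group(value):
    """'GROUP:role,GROUP2:role2' -> {'GROUP': 'role', 'GROUP2': 'role2'}."""
    mapping = {}
    for pair in value.split(","):
        group, sep, role = pair.strip().partition(":")
        if sep and group and role:          # ignore empty or malformed entries
            mapping[group.strip()] = role.strip()
    return mapping


def parse_allowed_roles(value):
    """'admin,user' -> {'admin', 'user'}."""
    return {r.strip() for r in value.split(",") if r.strip()}


def load_realm_config(ini_text):
    # Only '=' is a delimiter: group:role pairs contain ':' in the value.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    main = cp["main"]
    allowed = main.get("ldapRealm.allowedRolesForAuthentication")
    return {
        "roles_by_group": parse_roles_by_group(main.get("ldapRealm.rolesByGroup", "")),
        # None means the key is absent, which must behave as the old realm did.
        "allowed_roles": parse_allowed_roles(allowed) if allowed is not None else None,
    }


def roles_for_groups(groups, roles_by_group):
    """Roles granted by the user's LDAP group memberships (unmapped groups give none)."""
    return {roles_by_group[g] for g in groups if g in roles_by_group}


def authentication_allowed(groups, cfg):
    """True if a successful LDAP bind should also count as a successful login."""
    if cfg["allowed_roles"] is None:
        return True                          # key absent: no role check, as before
    return bool(roles_for_groups(groups, cfg["roles_by_group"]) & cfg["allowed_roles"])
```

Note that a user whose groups map to no role at all is rejected once the key is set, so a group that is deliberately left out of `rolesByGroup` stays locked out of login as well as of the `[urls]` roles.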