GitHub user prabhjyotsingh reopened a pull request:
https://github.com/apache/zeppelin/pull/2405
[ZEPPELIN-2640] Roles are not getting honored from shiro_ini for setting
permissions in Zeppelin notebook
### What is this PR for?
Roles are not getting honored from shiro_ini for setting permissions in
Zeppelin notebook when securityManager.realm is set to $activeDirectoryRealm
### What type of PR is it?
[Bug Fix]
### Todos
* [x] - Create JIRA
### What is the Jira issue?
* [ZEPPELIN-2640](https://issues.apache.org/jira/browse/ZEPPELIN-2640)
### How should this be tested?
Use the below-attached shiro.ini, the thing which is different is
`securityManager.realm = $activeDirectoryRealm`. When this is used, Zeppelin
does not set the roles that were assigned to that particular user.
```
[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername =
CN=Administrator,CN=Users,DC=COMPANY,DC=COM
activeDirectoryRealm.systemPassword = Password1!
activeDirectoryRealm.searchBase = CN=Users,DC=COMPANY,DC=COM
activeDirectoryRealm.url = ldap://ad-nano.mydomain.com:389
activeDirectoryRealm.groupRolesMap =
"CN=zeppelin,OU=groups,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=COMPANY,DC=COM":"finance"
activeDirectoryRealm.authorizationCachingEnabled = true
securityManager.realm = $activeDirectoryRealm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[urls]
/api/version = anon
/** = authc
```
So, before this PR if you `tail -f
zeppelin-<username>-<machine-name>.local.log` in the log you will see this line
` WARN [2017-06-12 12:42:06,620] ({qtp226744878-19}
LoginRestApi.java[postLogin]:119) -
{"status":"OK","message":"","body":{"principal":"zeppelin","ticket":"4b1e513f-7736-4474-b2d6-259ff3d39f91","roles":"[]"}}`
And after applying this PR you will be able to see the role that got
assigned to this user i.e.
` WARN [2017-06-12 12:42:06,620] ({qtp226744878-19}
LoginRestApi.java[postLogin]:119) -
{"status":"OK","message":"","body":{"principal":"zeppelin","ticket":"4b1e513f-7736-4474-b2d6-259ff3d39f91","roles":"[admin]"}}`
### Screenshots (if appropriate)
N/A
### Questions:
* Does the licenses files need update? N/A
* Is there breaking changes for older versions? N/A
* Does this needs documentation? N/A
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/prabhjyotsingh/zeppelin
bug/securityManagerActiveDirectory
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/2405.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2405
----
commit 9439ac8a7100438ed05c52b9eac4e0c05079a9e8
Author: Prabhjyot Singh <[email protected]>
Date: 2017-06-12T07:09:02Z
fix when securityManager.realm is set to $activeDirectoryRealm
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
