[GitHub] zeppelin pull request #2354: Allow group/role based authentication using Lda...

[GitHub] zeppelin pull request #2354: Allow group/role based authentication using Lda...

zjffdu
GitHub user sohaibiftikhar opened a pull request:

    https://github.com/apache/zeppelin/pull/2354

    Allow group/role based authentication using LdapRealm [ZEPPELIN-2539]

    ### What is this PR for?
    Currently allowing authentication for selected roles/groups of an LDAP realm is not possible. The LDAPRealm allows for mapping of roles to groups but only allows authorization on URLs with respect to groups. No group based checks are carried out during authentication. This PR allows for group based authentication using LdapRealm.
   
    ### What type of PR is it?
    [Improvement]
   
    ### Todos
    * [ ] - Merge #932 - This PR also merges changes from 932 so that needs to be merged first.
   
    ### What is the Jira issue?
    https://issues.apache.org/jira/browse/ZEPPELIN-2539
   
    ### How should this be tested?
    Build and configure `shiro.ini` to use the LdapRealm and verify that the realm works as before, along with the added functionality of allowing only certain user groups for authentication if the `allowedRolesForAuthentication` config is set in the init. If this configuration is absent, authentication should work as before without verifying roles. A sample `shiro.ini` is pasted here for testing purposes.
   
    ```
    [main]
    ldapRealm = org.apache.zeppelin.realm.LdapRealm
    ldapRealm.userDnTemplate = uid={0},ou=people,dc=my-company,dc=net
    ldapRealm.searchBase = dc=my-company,dc=net
    ldapRealm.userSearchBase = ou=people,dc=my-company,dc=net
    ldapRealm.groupSearchBase = ou=groups,dc=my-company,dc=net
    ldapRealm.contextFactory.url = ldaps://auth.my-company.net:636
    ldapRealm.contextFactory.authenticationMechanism = simple
    ldapRealm.userObjectClass = posixAccount
    ldapRealm.groupObjectClass = posixGroup
    ldapRealm.authorizationEnabled = true
    ldapRealm.memberAttribute = memberUid
    ldapRealm.memberAttributeValueTemplate=uid={0},ou=people,dc=my-company,dc=net
    ldapRealm.rolesByGroup = GLOBAL_ADMINS:admin,HKG_USERS:user
    ldapRealm.allowedRolesForAuthentication = admin,user
    ldapRealm.userSearchAttributeName = uid
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    shiro.loginUrl = /api/login
    securityManager.sessionManager = $sessionManager
    securityManager.sessionManager.globalSessionTimeout = 86400000
    securityManager.realms = $ldapRealm
   
    [urls]
    /api/version = anon
    /api/login = authc
    /api/login/logout = authc
    /** = authc, roles[admin,user]
    ```
   
    ### Screenshots (if appropriate)
   
    ### Questions:
    * Do the license files need an update? No
    * Are there breaking changes for older versions? No
    * Does this need documentation? Y (documentation updated in PR)


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/sohaibiftikhar/zeppelin ldaprealm

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/2354.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2354
   
----
commit 9eef80cb71bd7f456145830eca59a635b4627b83
Author: Eric Charles <[hidden email]>
Date:   2016-05-30T15:50:51Z

    Replace CXF with Jersey2

commit dbac7d9cafc9d8496455b382949106fd94b9fc65
Author: Eric Charles <[hidden email]>
Date:   2016-05-30T15:55:37Z

    Fix code style

commit d149a728eba1cbc2fd7ae2ee016cb71510286279
Author: Eric Charles <[hidden email]>
Date:   2016-05-30T16:13:53Z

    Ensure dependency convergence

commit 99e45025b3a829b91b4532ea5dbba68ad7aa77b5
Author: Eric Charles <[hidden email]>
Date:   2016-06-02T09:21:39Z

    Merge branch 'master' into jersey2

commit a7b7a871c9627721e3ddfa6469aa670f08f87bc0
Author: Eric Charles <[hidden email]>
Date:   2016-06-02T11:27:41Z

    Remove remaining jersey1 dep

commit f25b695b2c9ee1343a9e59a2a65584ac95c79a6f
Author: Eric Charles <[hidden email]>
Date:   2016-06-14T09:47:56Z

    Merge branch 'master' into jersey2

commit 326819d0bbf89d30b1fcf9cdd2dd20c1e11e7769
Author: Eric Charles <[hidden email]>
Date:   2016-08-02T05:53:35Z

    Merge branch 'master' into jersey2
   
    Conflicts:
    zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java

commit 82d98672f2dc230e60b1dc2effbb6bfe83183f21
Author: Eric Charles <[hidden email]>
Date:   2016-08-02T11:39:40Z

    merge with master

commit 587d3660a8857c169b7df411c43b2988ef21de8b
Author: Eric Charles <[hidden email]>
Date:   2016-08-02T11:56:34Z

    Document jersey 2 license

commit 7dafe84131d50659bdbd1b79efc622132644b574
Author: Eric Charles <[hidden email]>
Date:   2016-08-05T12:49:32Z

    Merge branch 'master' into jersey2
   
    Conflicts:
    zeppelin-server/src/test/java/org/apache/zeppelin/socket/TestHttpServletRequest.java

commit 0634977a896ea63b3b3a0d48716fa74761aa61bd
Author: Eric Charles <[hidden email]>
Date:   2016-08-05T13:20:15Z

    Add more licenses

commit c42d40c9b5b1b1162ba8217494aad0ecc6bab7e1
Author: Eric Charles <[hidden email]>
Date:   2016-08-17T14:46:27Z

    Move LICENSE-jersey-2 to zeppelin-distribution/src/bin_license

commit d39c5aa092e6a7a866755ccc54f7ccfaba51402a
Author: Eric Charles <[hidden email]>
Date:   2016-08-26T13:29:56Z

    Merge branch 'master' into jersey2
   
    Conflicts:
    zeppelin-server/pom.xml

commit 2881e5acbd84ac3582d223123032e97f3ef17c2f
Author: Eric Charles <[hidden email]>
Date:   2016-08-26T14:14:36Z

    CDDL2 does not exist + get rid of javax.annotation released under JDL, it is shipped in JRE

commit 1344a20d028d1182b7d7637755e5b04e35047411
Author: Eric Charles <[hidden email]>
Date:   2016-09-12T15:39:11Z

    Merge branch 'master' into jersey2

commit ebe7ebb336f182581df5e2c5d7df01308f88b367
Author: Eric Charles <[hidden email]>
Date:   2017-03-18T11:23:13Z

    Automatic message for commit of samedi 18 mars 2017, 11:23:13 (UTC+0000)

commit 39543dec69555ec9968175ad6f8a36dcb7a28ae0
Author: Eric Charles <[hidden email]>
Date:   2017-03-25T13:03:02Z

    Merge branch 'master' of https://github.com/apache/zeppelin

commit c908697ecd1846e44c0f380a1eb421925d4533bf
Author: Eric Charles <[hidden email]>
Date:   2017-03-25T14:10:57Z

    merge with master

commit 01dcc0967746a6e0fee5d9279fe0a60023a6d987
Author: Eric Charles <[hidden email]>
Date:   2017-03-25T14:29:59Z

    revert back to scala 2.10

commit ff04acaa7a6bfbc0112c19b5655142d7ef5b914d
Author: Eric Charles <[hidden email]>
Date:   2017-04-06T13:00:05Z

    clean merged content in LICENSE file

commit a5caf26b72744913fea36905fb295f9d2c5b5697
Author: Eric Charles <[hidden email]>
Date:   2017-04-09T06:09:42Z

    Merge branch 'master' into jersey2

commit 851dd576378c695439b168d027a8948e6f16ffc6
Author: Eric Charles <[hidden email]>
Date:   2017-04-16T08:11:05Z

    Merge branch 'master' into jersey2

commit 71c93b82199a4d2bd8f2b5d87171982e4bcc76e4
Author: Eric Charles <[hidden email]>
Date:   2017-04-16T08:22:28Z

    rename local cxfContext variable

commit 62140765d7eb09ee3c6ce8813a52cf0842a2197d
Author: Eric Charles <[hidden email]>
Date:   2017-04-18T15:50:50Z

    Merge branch 'master' into jersey2

commit 0099da58819d2e009abc01d4cee74aaa9a4d6234
Author: Eric Charles <[hidden email]>
Date:   2017-04-23T16:56:57Z

    Merge branch 'master' into jersey2

commit 624fc2510d8b02e220d5f448562d737dc0ab21a3
Author: Eric Charles <[hidden email]>
Date:   2017-05-03T10:22:53Z

    Merge branch 'master' into jersey2

commit 767f15a69e1b70d9561e1a1f59d385309e653a1e
Author: Eric Charles <[hidden email]>
Date:   2017-05-04T07:19:13Z

    Merge branch 'master' into jersey2

commit a037c54c03316b4bb1e5d2a072c470811a50d446
Author: Sohaib Iftikhar <[hidden email]>
Date:   2017-05-19T12:55:40Z

    Merge branch 'jersey2' of https://github.com/datalayer/zeppelin

commit 839680535eb74d2ff4948f8e0a685ec29117f54d
Author: Sohaib Iftikhar <[hidden email]>
Date:   2017-05-19T13:04:18Z

    Added role based authentication(not to be confused with authorization) for shiro

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
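
An added illustration of the login gate the pull request description specifies, using the `rolesByGroup` and `allowedRolesForAuthentication` values from the sample `shiro.ini`; it is not code from the pull request or from Zeppelin. The function names, the any-of matching, and the simplification that only roles mapped through `rolesByGroup` count are assumptions made for this example.

```python
# Added example, not Zeppelin code: models the behaviour described in the PR text.
# Assumptions: one matching role is enough, and only roles mapped via
# rolesByGroup are considered (the real realm may resolve roles differently).

def parse_roles_by_group(value):
    """Turn 'GROUP:role,GROUP2:role2' into {'GROUP': 'role', ...}."""
    mapping = {}
    for pair in value.split(","):
        pair = pair.strip()
        if not pair:
            continue
        group, sep, role = pair.partition(":")
        if not sep or not group.strip() or not role.strip():
            raise ValueError(f"malformed rolesByGroup entry: {pair!r}")
        mapping[group.strip()] = role.strip()
    return mapping


def parse_allowed_roles(value):
    """Comma-separated role list; None or blank means the setting is absent."""
    if value is None:
        return set()
    return {role.strip() for role in value.split(",") if role.strip()}


def may_authenticate(user_groups, roles_by_group, allowed_roles):
    """Decide login for a user whose password was already verified against LDAP."""
    if not allowed_roles:
        return True  # setting absent: authentication works as before
    user_roles = {roles_by_group[g] for g in user_groups if g in roles_by_group}
    return bool(user_roles & allowed_roles)


def unreachable_allowed_roles(roles_by_group, allowed_roles):
    """Allowed roles that no group maps to, e.g. a typo that locks users out."""
    return sorted(allowed_roles - set(roles_by_group.values()))


# Values copied from the sample shiro.ini in the pull request description.
ROLES_BY_GROUP = parse_roles_by_group("GLOBAL_ADMINS:admin,HKG_USERS:user")
ALLOWED = parse_allowed_roles("admin,user")

if __name__ == "__main__":
    # CONTRACTORS is a constructed group name used only for this example.
    for groups in (["GLOBAL_ADMINS"], ["HKG_USERS"], ["CONTRACTORS"]):
        print(groups, may_authenticate(groups, ROLES_BY_GROUP, ALLOWED))
    print(unreachable_allowed_roles(ROLES_BY_GROUP, parse_allowed_roles("admin,users")))
```

Running `unreachable_allowed_roles` over a deployment's own values before enabling the setting catches a misspelled role name, which would otherwise show up only as failed logins.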

[GitHub] zeppelin issue #2354: Allow group/role based authentication using LdapRealm ...

zjffdu
Github user 1ambda commented on the issue:

    https://github.com/apache/zeppelin/pull/2354
 
    \cc @khalidhuseynov



[GitHub] zeppelin issue #2354: Allow group/role based authentication using LdapRealm ...

zjffdu
In reply to this post by zjffdu
Github user khalidhuseynov commented on the issue:

    https://github.com/apache/zeppelin/pull/2354
 
    @sohaibiftikhar thanks for adding the option for authentication with a role check. I was wondering if these changes are related to the issue in #932; from a first look it seems a bit unrelated and I would assume it should work from master as well, WDYT?



[GitHub] zeppelin issue #2354: Allow group/role based authentication using LdapRealm ...

zjffdu
In reply to this post by zjffdu
Github user sohaibiftikhar commented on the issue:

    https://github.com/apache/zeppelin/pull/2354
 
    @khalidhuseynov At front it seems that the issues are unrelated; however, for reasons I do not know, #2182 is triggered when using the LdapRealm for me. #932 fixes that issue, and hence for testing my build with this option I had included the changes for that.



[GitHub] zeppelin issue #2354: Allow group/role based authentication using LdapRealm ...

zjffdu
In reply to this post by zjffdu
Github user khalidhuseynov commented on the issue:

    https://github.com/apache/zeppelin/pull/2354
 
    Thanks for the clarification, then I may look into #932 as well, and after finalising that we can rebase this one.



[GitHub] zeppelin issue #2354: Allow group/role based authentication using LdapRealm ...

zjffdu
In reply to this post by zjffdu
Github user FRosner commented on the issue:

    https://github.com/apache/zeppelin/pull/2354
 
    Hi @khalidhuseynov!
   
    Thanks for looking into it. Is there a way to support you?



[GitHub] zeppelin issue #2354: Allow group/role based authentication using LdapRealm ...

zjffdu
In reply to this post by zjffdu
Github user khalidhuseynov commented on the issue:

    https://github.com/apache/zeppelin/pull/2354
 
    Hi @FRosner, I think the best way would be to help review and test #932 first. I was going to do it as well, but didn't get much time recently. Thanks for the help, and I'll check it this week too.



[GitHub] zeppelin issue #2354: Allow group/role based authentication using LdapRealm ...

zjffdu
In reply to this post by zjffdu
Github user khalidhuseynov commented on the issue:

    https://github.com/apache/zeppelin/pull/2354
 
    @sohaibiftikhar I guess we can rebase it from master now.



[GitHub] zeppelin issue #2354: Allow group/role based authentication using LdapRealm ...

zjffdu
In reply to this post by zjffdu
Github user sohaibiftikhar commented on the issue:

    https://github.com/apache/zeppelin/pull/2354
 
    CI looks good now. It was initially not working before, as for some reason:
    `curl -sSL "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x51716619E084DAB9" | sudo -E apt-key add -`
    was returning with no gpg key found.
    Build is now fine at:
    https://travis-ci.org/sohaibiftikhar/zeppelin/builds/238652785



[GitHub] zeppelin issue #2354: Allow group/role based authentication using LdapRealm ...

zjffdu
In reply to this post by zjffdu
Github user sohaibiftikhar commented on the issue:

    https://github.com/apache/zeppelin/pull/2354
 
    CI is green. Earlier errors seem to have been erratic and resolved themselves after restart: https://travis-ci.org/sohaibiftikhar/zeppelin/builds/238705120



[GitHub] zeppelin issue #2354: Allow group/role based authentication using LdapRealm ...

zjffdu
In reply to this post by zjffdu
Github user Leemoonsoo commented on the issue:

    https://github.com/apache/zeppelin/pull/2354
 
    LGTM. Thanks @sohaibiftikhar for the contribution.
   
    Merge to master if no further discussions here.



[GitHub] zeppelin pull request #2354: Allow group/role based authentication using Lda...

zjffdu
In reply to this post by zjffdu
Github user asfgit closed the pull request at:

    https://github.com/apache/zeppelin/pull/2354

