[GitHub] zeppelin pull request #2405: [minor] Roles are not getting honored from shir...

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[GitHub] zeppelin pull request #2405: [minor] Roles are not getting honored from shir...

zjffdu
GitHub user prabhjyotsingh opened a pull request:

    https://github.com/apache/zeppelin/pull/2405

    [minor] Roles are not getting honored from shiro_ini for setting permissions in Zeppelin notebook

    ### What is this PR for?
    Roles are not getting honored from shiro_ini for setting permissions in Zeppelin notebook when securityManager.realm is set to $activeDirectoryRealm
   
    ### What type of PR is it?
    [Bug Fix]
   
    ### Todos
    * [ ] - Create JIRA
   
    ### What is the Jira issue?
    *
   
    ### How should this be tested?
    Use the below-attached shiro.ini, the thing which is different is `securityManager.realm = $activeDirectoryRealm`. When this is used, Zeppelin does not set the roles that were assigned to that particular user.  
   
    ```
    [main]
    activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
    activeDirectoryRealm.systemUsername = CN=Administrator,CN=Users,DC=COMPANY,DC=COM
    activeDirectoryRealm.systemPassword = Password1!
    activeDirectoryRealm.searchBase = CN=Users,DC=COMPANY,DC=COM
    activeDirectoryRealm.url = ldap://ad-nano.mydomain.com:389
    activeDirectoryRealm.groupRolesMap = "CN=zeppelin,OU=groups,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=COMPANY,DC=COM":"finance"
    activeDirectoryRealm.authorizationCachingEnabled = true
   
    securityManager.realm = $activeDirectoryRealm
   
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
    securityManager.cacheManager = $cacheManager
    securityManager.sessionManager = $sessionManager
    securityManager.sessionManager.globalSessionTimeout = 86400000
    shiro.loginUrl = /api/login
   
    [urls]
    /api/version = anon
    /** = authc
    ```
   
    So, before this PR if you `tail -f zeppelin-<username>-<machine-name>.local.log` in the log you will see this line
    ` WARN [2017-06-12 12:42:06,620] ({qtp226744878-19} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"zeppelin","ticket":"4b1e513f-7736-4474-b2d6-259ff3d39f91","roles":"[]"}}`
   
    And after applying this PR you will be able to see the role that got assigned to this user i.e.
    ` WARN [2017-06-12 12:42:06,620] ({qtp226744878-19} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"zeppelin","ticket":"4b1e513f-7736-4474-b2d6-259ff3d39f91","roles":"[admin]"}}`
   
    ### Screenshots (if appropriate)
    N/A
   
    ### Questions:
    * Does the licenses files need update? N/A
    * Is there breaking changes for older versions? N/A
    * Does this needs documentation? N/A


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/prabhjyotsingh/zeppelin bug/securityManagerActiveDirectory

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/2405.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2405
   
----
commit 9439ac8a7100438ed05c52b9eac4e0c05079a9e8
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-12T07:09:02Z

    fix when securityManager.realm is set to $activeDirectoryRealm

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[GitHub] zeppelin issue #2405: [minor] Roles are not getting honored from shiro_ini f...

zjffdu
Github user prabhjyotsingh commented on the issue:

    https://github.com/apache/zeppelin/pull/2405
 
    @felixcheung  yes, we do have a basic doc at http://zeppelin.apache.org/docs/0.7.1/security/shiroauthentication.html#active-directory.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[GitHub] zeppelin pull request #2405: [ZEPPELIN-2640] Roles are not getting honored f...

zjffdu
In reply to this post by zjffdu
Github user prabhjyotsingh closed the pull request at:

    https://github.com/apache/zeppelin/pull/2405


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[GitHub] zeppelin pull request #2405: [ZEPPELIN-2640] Roles are not getting honored f...

zjffdu
In reply to this post by zjffdu
GitHub user prabhjyotsingh reopened a pull request:

    https://github.com/apache/zeppelin/pull/2405

    [ZEPPELIN-2640] Roles are not getting honored from shiro_ini for setting permissions in Zeppelin notebook

    ### What is this PR for?
    Roles are not getting honored from shiro_ini for setting permissions in Zeppelin notebook when securityManager.realm is set to $activeDirectoryRealm
   
    ### What type of PR is it?
    [Bug Fix]
   
    ### Todos
    * [x] - Create JIRA
   
    ### What is the Jira issue?
    * [ZEPPELIN-2640](https://issues.apache.org/jira/browse/ZEPPELIN-2640)
   
    ### How should this be tested?
    Use the below-attached shiro.ini, the thing which is different is `securityManager.realm = $activeDirectoryRealm`. When this is used, Zeppelin does not set the roles that were assigned to that particular user.  
   
    ```
    [main]
    activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
    activeDirectoryRealm.systemUsername = CN=Administrator,CN=Users,DC=COMPANY,DC=COM
    activeDirectoryRealm.systemPassword = Password1!
    activeDirectoryRealm.searchBase = CN=Users,DC=COMPANY,DC=COM
    activeDirectoryRealm.url = ldap://ad-nano.mydomain.com:389
    activeDirectoryRealm.groupRolesMap = "CN=zeppelin,OU=groups,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=COMPANY,DC=COM":"finance"
    activeDirectoryRealm.authorizationCachingEnabled = true
   
    securityManager.realm = $activeDirectoryRealm
   
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
    securityManager.cacheManager = $cacheManager
    securityManager.sessionManager = $sessionManager
    securityManager.sessionManager.globalSessionTimeout = 86400000
    shiro.loginUrl = /api/login
   
    [urls]
    /api/version = anon
    /** = authc
    ```
   
    So, before this PR if you `tail -f zeppelin-<username>-<machine-name>.local.log` in the log you will see this line
    ` WARN [2017-06-12 12:42:06,620] ({qtp226744878-19} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"zeppelin","ticket":"4b1e513f-7736-4474-b2d6-259ff3d39f91","roles":"[]"}}`
   
    And after applying this PR you will be able to see the role that got assigned to this user i.e.
    ` WARN [2017-06-12 12:42:06,620] ({qtp226744878-19} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"zeppelin","ticket":"4b1e513f-7736-4474-b2d6-259ff3d39f91","roles":"[admin]"}}`
   
    ### Screenshots (if appropriate)
    N/A
   
    ### Questions:
    * Does the licenses files need update? N/A
    * Is there breaking changes for older versions? N/A
    * Does this needs documentation? N/A


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/prabhjyotsingh/zeppelin bug/securityManagerActiveDirectory

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/2405.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2405
   
----
commit 9439ac8a7100438ed05c52b9eac4e0c05079a9e8
Author: Prabhjyot Singh <[hidden email]>
Date:   2017-06-12T07:09:02Z

    fix when securityManager.realm is set to $activeDirectoryRealm

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[GitHub] zeppelin issue #2405: [ZEPPELIN-2640] Roles are not getting honored from shi...

zjffdu
In reply to this post by zjffdu
Github user prabhjyotsingh commented on the issue:

    https://github.com/apache/zeppelin/pull/2405
 
    Thank you @felixcheung, @khalidhuseynov for the review.
    Will merge this if no more discussion.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[GitHub] zeppelin pull request #2405: [ZEPPELIN-2640] Roles are not getting honored f...

zjffdu
In reply to this post by zjffdu
Github user asfgit closed the pull request at:

    https://github.com/apache/zeppelin/pull/2405


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Loading...