From: prabhjyotsingh@apache.org
To: commits@zeppelin.apache.org
Reply-To: dev@zeppelin.apache.org
Mailing-List: contact commits-help@zeppelin.apache.org; run by ezmlm
Message-Id: <1ed564f10bd5461dacfc79d8adc20f41@git.apache.org>
Subject: zeppelin git commit: ZEPPELIN-2530: Zeppelin user impersonation with domain name suffix is failing
Date: Tue, 16 May 2017 07:33:55 +0000 (UTC)

Repository: zeppelin
Updated Branches:
  refs/heads/master 2afa9cbd5 -> 07a5b15d1

ZEPPELIN-2530: Zeppelin user impersonation with domain name suffix is failing

### What is this PR for?

Basically what happens is, if a user logs in using the full name with suffix, then the user impersonation fails, as HDFS expects the username without the suffix. This is because the username is passed to the underlying components with the suffix and gets rejected in the security layer with an IllegalArgumentException.

### What type of PR is it?

[Bug Fix]

### What is the Jira issue?

* [ZEPPELIN-2530](https://issues.apache.org/jira/browse/ZEPPELIN-2530)

### How should this be tested?

- Enable AD authentication
- Set `activeDirectoryRealm.principalSuffix` in shiro.ini
- Now try to log in with the full user name (in my example it's zepplintestdomain.com)

### Screenshots (if appropriate)

Before: screen shot 2017-05-11 at 7 01 24 pm

After: screen shot 2017-05-11 at 7 00 47 pm

### Questions:

* Do the license files need an update? n/a
* Are there breaking changes for older versions? n/a
* Does this need documentation?
n/a

Author: Prabhjyot Singh

Closes #2337 from prabhjyotsingh/ZEPPELIN-2530 and squashes the following commits:

f135eb4bb [Prabhjyot Singh] validate user string for null/empty before sending it to AD server
5a02759a1 [Prabhjyot Singh] ZEPPELIN-2530: Zeppelin user impersonation with domain name suffix is failing

Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/07a5b15d
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/07a5b15d
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/07a5b15d

Branch: refs/heads/master
Commit: 07a5b15d1677e157a253a195c99f6a7926c2532a
Parents: 2afa9cb
Author: Prabhjyot Singh
Authored: Fri May 12 09:10:33 2017 +0530
Committer: Prabhjyot Singh
Committed: Tue May 16 13:03:43 2017 +0530

----------------------------------------------------------------------
 .../realm/ActiveDirectoryGroupRealm.java | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/07a5b15d/zeppelin-server/src/main/java/org/apache/zeppelin/realm/ActiveDirectoryGroupRealm.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/realm/ActiveDirectoryGroupRealm.java b/zeppelin-server/src/main/java/org/apache/zeppelin/realm/ActiveDirectoryGroupRealm.java
index 8a9d66b..d40a643 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/realm/ActiveDirectoryGroupRealm.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/realm/ActiveDirectoryGroupRealm.java
@@ -186,7 +186,7 @@ public class ActiveDirectoryGroupRealm extends AbstractLdapRealm { LdapContext ctx = null; try { String userPrincipalName = upToken.getUsername(); - if (userPrincipalName == null) { + if (!isValidPrincipalName(userPrincipalName)) { return null; } if (this.principalSuffix != null && userPrincipalName.indexOf('@') < 0) { @@ -201,7 +201,24 @@ public class ActiveDirectoryGroupRealm extends AbstractLdapRealm { return buildAuthenticationInfo(upToken.getUsername(), upToken.getPassword()); } + private Boolean isValidPrincipalName(String userPrincipalName) { + if (userPrincipalName != null) { + if (StringUtils.isNotEmpty(userPrincipalName) && userPrincipalName.contains("@")) { + String userPrincipalWithoutDomain = userPrincipalName.split("@")[0].trim(); + if (StringUtils.isNotEmpty(userPrincipalWithoutDomain)) { + return true; + } + } else if (StringUtils.isNotEmpty(userPrincipalName)) { + return true; + } + } + return false; + } + protected AuthenticationInfo buildAuthenticationInfo(String username, char[] password) { + if (this.principalSuffix != null && username.indexOf('@') > 1) { + username = username.split("@")[0]; + } return new SimpleAuthenticationInfo(username, password, getName()); }
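Review bot: in the first hunk, `if (!isValidPrincipalName(userPrincipalName)) { return null; }` rejects blank and malformed names silently, and a null return from this method is indistinguishable from an unknown account, so a rejected login attempt leaves no trace in the server log; a debug-level log line at this branch would make such rejections diagnosable. The suffix-append check that follows still decides "has a domain" with `userPrincipalName.indexOf('@') < 0`, while the new validity check uses `split("@")[0]`; routing both through one helper would keep the two definitions aligned.

Review bot: in the second hunk, the new branch in `buildAuthenticationInfo` strips whatever follows the `@` with `username.split("@")[0]` without checking that the domain equals the configured `principalSuffix`, so any principal that binds successfully as `alice@<some-domain>` is reduced to the local name `alice` and impersonates the same HDFS user regardless of domain; compare the part after `@` against `this.principalSuffix` and leave the name unchanged (or reject it) when it does not match. Three smaller points in the same hunk: `isValidPrincipalName` calls `userPrincipalName.split("@")[0]` whenever the string contains `@`, but for an input made only of `@` characters Java's `String.split` discards the trailing empty strings and returns an empty array, so the method throws `ArrayIndexOutOfBoundsException` instead of returning `false` (testing `indexOf('@') > 0` before splitting avoids it); `StringUtils.isNotEmpty` accepts whitespace-only input, so `isNotBlank` is the check that matches the `.trim()` applied to the local part; and `buildAuthenticationInfo` only strips when `indexOf('@') > 1`, so a one-character local part such as `a@...` keeps its suffix although `isValidPrincipalName` accepts it, which reads as an off-by-one for `> 0`. The helper also returns boxed `Boolean` where primitive `boolean` is the idiomatic return type.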