zeppelin-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From prabhjyotsi...@apache.org
Subject zeppelin git commit: [ZEPPELIN-2657] Add group search filter option to LdapRealm
Date Thu, 22 Jun 2017 05:12:41 GMT
Repository: zeppelin
Updated Branches:
  refs/heads/master 79e8e76c4 -> a5ca2e518


[ZEPPELIN-2657] Add group search filter option to LdapRealm

### What is this PR for?
Problem:
While performing LDAP authentication, current Shiro module does a group=* search while trying
to get group-to-role mapping for any LDAP user. On a large LDAP directory, this is a serious
problem which might render RolesByGroup feature not working as expected.

Fix:
Currently while doing LDAP authentication, there is no available option to limit the group
search results to the only groups that user is interested in. This bug addresses the same
and adds group search filter to Shiro configuration for LdapRealm which will allow user to
define a search filter and limit the group search results.

### What type of PR is it?
Improvement

### What is the Jira issue?
* [ZEPPELIN-2657] https://issues.apache.org/jira/browse/ZEPPELIN-2657

### How should this be tested?
1. Use org.apache.zeppelin.realm.LdapRealm as Shiro realm
2. In the shiro_ini configruation, define a group search filter like this:
ldapRealm.groupSearchFilter = (&(objectclass=groupofnames)(member={0}))
or
ldapRealm.groupSearchFilter = (&(objectclass=groupofnames)(cn=zeppelin-users*))
3. Also define other LdapRealm parameters as necessary like rolesByGroup etc.
4. When an LDAP user, who is part of the group that matches filter above, logs in, then the
roles are applied. If the LDAP user is not part these defined groups, then the roles are not
applied.

### Questions:
* Does the licenses files need update? N/A
* Is there breaking changes for older versions? N/A
* Does this needs documentation? N/A

Author: Vipin Rathor <v.rathor@gmail.com>

Closes #2414 from VipinRathor/ZEPPELIN-2657 and squashes the following commits:

ba0412c8b [Vipin Rathor] ZEPPELIN-2657 Add group search filter option to LdapRealm


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/a5ca2e51
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/a5ca2e51
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/a5ca2e51

Branch: refs/heads/master
Commit: a5ca2e5185012d336ae794ce51935c80f9540d68
Parents: 79e8e76
Author: Vipin Rathor <v.rathor@gmail.com>
Authored: Thu Jun 15 12:13:21 2017 -0700
Committer: Prabhjyot Singh <prabhjyotsingh@gmail.com>
Committed: Thu Jun 22 10:42:32 2017 +0530

----------------------------------------------------------------------
 .../org/apache/zeppelin/realm/LdapRealm.java    | 26 +++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/a5ca2e51/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java b/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java
index 97c223c..dc10749 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java
@@ -101,6 +101,8 @@ import javax.naming.ldap.PagedResultsControl;
  * # ability set searchScopes subtree (default), one, base
  * ldapRealm.userSearchScope = subtree;
  * ldapRealm.groupSearchScope = subtree;
+ * ldapRealm.userSearchFilter = (&(objectclass=person)(sAMAccountName={0}))
+ * ldapRealm.groupSearchFilter = (&(objectclass=groupofnames)(member={0}))
  * ldapRealm.memberAttributeValueTemplate=cn={0},ou=people,dc=hadoop,dc=apache,
  * dc=org
  * # enable support for nested groups using the LDAP_MATCHING_RULE_IN_CHAIN operator
@@ -160,6 +162,7 @@ public class LdapRealm extends JndiLdapRealm {
   private Pattern principalPattern = Pattern.compile(DEFAULT_PRINCIPAL_REGEX);
   private String userDnTemplate = "{0}";
   private String userSearchFilter = null;
+  private String groupSearchFilter = null;
   private String userSearchAttributeTemplate = "{0}";
   private String userSearchScope = "subtree";
   private String groupSearchScope = "subtree";
@@ -356,9 +359,22 @@ public class LdapRealm extends JndiLdapRealm {
               }
             }                
           } else {
+            // Default group search filter
+            String searchFilter = String.format("(objectclass=%1$s)", groupObjectClass);
+
+            // If group search filter is defined in Shiro config, then use it
+            if (groupSearchFilter != null) {
+              Matcher matchedPrincipal = matchPrincipal(userDn);
+              searchFilter = expandTemplate(groupSearchFilter, matchedPrincipal);
+              //searchFilter = String.format("%1$s", groupSearchFilter);
+            }
+            if (log.isDebugEnabled()) {
+              log.debug("Group SearchBase|SearchFilter|GroupSearchScope: " + getGroupSearchBase()
+                    + "|" + searchFilter + "|" + groupSearchScope);
+            }
             searchResultEnum = ldapCtx.search(
                 getGroupSearchBase(),
-                "objectClass=" + groupObjectClass,
+                searchFilter,
                 searchControls);
             while (searchResultEnum != null && searchResultEnum.hasMore()) { 
               // searchResults contains all the groups in search scope
@@ -737,6 +753,14 @@ public class LdapRealm extends JndiLdapRealm {
     this.userSearchFilter = (filter == null ? null : filter.trim());
   }
   
+  public String getGroupSearchFilter() {
+    return groupSearchFilter;
+  }
+
+  public void setGroupSearchFilter(final String filter) {
+    this.groupSearchFilter = (filter == null ? null : filter.trim());
+  }
+
   public boolean getUserLowerCase() {
     return userLowerCase;
   }


Mime
View raw message