From prabhjyotsi...@apache.org
Subject zeppelin git commit: [ZEPPELIN-3526] Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive
Date Thu, 07 Jun 2018 10:03:08 GMT
Repository: zeppelin
Updated Branches:
  refs/heads/branch-0.8 47c7f4ffa -> c19b69d2b


[ZEPPELIN-3526] Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive

Problem:
When any external authentication (like LDAP/AD) is enabled for Zeppelin, the default password-based
authentication could still be configured in addition to that. This leaves a backdoor
in Zeppelin, where a user can still get in using the local username/password.

Proposed Solution:
Zeppelin shouldn't allow specifying [users] section in shiro.ini when it is configured to
authenticate with LDAP/AD.

[Bug Fix | Feature ]

* [x] - Add documentation

* [ZEPPELIN-3526](https://issues.apache.org/jira/browse/ZEPPELIN-3526)

If both [users] and [main] for example activeDirectoryRealm section enabled in shiro, Zeppelin
server should not start.

Author: Prabhjyot Singh <prabhjyotsingh@gmail.com>
Author: Prabhjyot <prabhjyotsingh@gmail.com>

Closes #3003 from prabhjyotsingh/ZEPPELIN-3526 and squashes the following commits:

edc4323d0 [Prabhjyot] Merge branch 'master' into ZEPPELIN-3526
05c9e14ec [Prabhjyot Singh] add doc
529ab3e0e [Prabhjyot Singh] ZEPPELIN-3526: Zeppelin auth mechanisms (LDAP or password based)
should be mutually exclusive

Change-Id: I0608cdc64ae7952eeec22bfe939810a6b24f357a
(cherry picked from commit bbf5ef511601ee58f4acaf3040a5fbba76d37502)
Signed-off-by: Prabhjyot Singh <prabhjyotsingh@gmail.com>

# Conflicts:
#	zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/c19b69d2
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/c19b69d2
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/c19b69d2

Branch: refs/heads/branch-0.8
Commit: c19b69d2b51b626f943ecbc4004f0d40a84e3919
Parents: 47c7f4f
Author: Prabhjyot Singh <prabhjyotsingh@gmail.com>
Authored: Thu Jun 7 15:20:24 2018 +0530
Committer: Prabhjyot Singh <prabhjyotsingh@gmail.com>
Committed: Thu Jun 7 15:32:52 2018 +0530

----------------------------------------------------------------------
 docs/setup/security/shiro_authentication.md     |  4 ++++
 .../apache/zeppelin/server/ZeppelinServer.java  | 20 +++++++++++++++++++-
 .../AnyOfRolesUserAuthorizationFilter.java      |  2 +-
 3 files changed, 24 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/c19b69d2/docs/setup/security/shiro_authentication.md
----------------------------------------------------------------------
diff --git a/docs/setup/security/shiro_authentication.md b/docs/setup/security/shiro_authentication.md
index 49b06c1..e1bf650 100644
--- a/docs/setup/security/shiro_authentication.md
+++ b/docs/setup/security/shiro_authentication.md
@@ -104,6 +104,9 @@ To learn more about Apache Shiro Realm, please check [this documentation](http:/
 
 We also provide community custom Realms.
 
+**Note**: When using any of the below realms the default 
+      password-based (IniRealm) authentication needs to be disabled.
+
 ### Active Directory
 
 ```
@@ -267,6 +270,7 @@ If you want to grant this permission to other users, you can change **roles[
]**
 
 ### Apply multiple roles in Shiro configuration
 By default, Shiro will allow access to a URL if only user is part of "**all the roles**"
defined like this:
+
 ```
 [urls]
 

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/c19b69d2/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
index 9f3f607..539e66e 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
@@ -19,6 +19,7 @@ package org.apache.zeppelin.server;
 
 import java.io.File;
 import java.io.IOException;
+import java.util.Collection;
 import java.util.EnumSet;
 import java.util.HashSet;
 import java.util.Set;
@@ -27,7 +28,10 @@ import javax.servlet.DispatcherType;
 import javax.ws.rs.core.Application;
 
 import org.apache.commons.lang.StringUtils;
+import org.apache.shiro.realm.Realm;
+import org.apache.shiro.realm.text.IniRealm;
 import org.apache.shiro.web.env.EnvironmentLoaderListener;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
 import org.apache.shiro.web.servlet.ShiroFilter;
 import org.apache.zeppelin.conf.ZeppelinConfiguration;
 import org.apache.zeppelin.conf.ZeppelinConfiguration.ConfVars;
@@ -54,7 +58,6 @@ import org.apache.zeppelin.search.LuceneSearch;
 import org.apache.zeppelin.search.SearchService;
 import org.apache.zeppelin.socket.NotebookServer;
 import org.apache.zeppelin.storage.ConfigStorage;
-import org.apache.zeppelin.storage.FileSystemConfigStorage;
 import org.apache.zeppelin.user.Credentials;
 import org.apache.zeppelin.utils.SecurityUtils;
 import org.eclipse.jetty.http.HttpVersion;
@@ -92,6 +95,21 @@ public class ZeppelinServer extends Application {
 
   public ZeppelinServer() throws Exception {
     ZeppelinConfiguration conf = ZeppelinConfiguration.create();
+    Collection<Realm> realms = ((DefaultWebSecurityManager) org.apache.shiro.SecurityUtils
+        .getSecurityManager()).getRealms();
+    if (realms.size() > 1) {
+      Boolean isIniRealmEnabled = false;
+      for (Object realm : realms) {
+        if (realm instanceof IniRealm && ((IniRealm) realm).getIni().get("users")
!= null) {
+          isIniRealmEnabled = true;
+          break;
+        }
+      }
+      if (isIniRealmEnabled) {
+        throw new Exception("IniRealm/password based auth mechanisms should be exclusive.
"
+            + "Consider removing [users] block from shiro.ini");
+      }
+    }
 
 
 
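Review bot: The unchecked cast on the first added line of this hunk turns into a ClassCastException, rather than the intended startup message, whenever shiro.ini binds a securityManager that is not a DefaultWebSecurityManager; guarding with `instanceof` (against DefaultWebSecurityManager, or against RealmSecurityManager, which is the type that declares `getRealms()` — confirm against the Shiro version in use) keeps the failure readable and the check itself intact. The scan loop iterates `Object realm` over a `Collection<Realm>` and uses a boxed `Boolean` flag where `boolean` suffices; if the module builds for Java 8 or later the whole loop collapses to `boolean isIniRealmEnabled = realms.stream().anyMatch(r -> r instanceof IniRealm && ((IniRealm) r).getIni().get("users") != null);`. `throw new Exception(...)` is a raw generic exception; `IllegalStateException` names the misconfiguration and still propagates through the constructor's `throws Exception`. Whether `getIni().get("users")` is non-null for an empty `[users]` header cannot be told from this hunk, so the "section present but empty" case is worth a test. The constructor body continues past the end of the hunk.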

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/c19b69d2/zeppelin-server/src/main/java/org/apache/zeppelin/utils/AnyOfRolesUserAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/utils/AnyOfRolesUserAuthorizationFilter.java
b/zeppelin-server/src/main/java/org/apache/zeppelin/utils/AnyOfRolesUserAuthorizationFilter.java
index 778d052..ed63d89 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/utils/AnyOfRolesUserAuthorizationFilter.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/utils/AnyOfRolesUserAuthorizationFilter.java
@@ -50,4 +50,4 @@ public class AnyOfRolesUserAuthorizationFilter extends RolesAuthorizationFilter
     }
     return false;
   }
-}
\ No newline at end of file
+}

