From commits-return-4536-archive-asf-public=cust-asf.ponee.io@zeppelin.apache.org Thu Jun 7 11:59:05 2018
Delivered-To: archive-asf-public@cust-asf.ponee.io
Mailing-List: contact commits-help@zeppelin.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@zeppelin.apache.org
Delivered-To: mailing list commits@zeppelin.apache.org
From: prabhjyotsingh@apache.org
To: commits@zeppelin.apache.org
Message-Id: <69ac4b3950fe4c5db59f902b4cc3c40e@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: zeppelin git commit: [ZEPPELIN-3526] Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive
Date: Thu, 7 Jun 2018 09:59:04 +0000 (UTC)

Repository: zeppelin
Updated Branches:
  refs/heads/master d45d878a1 -> bbf5ef511

[ZEPPELIN-3526] Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive

Problem: When any external authentication (like LDAP/AD) is enabled for Zeppelin, the default password-based authentication could still be configured in addition to that. This makes space for a backdoor in Zeppelin where the user can still get in using the local username/password.

Proposed Solution: Zeppelin shouldn't allow specifying a [users] section in shiro.ini when it is configured to authenticate with LDAP/AD.

[Bug Fix | Feature]

* [x] - Add documentation
* [ZEPPELIN-3526](https://issues.apache.org/jira/browse/ZEPPELIN-3526)

If both the [users] and [main] (for example activeDirectoryRealm) sections are enabled in shiro, the Zeppelin server should not start.
Author: Prabhjyot Singh
Author: Prabhjyot

Closes #3003 from prabhjyotsingh/ZEPPELIN-3526 and squashes the following commits:

edc4323d0 [Prabhjyot] Merge branch 'master' into ZEPPELIN-3526
05c9e14ec [Prabhjyot Singh] add doc
529ab3e0e [Prabhjyot Singh] ZEPPELIN-3526: Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive

Change-Id: I0608cdc64ae7952eeec22bfe939810a6b24f357a

Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/bbf5ef51
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/bbf5ef51
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/bbf5ef51

Branch: refs/heads/master
Commit: bbf5ef511601ee58f4acaf3040a5fbba76d37502
Parents: d45d878
Author: Prabhjyot Singh
Authored: Thu Jun 7 15:20:24 2018 +0530
Committer: Prabhjyot Singh
Committed: Thu Jun 7 15:28:58 2018 +0530

----------------------------------------------------------------------
 docs/setup/security/shiro_authentication.md | 4 ++++
 .../apache/zeppelin/server/ZeppelinServer.java | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/bbf5ef51/docs/setup/security/shiro_authentication.md
----------------------------------------------------------------------
diff --git a/docs/setup/security/shiro_authentication.md b/docs/setup/security/shiro_authentication.md index 49b06c1..e1bf650 100644 --- a/docs/setup/security/shiro_authentication.md +++ b/docs/setup/security/shiro_authentication.md @@ -104,6 +104,9 @@ To learn more about Apache Shiro Realm, please check [this documentation](http:/ We also provide community custom Realms. +**Note**: When using any of the below realms the default + password-based (IniRealm) authentication needs to be disabled. + ### Active Directory ```
@@ -267,6 +270,7 @@ If you want to grant this permission to other users, you can change **roles[ ]** ### Apply multiple roles in Shiro configuration By default, Shiro will allow access to a URL if only user is part of "**all the roles**" defined like this: + ``` [urls] http://git-wip-us.apache.org/repos/asf/zeppelin/blob/bbf5ef51/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java ---------------------------------------------------------------------- diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java index a6b9813..b64636d 100644 --- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java +++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java @@ -16,8 +16,12 @@ */ package org.apache.zeppelin.server; +import java.util.Collection; import org.apache.commons.lang.StringUtils; +import org.apache.shiro.realm.Realm; +import org.apache.shiro.realm.text.IniRealm; import org.apache.shiro.web.env.EnvironmentLoaderListener; +import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.apache.shiro.web.servlet.ShiroFilter; import org.eclipse.jetty.http.HttpVersion; import org.eclipse.jetty.server.HttpConfiguration; 
@@ -98,6 +102,21 @@ public class ZeppelinServer extends Application { public ZeppelinServer() throws Exception { ZeppelinConfiguration conf = ZeppelinConfiguration.create(); + Collection realms = ((DefaultWebSecurityManager) org.apache.shiro.SecurityUtils + .getSecurityManager()).getRealms(); + if (realms.size() > 1) { + Boolean isIniRealmEnabled = false; + for (Object realm : realms) { + if (realm instanceof IniRealm && ((IniRealm) realm).getIni().get("users") != null) { + isIniRealmEnabled = true; + break; + } + } + if (isIniRealmEnabled) { + throw new Exception("IniRealm/password based auth mechanisms should be exclusive. " + + "Consider removing [users] block from shiro.ini"); + } + } InterpreterOutput.limit = conf.getInt(ConfVars.ZEPPELIN_INTERPRETER_OUTPUT_LIMIT);
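Review bot: the docs hunk at @@ -104,6 +104,9 @@ tells the reader that the password-based (IniRealm) authentication "needs to be disabled" but not how, and not that the server will now refuse to start. Suggest saying both in the note, e.g. "remove the [users] section from shiro.ini; Zeppelin will not start if a [users] section is present together with one of the realms below", so that an operator who hits the new startup exception finds the fix in the documentation.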
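Review bot: the blank line inserted before the ``` fence at @@ -267,6 +270,7 @@ (the "Apply multiple roles in Shiro configuration" section) is an unrelated formatting fix; harmless, but it is not mentioned in the commit message, so either note it there or leave it for a separate commit.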
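Review bot: in the import hunk at @@ -16,8 +16,12 @@, org.apache.shiro.realm.Realm is imported but the new constructor code declares a raw `Collection realms` and iterates with `for (Object realm : realms)`, so the import is unused as written (unless something else in the file uses it) and the raw type throws away the Collection<Realm> that DefaultWebSecurityManager.getRealms() already returns. Suggest `Collection<Realm> realms = ...getRealms();` and `for (Realm realm : realms)`, which makes the import load-bearing and removes the raw type.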
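Review bot: the new block in ZeppelinServer() at @@ -98,6 +102,21 @@ casts SecurityUtils.getSecurityManager() to DefaultWebSecurityManager without a guard. If shiro.ini configures a custom `securityManager = ...` class that is not a DefaultWebSecurityManager, startup now fails with a ClassCastException, and if no SecurityManager has been bound to SecurityUtils at the time this constructor runs (for example a deployment without shiro.ini), with an UnavailableSecurityManagerException; neither case produces the intended message. Suggest testing `instanceof RealmSecurityManager` (the class that defines getRealms()) and skipping the check otherwise. Second, the commit message says the server should not start, but the check lives in the JAX-RS Application constructor rather than in main(); please confirm that an Exception thrown here actually terminates the process rather than only failing the REST application while Jetty keeps listening, or move the check to main() right after the Shiro environment is loaded and exit non-zero with the same message. Minor: `Boolean isIniRealmEnabled = false;` can be a primitive boolean, and a specific exception such as IllegalStateException reads better than `new Exception(...)`.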
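A config-review analogue of the startup check in this commit, added here as an example; it is not Zeppelin or Shiro code. It parses a shiro.ini with Python's configparser and flags the ZEPPELIN-3526 condition, local accounts in a [users] section configured alongside an external realm declared in [main], so an operator can lint conf/shiro.ini before upgrading to a build that refuses to start on it. Shiro creates an IniRealm implicitly whenever [users] or [roles] entries exist, which is why the [users] section alone is the thing to look for. The realm-detection heuristic (a bare object name in [main] whose class name ends in Realm, ignoring Shiro's own IniRealm and PropertiesRealm) and the sample ini texts are assumptions of this example, not anything the project defines; an empty [users] header next to an external realm is reported as a warning because this script cannot tell whether Shiro will build a realm from it.

```python
"""Audit a Zeppelin shiro.ini for the ZEPPELIN-3526 condition: local password
accounts in [users] configured alongside an external realm declared in [main].

Added example; not code from the Zeppelin project.
"""
import configparser
import re
from dataclasses import dataclass, field
from typing import List

# Heuristic (an assumption of this script, not a Shiro rule): a [main] entry whose
# key is a bare object name (no '.') and whose value is a class name ending in
# "Realm" declares a realm instance, e.g.
#   activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
# Shiro's own IniRealm/PropertiesRealm are skipped: they are local-password realms.
REALM_CLASS = re.compile(r"^[A-Za-z_][\w.]*Realm\w*$")
LOCAL_REALM_SUFFIXES = ("IniRealm", "PropertiesRealm")


@dataclass
class ShiroAuthReport:
    external_realms: List[str] = field(default_factory=list)  # object names in [main]
    local_users: List[str] = field(default_factory=list)      # account names in [users]
    empty_users_section: bool = False                         # "[users]" header, no entries

    @property
    def mixed(self) -> bool:
        """True when local password accounts coexist with an external realm."""
        return bool(self.external_realms) and bool(self.local_users)


def parse_shiro_ini(text: str) -> configparser.ConfigParser:
    # Shiro ini uses '=' only; keep key case (activeDirectoryRealm.url) and do no
    # '%' interpolation so LDAP filters and URLs pass through untouched.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_shiro_ini(text: str) -> ShiroAuthReport:
    cp = parse_shiro_ini(text)
    report = ShiroAuthReport()
    if cp.has_section("main"):
        for key, value in cp["main"].items():
            cls = value.strip()
            if "." in key or not REALM_CLASS.match(cls):
                continue  # property assignment or not a realm class
            if cls.endswith(LOCAL_REALM_SUFFIXES):
                continue  # explicitly declared local realm, not an external one
            report.external_realms.append(key)
    if cp.has_section("users"):
        report.local_users = list(cp["users"].keys())
        report.empty_users_section = not report.local_users
    return report


def verdict(text: str) -> str:
    """One-line result: REJECT for the backdoor configuration, WARN, or OK."""
    r = audit_shiro_ini(text)
    if r.mixed:
        return ("REJECT: [users] accounts %s coexist with realm(s) %s; remove the "
                "[users] section from shiro.ini" % (r.local_users, r.external_realms))
    if r.empty_users_section and r.external_realms:
        return "WARN: empty [users] section alongside realm(s) %s" % r.external_realms
    return "OK"


# Constructed sample configurations (not taken from any real deployment).
MIXED_INI = """\
[users]
admin = password1, admin
user1 = password2, role1

[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldap://ldap.example.com:389
activeDirectoryRealm.searchBase = CN=Users,DC=example,DC=com
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
/api/version = anon
/** = authc
"""

# The same deployment with the local accounts removed: what the new check accepts.
AD_ONLY_INI = MIXED_INI.split("[main]", 1)[1].join(["[main]", ""])

# Stock password-only setup: a single implicit IniRealm, nothing to reject.
DEFAULT_INI = """\
[users]
admin = password1, admin

[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

[urls]
/** = authc
"""

# Edge case: a leftover [users] header with no accounts next to an external realm.
EMPTY_USERS_INI = """\
[users]

[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
"""


def main() -> None:
    for name, ini in (("mixed", MIXED_INI), ("ad-only", AD_ONLY_INI),
                      ("default", DEFAULT_INI), ("empty", EMPTY_USERS_INI)):
        print("%-8s %s" % (name, verdict(ini)))


if __name__ == "__main__":
    main()
```

To lint a real file, pass `open("conf/shiro.ini").read()` to `verdict()`. The check deliberately does not look at `securityManager.realms`: even when that property lists only the external realm, the safe reading of this commit is that any [users] accounts next to an external realm are a finding, and removing the section is the fix the patch enforces.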