[ZEPPELIN-3526] Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive #3003
Closed
prabhjyotsingh wants to merge 3 commits into apache:master from
Conversation
…ld be mutually exclusive Change-Id: I9e0602c41462997c14a2dbb7378489ffab3ca0b4
Contributor
Author
@Leemoonsoo @felixcheung @zjffdu can you help review this.
Contributor
LGTM. One suggestion: I think it is time for us to refactor the authentication component; we should put it in one component and provide an interface to be used by other components, instead of putting logic in zeppelin server like this PR does.
Contributor
Author
Agreed, we should definitely do something like zeppelin-plugins for authentication components as well in Zeppelin-0.9.
Contributor
@prabhjyotsingh I think it's good to document only one way for authentication. What do you think about it?
prabhjyotsingh commented Jun 5, 2018 on these lines of the added documentation:

### Apply multiple roles in Shiro configuration
By default, Shiro will allow access to a URL if only user is part of "**all the roles**" defined like this:
Contributor
Author
3cf0990 to 05c9e14
Contributor
Author
@mebelousov sure, I've added a doc.
Contributor
Author
Thanks for the review; will merge this if there is no more discussion.
asfgit pushed a commit that referenced this pull request, Jun 7, 2018:

…uld be mutually exclusive

Problem:
When any external authentication (like LDAP/AD) is enabled for Zeppelin, the default password-based authentication could still be configured in addition to that. This makes space for a backdoor in Zeppelin where the user can still get in using the local username/password.

Proposed Solution:
Zeppelin shouldn't allow specifying a [users] section in shiro.ini when it is configured to authenticate with LDAP/AD.

[Bug Fix | Feature ]

* [x] - Add documentation
* [ZEPPELIN-3526](https://issues.apache.org/jira/browse/ZEPPELIN-3526)

If both [users] and [main] (for example an activeDirectoryRealm section) are enabled in shiro, Zeppelin server should not start.

Author: Prabhjyot Singh <[email protected]>
Author: Prabhjyot <[email protected]>

Closes #3003 from prabhjyotsingh/ZEPPELIN-3526 and squashes the following commits:

edc4323 [Prabhjyot] Merge branch 'master' into ZEPPELIN-3526
05c9e14 [Prabhjyot Singh] add doc
529ab3e [Prabhjyot Singh] ZEPPELIN-3526: Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive

Change-Id: I0608cdc64ae7952eeec22bfe939810a6b24f357a
(cherry picked from commit bbf5ef5)
Signed-off-by: Prabhjyot Singh <[email protected]>

# Conflicts:
#	zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
prabhjyotsingh added a commit to prabhjyotsingh/zeppelin that referenced this pull request, Jul 4, 2018 (same commit message as the cherry-pick above).
mckartha pushed a commit to syntechdev/zeppelin that referenced this pull request, Aug 9, 2018 (same commit message as the cherry-pick above).
mckartha pushed a second commit to syntechdev/zeppelin that referenced this pull request, Aug 9, 2018 (same commit message as the cherry-pick above).
What is this PR for?
Problem:
When any external authentication (like LDAP/AD) is enabled for Zeppelin, the default password-based authentication could still be configured in addition to that. This makes space for a backdoor in Zeppelin where the user can still get in using the local username/password.
Proposed Solution:
Zeppelin shouldn't allow specifying a [users] section in shiro.ini when it is configured to authenticate with LDAP/AD.
What type of PR is it?
[Bug Fix | Feature ]
Todos
What is the Jira issue?
How should this be tested?
If both a [users] section and an external realm in [main] (for example activeDirectoryRealm) are enabled in shiro.ini, the Zeppelin server should not start.
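The check the PR describes, written out as an added example in Python rather than Zeppelin's own Java code in ZeppelinServer.java: parse shiro.ini, find realm definitions in [main] whose class delegates to LDAP/AD, and refuse to start when a password-based [users] section is also present. The realm-class heuristic (a class name containing Ldap or ActiveDirectory), the helper names and both sample configurations are assumptions constructed for this example; the second sample is the first with the [users] block removed, which is the fix the PR asks operators to apply.

```python
"""Detect a shiro.ini that enables an LDAP/AD realm while still defining local [users].

Added example, not Zeppelin's own code: the realm-class heuristic, the helper
names and the sample configurations below are constructed for illustration.
"""
import configparser
import re
from typing import List

# A [main] entry defines a realm when its key has no dot and its value is a fully
# qualified class name ("activeDirectoryRealm = org.apache....ActiveDirectoryGroupRealm").
# Assumption for this example: a realm class whose simple name mentions Ldap or
# ActiveDirectory authenticates against an external directory.
CLASS_NAME = re.compile(r"^[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+$")
EXTERNAL_REALM = re.compile(r"Ldap|ActiveDirectory", re.IGNORECASE)


def parse_shiro_ini(text: str) -> configparser.ConfigParser:
    """Parse shiro.ini text; keys keep their case and '$ref' values are left alone."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep realm names such as activeDirectoryRealm as written
    cp.read_string(text)
    return cp


def external_realms(cp: configparser.ConfigParser) -> List[str]:
    """Names of realms declared in [main] that delegate authentication to LDAP/AD."""
    if not cp.has_section("main"):
        return []
    found = []
    for key, value in cp.items("main"):
        value = value.strip()
        if "." in key or not CLASS_NAME.match(value):
            continue  # a property (realm.url = ...) or a $reference, not a realm definition
        if EXTERNAL_REALM.search(value.rsplit(".", 1)[-1]):
            found.append(key)
    return found


def local_users(cp: configparser.ConfigParser) -> List[str]:
    """Usernames defined in the password-based [users] section."""
    return list(cp["users"].keys()) if cp.has_section("users") else []


def check_exclusive_auth(text: str) -> List[str]:
    """Return findings; an empty list means the configuration passes the check."""
    cp = parse_shiro_ini(text)
    users, realms = local_users(cp), external_realms(cp)
    if users and realms:
        return [f"[users] defines local account(s) {users} while [main] enables "
                f"external realm(s) {realms}: remove [users] or the external realm"]
    return []


def startup_guard(text: str) -> None:
    """What a server start-up hook does with the result: refuse to start on a mixed config."""
    findings = check_exclusive_auth(text)
    if findings:
        raise RuntimeError("refusing to start: " + "; ".join(findings))


# Constructed sample: AD realm enabled, but a local admin password is still accepted.
MIXED_SHIRO_INI = """\
[users]
admin = password1, admin

[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = userNameA
activeDirectoryRealm.systemPassword = passwordA
activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
activeDirectoryRealm.url = ldap://ldap.test.com:389
securityManager.realms = $activeDirectoryRealm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
/api/version = anon
/** = authc
"""

# Constructed sample: the corrected file, [users] dropped so only AD can authenticate.
AD_ONLY_SHIRO_INI = MIXED_SHIRO_INI[MIXED_SHIRO_INI.index("[main]"):]

# Constructed sample: password-only deployment, which the check leaves alone.
LOCAL_ONLY_SHIRO_INI = "[users]\nadmin = password1, admin\n\n[main]\nshiro.loginUrl = /api/login\n\n[urls]\n/** = authc\n"


if __name__ == "__main__":
    for name, ini in (("mixed", MIXED_SHIRO_INI), ("ad-only", AD_ONLY_SHIRO_INI),
                      ("local-only", LOCAL_ONLY_SHIRO_INI)):
        try:
            startup_guard(ini)
            print(f"{name}: ok")
        except RuntimeError as exc:
            print(f"{name}: {exc}")
```

Only realm definitions count: property lines such as `activeDirectoryRealm.url = ldap://...` contain "ldap" but are skipped because their key has a dot, so the check does not fire on a file that merely configures an LDAP URL without declaring a realm. An empty [users] section also passes, since it defines no local credential an attacker could use.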