Posted to dev@zeppelin.apache.org by Weipu Zhao <zh...@gmail.com> on 2016/08/20 18:37:13 UTC

ActiveDirectoryGroupRealm.java allows user outside of searchBase to login

Hi guys,

When using org.apache.zeppelin.server.ActiveDirectoryGroupRealm as my shiro
realm on v0.6.0, I have trouble understanding the searchBase config. My
understanding was that shiro should only allow users within that searchBase to
login, but that seems not to be the case. When I trace the code
of ActiveDirectoryGroupRealm.java, the only place searchBase is used is in
method getRoleNamesForUser
<https://github.com/apache/zeppelin/blob/v0.6.0/zeppelin-server/src/main/java/org/apache/zeppelin/server/ActiveDirectoryGroupRealm.java#L162>;
if the user is not inside searchBase, an empty roleNames will be returned
without any exception, so the user will be logged in, I guess?

I'm not sure if this is expected behaviour or not. I also tried v0.6.1
and it seems to have the same behaviour. In general I just want to restrict
login to users in certain ActiveDirectory groups. Is that possible without
rewriting our own Realm?

Thanks,
Weipu

Re: ActiveDirectoryGroupRealm.java allows user outside of searchBase to login

Posted by cs user <ac...@gmail.com>.
Hi All,

We are also hitting this issue with version 0.7.0.

We have tried changing the search base so that a filter is used, and only
certain users who are a member of a group are allowed to login, however
this doesn't have an effect.

We have also tried to use activeDirectoryRealm.groupRolesMap, so that we
force users to map to a zeppelin role, based on an AD group they are in.
However when logging in, the logs show the following:

"roles":"[]"

Has anyone gotten shiro to work with AD and locked down who can log in via
AD groups? At the moment it seems that if you have an account in AD, you
can log in to Zeppelin, and there is no way to stop this.

Thanks!

On Thu, Sep 8, 2016 at 1:41 AM, Polina Marasanova <
Polina.Marasanova@quantium.com.au> wrote:

> Hi everyone,
>
> I'm experiencing exactly same problem with Zeppelin 0.6.0
> It shiro plugin lets everyone in and it cannot be limited by searchbase.
> Here is an example of my config. In fact it lets everyone in from OU=Users.
>
> [main]
> ### A sample for configuring Active Directory Realm
> activeDirectoryRealm = org.apache.zeppelin.server.
> ActiveDirectoryGroupRealm
> activeDirectoryRealm.systemUsername = userNameA
> activeDirectoryRealm.systemPassword = passwordA
> activeDirectoryRealm.searchBase = "CN=Notebook Owner,OU=Software
> Development,OU=Users,DC=companyname,DC=local"
> activeDirectoryRealm.principalSuffix = @companyname.local
> activeDirectoryRealm.url = ldap://ldap-server.local:389
> activeDirectoryRealm.groupRolesMap = "CN=Notebook Owner,OU=Software
> Development,OU=Users,DC=companyname,DC=local":"admin"
> activeDirectoryRealm.authorizationCachingEnabled = false
> securityManager.realms = $activeDirectoryRealm
>
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.globalSessionTimeout = 86400000
> shiro.loginUrl = /api/login
>
> Could you please take care of this issue. We are seriously blocked by it,
> but really want to start using 0.6.0
>
> Cheers
> Thanks
> Polina Marasanova
> ________________________________________
> From: Weipu Zhao [zhaoweipu.tju@gmail.com]
> Sent: Sunday, 21 August 2016 4:37 AM
> To: dev@zeppelin.incubator.apache.org; users@zeppelin.incubator.apache.org
> Subject: ActiveDirectoryGroupRealm.java allows user outside of searchBase
> to login
>
> Hi guys,
>
> When using org.apache.zeppelin.server.ActiveDirectoryGroupRealm as my
> shiro realm on v0.6.0, I have trouble understanding the searchBase config.
> My understanding was shiro should only allow user within that searchBase to
> login, but seems like not the case.  When I trace the code of
> ActiveDirectoryGroupRealm.java, the only place searchBase was used is in
> method getRoleNamesForUser<https://github.com/apache/zeppelin/
> blob/v0.6.0/zeppelin-server/src/main/java/org/apache/zeppelin/server/
> ActiveDirectoryGroupRealm.java#L162> , if the user is not inside
> searchBase, a empty roleNames will be return and without any exception,
> thus the user will be login I guess?
>
> I'm not sure if this is expected behaviour or not. I also tried the v0.6.1
> and seems also have same behaviour. In general I just want to restrict user
> only in certain groups of ActiveDirectory to be able to login. Is that
> possible without rewriting our own Realm?
>
> Thanks,
> Weipu
>
>
>

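The behaviour Weipu traced (a successful AD bind is enough; an empty role set is not treated as a failure) and the restriction cs user is after (only members of the groups in groupRolesMap may log in) can be covered by a realm that fails closed. The class below is an added example written for this thread; it is not code from Zeppelin, Shiro or anyone on the list. It assumes Shiro's AbstractLdapRealm/LdapContextFactory API as used by Zeppelin 0.6.x; the package name, class name and the shiro.ini wiring in the comment are assumptions.

```java
// Hypothetical class, not part of Zeppelin or Shiro; package name is an assumption.
package example.zeppelin.security;

import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.AbstractLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * Fail-closed AD realm: a password that binds to AD is necessary but not
 * sufficient; the user must also belong to at least one group listed in
 * groupRolesMap, otherwise authentication is rejected.
 *
 * Assumed shiro.ini wiring (searchBase is only where the user entry is looked up):
 *   activeDirectoryRealm = example.zeppelin.security.GroupRestrictedAdRealm
 *   activeDirectoryRealm.searchBase = "OU=Users,DC=companyname,DC=local"
 *   activeDirectoryRealm.principalSuffix = @companyname.local
 *   activeDirectoryRealm.groupRolesMap = "CN=Notebook Owner,OU=Software Development,OU=Users,DC=companyname,DC=local":"admin"
 */
public class GroupRestrictedAdRealm extends AbstractLdapRealm {

  // JNDI substitutes {0} with an escaped value, so the typed username
  // cannot change the filter structure (no string concatenation here).
  private static final String USER_FILTER = "(&(objectClass=user)(userPrincipalName={0}))";

  private Map<String, String> groupRolesMap = Collections.emptyMap();

  public void setGroupRolesMap(Map<String, String> groupRolesMap) {
    this.groupRolesMap = groupRolesMap;
  }

  @Override
  protected AuthenticationInfo queryForAuthenticationInfo(
      AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException {
    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    String upn = upToken.getUsername() + principalSuffix; // field inherited from AbstractLdapRealm

    // Step 1: prove the password by binding as the user (a failed bind throws).
    LdapContext userCtx = null;
    try {
      userCtx = ldapContextFactory.getLdapContext(upn, String.valueOf(upToken.getPassword()));
    } finally {
      LdapUtils.closeContext(userCtx);
    }

    // Step 2: a bind alone admits every AD account; require a mapped group.
    Set<String> roles = rolesFor(upn, ldapContextFactory);
    if (roles.isEmpty()) {
      throw new AuthenticationException(upn + " is not in any group listed in groupRolesMap");
    }
    return new SimpleAuthenticationInfo(upToken.getUsername(), upToken.getPassword(), getName());
  }

  @Override
  protected AuthorizationInfo queryForAuthorizationInfo(
      PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException {
    String username = (String) getAvailablePrincipal(principals);
    return new SimpleAuthorizationInfo(rolesFor(username + principalSuffix, ldapContextFactory));
  }

  /** Finds the user under searchBase with the system account and maps its memberOf DNs to roles. */
  private Set<String> rolesFor(String upn, LdapContextFactory ldapContextFactory) throws NamingException {
    Set<String> roles = new HashSet<String>();
    LdapContext ctx = null;
    try {
      ctx = ldapContextFactory.getSystemLdapContext();
      SearchControls controls = new SearchControls();
      controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
      controls.setReturningAttributes(new String[] {"memberOf"});
      NamingEnumeration<SearchResult> results =
          ctx.search(searchBase, USER_FILTER, new Object[] {upn}, controls);
      while (results.hasMore()) {
        Attribute memberOf = results.next().getAttributes().get("memberOf");
        if (memberOf == null) continue; // user in no group at all
        NamingEnumeration<?> groups = memberOf.getAll();
        while (groups.hasMore()) {
          // memberOf lists direct memberships only; nested groups need a further query.
          String role = groupRolesMap.get(String.valueOf(groups.next()));
          if (role != null) roles.add(role);
        }
      }
    } finally {
      LdapUtils.closeContext(ctx);
    }
    return roles;
  }
}
```

The important design choice is that the group check happens in queryForAuthenticationInfo, not only in the authorization path: Shiro treats an AuthenticationInfo return as a successful login regardless of roles, so a realm that merely returns an empty role set (the `"roles":"[]"` cs user sees in the logs) still lets the account in. Keeping authorizationCachingEnabled = false, as in Polina's config, ensures group removals take effect on the next request.
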
Re: ActiveDirectoryGroupRealm.java allows user outside of searchBase to login

Posted by Jongyoul Lee <jo...@gmail.com>.
Hi,

Concerning the last error messages, this happens when you change the auth setting
while users have websockets open in their web browsers. If you encounter another
situation, it would help if you share how to reproduce it.

Regards,
Jongyoul

On Thu, Sep 8, 2016 at 11:07 AM, Polina Marasanova <
Polina.Marasanova@quantium.com.au> wrote:

> Related to this issue:
>
> One more thing. In Zeppelin logs there are many messages like this
>
> 16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE << PING
> 16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE PRINCIPAL <<
> 16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE TICKET <<
> 16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE ROLES <<
> 16/09/08 02:03:46 ERROR NotebookServer: Can't handle message
> java.lang.Exception: Invalid ticket  != f2810e7a-de64-4e41-b615-
> f31cd5bf7d68
>         at org.apache.zeppelin.socket.NotebookServer.onMessage(
> NotebookServer.java:117)
>         at org.apache.zeppelin.socket.NotebookSocket.onWebSocketText(
> NotebookSocket.java:56)
>         at org.eclipse.jetty.websocket.common.events.
> JettyListenerEventDriver.onTextMessage(JettyListenerEventDriver.java:128)
>         at org.eclipse.jetty.websocket.common.message.SimpleTextMessage.
> messageComplete(SimpleTextMessage.java:69)
>         at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.
> appendMessage(AbstractEventDriver.java:65)
>         at org.eclipse.jetty.websocket.common.events.
> JettyListenerEventDriver.onTextFrame(JettyListenerEventDriver.java:122)
>         at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.
> incomingFrame(AbstractEventDriver.java:161)
>         at org.eclipse.jetty.websocket.common.WebSocketSession.
> incomingFrame(WebSocketSession.java:309)
>         at org.eclipse.jetty.websocket.common.extensions.
> ExtensionStack.incomingFrame(ExtensionStack.java:214)
>         at org.eclipse.jetty.websocket.common.Parser.notifyFrame(
> Parser.java:220)
>         at org.eclipse.jetty.websocket.common.Parser.parse(Parser.
> java:258)
>         at org.eclipse.jetty.websocket.common.io.
> AbstractWebSocketConnection.readParse(AbstractWebSocketConnection.
> java:632)
>         at org.eclipse.jetty.websocket.common.io.
> AbstractWebSocketConnection.onFillable(AbstractWebSocketConnection.
> java:480)
>         at org.eclipse.jetty.io.AbstractConnection$2.run(
> AbstractConnection.java:544)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(
> QueuedThreadPool.java:635)
>
> Looks like it's related to auth process.
> ________________________________________
> From: Polina Marasanova [Polina.Marasanova@quantium.com.au]
> Sent: Thursday, 8 September 2016 10:41 AM
> To: users@zeppelin.apache.org; dev@zeppelin.incubator.apache.org;
> users@zeppelin.incubator.apache.org
> Subject: RE: ActiveDirectoryGroupRealm.java allows user outside of
> searchBase to login
>
> Hi everyone,
>
> I'm experiencing exactly same problem with Zeppelin 0.6.0
> It shiro plugin lets everyone in and it cannot be limited by searchbase.
> Here is an example of my config. In fact it lets everyone in from OU=Users.
>
> [main]
> ### A sample for configuring Active Directory Realm
> activeDirectoryRealm = org.apache.zeppelin.server.
> ActiveDirectoryGroupRealm
> activeDirectoryRealm.systemUsername = userNameA
> activeDirectoryRealm.systemPassword = passwordA
> activeDirectoryRealm.searchBase = "CN=Notebook Owner,OU=Software
> Development,OU=Users,DC=companyname,DC=local"
> activeDirectoryRealm.principalSuffix = @companyname.local
> activeDirectoryRealm.url = ldap://ldap-server.local:389
> activeDirectoryRealm.groupRolesMap = "CN=Notebook Owner,OU=Software
> Development,OU=Users,DC=companyname,DC=local":"admin"
> activeDirectoryRealm.authorizationCachingEnabled = false
> securityManager.realms = $activeDirectoryRealm
>
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.globalSessionTimeout = 86400000
> shiro.loginUrl = /api/login
>
> Could you please take care of this issue. We are seriously blocked by it,
> but really want to start using 0.6.0
>
> Cheers
> Thanks
> Polina Marasanova
> ________________________________________
> From: Weipu Zhao [zhaoweipu.tju@gmail.com]
> Sent: Sunday, 21 August 2016 4:37 AM
> To: dev@zeppelin.incubator.apache.org; users@zeppelin.incubator.apache.org
> Subject: ActiveDirectoryGroupRealm.java allows user outside of searchBase
> to login
>
> Hi guys,
>
> When using org.apache.zeppelin.server.ActiveDirectoryGroupRealm as my
> shiro realm on v0.6.0, I have trouble understanding the searchBase config.
> My understanding was shiro should only allow user within that searchBase to
> login, but seems like not the case.  When I trace the code of
> ActiveDirectoryGroupRealm.java, the only place searchBase was used is in
> method getRoleNamesForUser<https://github.com/apache/zeppelin/
> blob/v0.6.0/zeppelin-server/src/main/java/org/apache/zeppelin/server/
> ActiveDirectoryGroupRealm.java#L162> , if the user is not inside
> searchBase, a empty roleNames will be return and without any exception,
> thus the user will be login I guess?
>
> I'm not sure if this is expected behaviour or not. I also tried the v0.6.1
> and seems also have same behaviour. In general I just want to restrict user
> only in certain groups of ActiveDirectory to be able to login. Is that
> possible without rewriting our own Realm?
>
> Thanks,
> Weipu
>
>
>


-- 
이종열, Jongyoul Lee, 李宗烈
http://madeng.net

RE: ActiveDirectoryGroupRealm.java allows user outside of searchBase to login

Posted by Polina Marasanova <Po...@quantium.com.au>.
Related to this issue:

One more thing. In the Zeppelin logs there are many messages like this:

16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE << PING
16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE PRINCIPAL << 
16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE TICKET << 
16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE ROLES << 
16/09/08 02:03:46 ERROR NotebookServer: Can't handle message
java.lang.Exception: Invalid ticket  != f2810e7a-de64-4e41-b615-f31cd5bf7d68
        at org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:117)
        at org.apache.zeppelin.socket.NotebookSocket.onWebSocketText(NotebookSocket.java:56)
        at org.eclipse.jetty.websocket.common.events.JettyListenerEventDriver.onTextMessage(JettyListenerEventDriver.java:128)
        at org.eclipse.jetty.websocket.common.message.SimpleTextMessage.messageComplete(SimpleTextMessage.java:69)
        at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.appendMessage(AbstractEventDriver.java:65)
        at org.eclipse.jetty.websocket.common.events.JettyListenerEventDriver.onTextFrame(JettyListenerEventDriver.java:122)
        at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.incomingFrame(AbstractEventDriver.java:161)
        at org.eclipse.jetty.websocket.common.WebSocketSession.incomingFrame(WebSocketSession.java:309)
        at org.eclipse.jetty.websocket.common.extensions.ExtensionStack.incomingFrame(ExtensionStack.java:214)
        at org.eclipse.jetty.websocket.common.Parser.notifyFrame(Parser.java:220)
        at org.eclipse.jetty.websocket.common.Parser.parse(Parser.java:258)
        at org.eclipse.jetty.websocket.common.io.AbstractWebSocketConnection.readParse(AbstractWebSocketConnection.java:632)
        at org.eclipse.jetty.websocket.common.io.AbstractWebSocketConnection.onFillable(AbstractWebSocketConnection.java:480)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)

Looks like it's related to the auth process.
________________________________________
From: Polina Marasanova [Polina.Marasanova@quantium.com.au]
Sent: Thursday, 8 September 2016 10:41 AM
To: users@zeppelin.apache.org; dev@zeppelin.incubator.apache.org; users@zeppelin.incubator.apache.org
Subject: RE: ActiveDirectoryGroupRealm.java allows user outside of searchBase to login

Hi everyone,

I'm experiencing exactly same problem with Zeppelin 0.6.0
It shiro plugin lets everyone in and it cannot be limited by searchbase.
Here is an example of my config. In fact it lets everyone in from OU=Users.

[main]
### A sample for configuring Active Directory Realm
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = userNameA
activeDirectoryRealm.systemPassword = passwordA
activeDirectoryRealm.searchBase = "CN=Notebook Owner,OU=Software Development,OU=Users,DC=companyname,DC=local"
activeDirectoryRealm.principalSuffix = @companyname.local
activeDirectoryRealm.url = ldap://ldap-server.local:389
activeDirectoryRealm.groupRolesMap = "CN=Notebook Owner,OU=Software Development,OU=Users,DC=companyname,DC=local":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
securityManager.realms = $activeDirectoryRealm


sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

Could you please take care of this issue. We are seriously blocked by it, but really want to start using 0.6.0

Cheers
Thanks
Polina Marasanova
________________________________________
From: Weipu Zhao [zhaoweipu.tju@gmail.com]
Sent: Sunday, 21 August 2016 4:37 AM
To: dev@zeppelin.incubator.apache.org; users@zeppelin.incubator.apache.org
Subject: ActiveDirectoryGroupRealm.java allows user outside of searchBase to login

Hi guys,

When using org.apache.zeppelin.server.ActiveDirectoryGroupRealm as my shiro realm on v0.6.0, I have trouble understanding the searchBase config. My understanding was shiro should only allow user within that searchBase to login, but seems like not the case.  When I trace the code of ActiveDirectoryGroupRealm.java, the only place searchBase was used is in method getRoleNamesForUser<https://github.com/apache/zeppelin/blob/v0.6.0/zeppelin-server/src/main/java/org/apache/zeppelin/server/ActiveDirectoryGroupRealm.java#L162> , if the user is not inside searchBase, a empty roleNames will be return and without any exception, thus the user will be login I guess?

I'm not sure if this is expected behaviour or not. I also tried the v0.6.1 and seems also have same behaviour. In general I just want to restrict user only in certain groups of ActiveDirectory to be able to login. Is that possible without rewriting our own Realm?

Thanks,
Weipu



RE: ActiveDirectoryGroupRealm.java allows user outside of searchBase to login

Posted by Polina Marasanova <Po...@quantium.com.au>.
Hi everyone,

I'm experiencing exactly the same problem with Zeppelin 0.6.0.
Its shiro plugin lets everyone in and it cannot be limited by searchBase.
Here is an example of my config. In fact it lets everyone in from OU=Users.

[main]
### A sample for configuring Active Directory Realm
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = userNameA
activeDirectoryRealm.systemPassword = passwordA
activeDirectoryRealm.searchBase = "CN=Notebook Owner,OU=Software Development,OU=Users,DC=companyname,DC=local"
activeDirectoryRealm.principalSuffix = @companyname.local
activeDirectoryRealm.url = ldap://ldap-server.local:389
activeDirectoryRealm.groupRolesMap = "CN=Notebook Owner,OU=Software Development,OU=Users,DC=companyname,DC=local":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
securityManager.realms = $activeDirectoryRealm


sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

Could you please take care of this issue. We are seriously blocked by it, but really want to start using 0.6.0

Cheers
Thanks
Polina Marasanova
________________________________________
From: Weipu Zhao [zhaoweipu.tju@gmail.com]
Sent: Sunday, 21 August 2016 4:37 AM
To: dev@zeppelin.incubator.apache.org; users@zeppelin.incubator.apache.org
Subject: ActiveDirectoryGroupRealm.java allows user outside of searchBase to login

Hi guys,

When using org.apache.zeppelin.server.ActiveDirectoryGroupRealm as my shiro realm on v0.6.0, I have trouble understanding the searchBase config. My understanding was shiro should only allow user within that searchBase to login, but seems like not the case.  When I trace the code of ActiveDirectoryGroupRealm.java, the only place searchBase was used is in method getRoleNamesForUser<https://github.com/apache/zeppelin/blob/v0.6.0/zeppelin-server/src/main/java/org/apache/zeppelin/server/ActiveDirectoryGroupRealm.java#L162> , if the user is not inside searchBase, a empty roleNames will be return and without any exception, thus the user will be login I guess?

I'm not sure if this is expected behaviour or not. I also tried the v0.6.1 and seems also have same behaviour. In general I just want to restrict user only in certain groups of ActiveDirectory to be able to login. Is that possible without rewriting our own Realm?

Thanks,
Weipu
