Posted to dev@zeppelin.apache.org by "Tony (Jira)" <ji...@apache.org> on 2019/09/20 19:04:00 UTC

[jira] [Created] (ZEPPELIN-4341) When using multiple realms queryForAuthorizationInfo fails

Tony created ZEPPELIN-4341:
------------------------------

             Summary: When using multiple realms queryForAuthorizationInfo fails
                 Key: ZEPPELIN-4341
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-4341
             Project: Zeppelin
          Issue Type: Bug
    Affects Versions: 0.8.1
            Reporter: Tony


I have 2 LDAP realms defined

securityManager.realms = $ldapRealmOne, $ldapRealmTwo

 

Users belong to one of these realms and using org.apache.shiro.authc.pam.FirstSuccessfulStrategy allows one to fail silently for authentication.

 

But when using rolesByGroup on these realms SecurityUtils#getRoles does not catch the exception that is thrown by the realm that the user does not belong to.

SecurityUtils#getRoles is only catching NamingException but an IllegalArgumentException is thrown.

 

Caused by: java.lang.IllegalArgumentException: Illegal principal name: joeuser
    at org.apache.zeppelin.realm.LdapRealm.getUserDn(LdapRealm.java:955)
    at org.apache.zeppelin.realm.LdapRealm.getUserDnForSearch(LdapRealm.java:456)
    at org.apache.zeppelin.realm.LdapRealm.rolesFor(LdapRealm.java:353)
    at org.apache.zeppelin.realm.LdapRealm.getRoles(LdapRealm.java:330)
    at org.apache.zeppelin.realm.LdapRealm.queryForAuthorizationInfo(LdapRealm.java:295)
    at org.apache.shiro.realm.ldap.DefaultLdapRealm.doGetAuthorizationInfo(DefaultLdapRealm.java:313)
    at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341)
    at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:573)

 

Thus, if a user is in the second realm defined in shiro.ini, the code never tries to fetch their roles.

Shiro's doMultiRealmAuthentication method catches everything and logs the error instead of short-circuiting the realm loop.

Is this fixed in 9.x?  Am I doing something wrong?

Thanks!

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
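
The failure mode described in the report, as an added example that is not part of the original message and is not Zeppelin's or Shiro's code: RoleSource, realm and collectRoles are hypothetical names, and the two realms are constructed sample data. It contrasts a role lookup that tolerates only NamingException with one that isolates failures per realm and grants nothing from a realm that failed.

```java
import java.util.*;
import javax.naming.NamingException;

public class MultiRealmRoles {
    // Hypothetical stand-in for one realm's role lookup; not Shiro's or Zeppelin's API.
    interface RoleSource {
        Set<String> rolesFor(String principal) throws NamingException;
    }

    // Constructed realm: rejects principals it does not know, as in the trace above.
    static RoleSource realm(Map<String, Set<String>> users) {
        return principal -> {
            Set<String> roles = users.get(principal);
            if (roles == null) {
                throw new IllegalArgumentException("Illegal principal name: " + principal);
            }
            return roles;
        };
    }

    // isolate=false models the narrow catch from the report: only NamingException is
    // tolerated. isolate=true skips any failing realm, which then grants no roles.
    static Set<String> collectRoles(List<RoleSource> realms, String principal, boolean isolate) {
        Set<String> roles = new TreeSet<>();
        for (int i = 0; i < realms.size(); i++) {
            try {
                roles.addAll(realms.get(i).rolesFor(principal));
            } catch (NamingException e) {
                System.err.println("realm #" + i + " LDAP error, skipped: " + e);
            } catch (RuntimeException e) {
                if (!isolate) throw e; // unchecked error aborts the whole realm loop
                System.err.println("realm #" + i + " skipped: " + e);
            }
        }
        return roles; // stays empty if every realm failed, so nothing is granted
    }

    public static void main(String[] args) {
        List<RoleSource> realms = List.of(                 // constructed sample data
            realm(Map.of("alice", Set.of("admin"))),       // plays $ldapRealmOne
            realm(Map.of("joeuser", Set.of("analyst"))));  // plays $ldapRealmTwo
        System.out.println("isolated: " + collectRoles(realms, "joeuser", true));
        try {
            collectRoles(realms, "joeuser", false);
        } catch (IllegalArgumentException e) {
            System.out.println("narrow catch aborted: " + e.getMessage());
        }
    }
}
```

Logging each skipped realm keeps a real directory outage visible in the logs, since a user whose realm is down ends up with fewer roles rather than an error.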