You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@zeppelin.apache.org by pr...@apache.org on 2018/06/07 09:59:04 UTC

zeppelin git commit: [ZEPPELIN-3526] Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive

Repository: zeppelin
Updated Branches:
  refs/heads/master d45d878a1 -> bbf5ef511


[ZEPPELIN-3526] Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive

Problem:
When any external authentication (like LDAP/AD) is enabled for Zeppelin, the default password-based authentication could still be configured in addition to that. This makes space for backdoor in Zeppelin where the user can still get in using the local username/password.

Proposed Solution:
Zeppelin shouldn't allow specifying [users] section in shiro.ini when it is configured to authenticate with LDAP/AD.

[Bug Fix | Feature ]

* [x] - Add documentation

* [ZEPPELIN-3526](https://issues.apache.org/jira/browse/ZEPPELIN-3526)

If both [users] and [main] for example activeDirectoryRealm section enabled in shiro, Zeppelin server should not start.

Author: Prabhjyot Singh <pr...@gmail.com>
Author: Prabhjyot <pr...@gmail.com>

Closes #3003 from prabhjyotsingh/ZEPPELIN-3526 and squashes the following commits:

edc4323d0 [Prabhjyot] Merge branch 'master' into ZEPPELIN-3526
05c9e14ec [Prabhjyot Singh] add doc
529ab3e0e [Prabhjyot Singh] ZEPPELIN-3526: Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive

Change-Id: I0608cdc64ae7952eeec22bfe939810a6b24f357a


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/bbf5ef51
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/bbf5ef51
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/bbf5ef51

Branch: refs/heads/master
Commit: bbf5ef511601ee58f4acaf3040a5fbba76d37502
Parents: d45d878
Author: Prabhjyot Singh <pr...@gmail.com>
Authored: Thu Jun 7 15:20:24 2018 +0530
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Thu Jun 7 15:28:58 2018 +0530

----------------------------------------------------------------------
 docs/setup/security/shiro_authentication.md      |  4 ++++
 .../apache/zeppelin/server/ZeppelinServer.java   | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/bbf5ef51/docs/setup/security/shiro_authentication.md
----------------------------------------------------------------------
diff --git a/docs/setup/security/shiro_authentication.md b/docs/setup/security/shiro_authentication.md
index 49b06c1..e1bf650 100644
--- a/docs/setup/security/shiro_authentication.md
+++ b/docs/setup/security/shiro_authentication.md
@@ -104,6 +104,9 @@ To learn more about Apache Shiro Realm, please check [this documentation](http:/
 
 We also provide community custom Realms.
 
+**Note**: When using any of the below realms the default 
+      password-based (IniRealm) authentication needs to be disabled.
+
 ### Active Directory
 
 ```
@@ -267,6 +270,7 @@ If you want to grant this permission to other users, you can change **roles[ ]**
 
 ### Apply multiple roles in Shiro configuration
 By default, Shiro will allow access to a URL if only user is part of "**all the roles**" defined like this:
+
 ```
 [urls]
 

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/bbf5ef51/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
index a6b9813..b64636d 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
@@ -16,8 +16,12 @@
  */
 package org.apache.zeppelin.server;
 
+import java.util.Collection;
 import org.apache.commons.lang.StringUtils;
+import org.apache.shiro.realm.Realm;
+import org.apache.shiro.realm.text.IniRealm;
 import org.apache.shiro.web.env.EnvironmentLoaderListener;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
 import org.apache.shiro.web.servlet.ShiroFilter;
 import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.server.HttpConfiguration;
@@ -98,6 +102,21 @@ public class ZeppelinServer extends Application {
 
   public ZeppelinServer() throws Exception {
     ZeppelinConfiguration conf = ZeppelinConfiguration.create();
+    Collection<Realm> realms = ((DefaultWebSecurityManager) org.apache.shiro.SecurityUtils
+        .getSecurityManager()).getRealms();
+    if (realms.size() > 1) {
+      Boolean isIniRealmEnabled = false;
+      for (Object realm : realms) {
+        if (realm instanceof IniRealm && ((IniRealm) realm).getIni().get("users") != null) {
+          isIniRealmEnabled = true;
+          break;
+        }
+      }
+      if (isIniRealmEnabled) {
+        throw new Exception("IniRealm/password based auth mechanisms should be exclusive. "
+            + "Consider removing [users] block from shiro.ini");
+      }
+    }
 
     InterpreterOutput.limit = conf.getInt(ConfVars.ZEPPELIN_INTERPRETER_OUTPUT_LIMIT);