Posted to commits@zeppelin.apache.org by pr...@apache.org on 2018/06/07 09:59:04 UTC
zeppelin git commit: [ZEPPELIN-3526] Zeppelin auth mechanisms (LDAP
or password based) should be mutually exclusive
Repository: zeppelin
Updated Branches:
refs/heads/master d45d878a1 -> bbf5ef511
[ZEPPELIN-3526] Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive
Problem:
When any external authentication (like LDAP/AD) is enabled for Zeppelin, the default password-based authentication could still be configured in addition to that. This makes space for backdoor in Zeppelin where the user can still get in using the local username/password.
Proposed Solution:
Zeppelin shouldn't allow specifying [users] section in shiro.ini when it is configured to authenticate with LDAP/AD.
[Bug Fix | Feature ]
* [x] - Add documentation
* [ZEPPELIN-3526](https://issues.apache.org/jira/browse/ZEPPELIN-3526)
If both a [users] section and a [main] realm such as activeDirectoryRealm are enabled in Shiro, the Zeppelin server should not start.
Author: Prabhjyot Singh <pr...@gmail.com>
Author: Prabhjyot <pr...@gmail.com>
Closes #3003 from prabhjyotsingh/ZEPPELIN-3526 and squashes the following commits:
edc4323d0 [Prabhjyot] Merge branch 'master' into ZEPPELIN-3526
05c9e14ec [Prabhjyot Singh] add doc
529ab3e0e [Prabhjyot Singh] ZEPPELIN-3526: Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive
Change-Id: I0608cdc64ae7952eeec22bfe939810a6b24f357a
Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/bbf5ef51
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/bbf5ef51
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/bbf5ef51
Branch: refs/heads/master
Commit: bbf5ef511601ee58f4acaf3040a5fbba76d37502
Parents: d45d878
Author: Prabhjyot Singh <pr...@gmail.com>
Authored: Thu Jun 7 15:20:24 2018 +0530
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Thu Jun 7 15:28:58 2018 +0530
----------------------------------------------------------------------
docs/setup/security/shiro_authentication.md | 4 ++++
.../apache/zeppelin/server/ZeppelinServer.java | 19 +++++++++++++++++++
2 files changed, 23 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/bbf5ef51/docs/setup/security/shiro_authentication.md
----------------------------------------------------------------------
diff --git a/docs/setup/security/shiro_authentication.md b/docs/setup/security/shiro_authentication.md
index 49b06c1..e1bf650 100644
--- a/docs/setup/security/shiro_authentication.md
+++ b/docs/setup/security/shiro_authentication.md
@@ -104,6 +104,9 @@ To learn more about Apache Shiro Realm, please check [this documentation](http:/
We also provide community custom Realms.
+**Note**: When using any of the below realms the default
+ password-based (IniRealm) authentication needs to be disabled.
+
### Active Directory
```
@@ -267,6 +270,7 @@ If you want to grant this permission to other users, you can change **roles[ ]**
### Apply multiple roles in Shiro configuration
By default, Shiro will allow access to a URL if only user is part of "**all the roles**" defined like this:
+
```
[urls]
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/bbf5ef51/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
index a6b9813..b64636d 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
@@ -16,8 +16,12 @@
*/
package org.apache.zeppelin.server;
+import java.util.Collection;
import org.apache.commons.lang.StringUtils;
+import org.apache.shiro.realm.Realm;
+import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.ShiroFilter;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
@@ -98,6 +102,21 @@ public class ZeppelinServer extends Application {
public ZeppelinServer() throws Exception {
ZeppelinConfiguration conf = ZeppelinConfiguration.create();
+ Collection<Realm> realms = ((DefaultWebSecurityManager) org.apache.shiro.SecurityUtils
+ .getSecurityManager()).getRealms();
+ if (realms.size() > 1) {
+ Boolean isIniRealmEnabled = false;
+ for (Object realm : realms) {
+ if (realm instanceof IniRealm && ((IniRealm) realm).getIni().get("users") != null) {
+ isIniRealmEnabled = true;
+ break;
+ }
+ }
+ if (isIniRealmEnabled) {
+ throw new Exception("IniRealm/password based auth mechanisms should be exclusive. "
+ + "Consider removing [users] block from shiro.ini");
+ }
+ }
InterpreterOutput.limit = conf.getInt(ConfVars.ZEPPELIN_INTERPRETER_OUTPUT_LIMIT);