You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@zeppelin.apache.org by janusd <gi...@git.apache.org> on 2017/09/01 12:58:39 UTC

[GitHub] zeppelin pull request #2559: [ZEPPELIN-2894] Show users in notebook permissi...

GitHub user janusd opened a pull request:

    https://github.com/apache/zeppelin/pull/2559

    [ZEPPELIN-2894] Show users in notebook permission using Shiro JDBC

    ### What is this PR for?
    Show user list/suggestions in the notebook permission form when using Shiro and JDBC Realm.
    
    ### What type of PR is it?
    Bug Fix
    
    ### What is the Jira issue?
    [ZEPPELIN-2894](https://issues.apache.org/jira/browse/ZEPPELIN-2894)
    
    ### How should this be tested?
    - Shiro with JDBC Realm (e.g. PostgreSQL JDBC Driver)
    - Login to any account
    - Open Notebook permission form
    - Try to get any user suggestion in the dropdown menu by typing an existing name  
    
    ### Screenshots 
    **After:**
    ![userlist_working](https://user-images.githubusercontent.com/1479098/29970688-ccb2fb8c-8f25-11e7-903c-4a917830bc5c.gif)
    
    **Before:**
    ![userlist_error](https://user-images.githubusercontent.com/1479098/29970676-c13936f4-8f25-11e7-9494-6c0aeb1f383a.gif)
    
    ### Questions:
    * Does the licenses files need update? 
    No.
    * Is there breaking changes for older versions? 
    No.
    * Does this needs documentation?
    No.


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/janusd/zeppelin master

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/2559.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2559
    
----
commit ab84a5ca85f71fb5b6466b4ddd88859f3ee2ead3
Author: janusd <js...@gmail.com>
Date:   2017-09-01T12:51:48Z

    [ZEPPELIN-2894] Show user list in notebook permission using Shiro JDBC Realm

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2559: [ZEPPELIN-2894] Show users in notebook permission usin...

Posted by janusd <gi...@git.apache.org>.

Github user janusd commented on the issue:

    https://github.com/apache/zeppelin/pull/2559
  
    Thanks @1ambda for your reply. Please see the linked JIRA Issue: https://issues.apache.org/jira/browse/ZEPPELIN-2894 where I describe the problem with that pull request you mentioned.


---

[GitHub] zeppelin pull request #2559: [ZEPPELIN-2894] Show users in notebook permissi...

Posted by asfgit <gi...@git.apache.org>.

Github user asfgit closed the pull request at:

    https://github.com/apache/zeppelin/pull/2559


---

[GitHub] zeppelin issue #2559: [ZEPPELIN-2894] Show users in notebook permission usin...

Posted by 1ambda <gi...@git.apache.org>.

Github user 1ambda commented on the issue:

    https://github.com/apache/zeppelin/pull/2559
  
    Hi, @janusd 
    
    Could you check https://github.com/apache/zeppelin/pull/2487/files? which was merged to prevents SQL injection. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2559: [ZEPPELIN-2894] Show users in notebook permission usin...

Posted by 1ambda <gi...@git.apache.org>.

Github user 1ambda commented on the issue:

    https://github.com/apache/zeppelin/pull/2559
  
    Read the description and LGTM. 
    
    > ZEPPELIN-2769 introduced a mechanism to prevent SQL injection, but unfortunately table names can not be parameterised in PreparedStatements. Also the column variable "username" might be interpreted as a quoted string and the final list would contain x times "username" instead of the real names (see Figure).
    > Other solutions preventing SQL injections mostly rely on other libraries (e.g. escaping) or assumptions (e.g. widely database access). 
    I would consider to revert the changes. The SQL statement for getting the user list should not be a security threat as the query parameters will be parsed server-sided from the authenticationQuery, no user input will be provided at all.


---

[GitHub] zeppelin issue #2559: [ZEPPELIN-2894] Show users in notebook permission usin...

Posted by 1ambda <gi...@git.apache.org>.

Github user 1ambda commented on the issue:

    https://github.com/apache/zeppelin/pull/2559
  
    CI is green, merge if no more discussion.
    
    - https://travis-ci.org/janusd/zeppelin/builds/270815865


---