Repository: zeppelin Updated Branches: refs/heads/branch-0.6 afc128320 -> f342bdd40
[ZEPPELIN-530] Added changes for Credential Provider, using hadoop commons Credential apis ### What is this PR for? This is the first step in order to ensure clear text passwords are not stored in the configuration files. To start with this PR will take care of getting AD system password from the .jceks file, configured by the user specified in the shiro.ini file. Going forward the same keystore can be used to read passwords for other systems as well. If the hadoopSecurityCredentialPath path is present and not empty in the shiro.ini, then the password is read from the keystore file and it need not be stored inside the shiro.ini file. ### What type of PR is it? [ Improvement] ### What is the Jira issue? https://issues.apache.org/jira/browse/ZEPPELIN-530 ### How should this be tested? Create a keystore file using the hadoop credential commandline, for this the hadoop commons should be in the classpath `hadoop credential create activeDirectoryRealm.systempassword -provider jceks://file/user/zeppelin/conf/zeppelin.jceks` Change the following values in the Shiro.ini file, and uncomment the line: `activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks` ### Questions: * Does the licenses files need update? No * Is there breaking changes for older versions? No. This is an additional option. * Does this needs documentation? Yes ### Tasks * Documentation Author: Rohit Choudhary <[email protected]> Closes #1315 from rconline/ZEPPELIN-530 and squashes the following commits: 2156675 [Rohit Choudhary] use latest instead of 0.7.0-SNAPSHOT 40bb290 [Rohit Choudhary] remove extra line 24c6852 [Rohit Choudhary] add documentation cfecf74 [Rohit Choudhary] [ZEPPELIN-530] Added changes for Credential Provider, using hadoop commons and credential api's. (cherry picked from commit 5ac3faeba4877feefd79d72b15aa49d56afc0aa0) Signed-off-by: Prabhjyot Singh <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/f342bdd4 Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/f342bdd4 Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/f342bdd4 Branch: refs/heads/branch-0.6 Commit: f342bdd401dc98323d9ec0d7fcf7e5a59092b3a1 Parents: afc1283 Author: Rohit Choudhary <[email protected]> Authored: Tue Aug 23 14:14:33 2016 +0530 Committer: Prabhjyot Singh <[email protected]> Committed: Thu Aug 25 14:50:36 2016 +0530 ---------------------------------------------------------------------- conf/shiro.ini | 3 ++ docs/security/shiroauthentication.md | 30 ++++++++++- zeppelin-server/pom.xml | 56 ++++++++++++++++++++ .../server/ActiveDirectoryGroupRealm.java | 37 ++++++++++++- 4 files changed, 123 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/zeppelin/blob/f342bdd4/conf/shiro.ini ---------------------------------------------------------------------- diff --git a/conf/shiro.ini b/conf/shiro.ini index e774624..66190c0 100644 --- a/conf/shiro.ini +++ b/conf/shiro.ini @@ -28,7 +28,10 @@ user3 = password4, role2 ### A sample for configuring Active Directory Realm #activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm #activeDirectoryRealm.systemUsername = userNameA + +#use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html #activeDirectoryRealm.systemPassword = passwordA +#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks #activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM #activeDirectoryRealm.url = ldap://ldap.test.com:389 #activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr" http://git-wip-us.apache.org/repos/asf/zeppelin/blob/f342bdd4/docs/security/shiroauthentication.md ---------------------------------------------------------------------- diff --git a/docs/security/shiroauthentication.md b/docs/security/shiroauthentication.md index f698a0a..a7ddadd 100644 --- a/docs/security/shiroauthentication.md +++ b/docs/security/shiroauthentication.md @@ -108,10 +108,36 @@ To learn more about Apache Shiro Realm, please check [this documentation](http:/ We also provide community custom Realms. ### Active Directory -TBD + +``` +activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm +activeDirectoryRealm.systemUsername = userNameA +activeDirectoryRealm.systemPassword = passwordA +activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks +activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM +activeDirectoryRealm.url = ldap://ldap.test.com:389 +activeDirectoryRealm.groupRolesMap = "CN=aGroupName,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"group1" +activeDirectoryRealm.authorizationCachingEnabled = false +``` + + +Also instead of specifying systemPassword in clear text in shiro.ini administrator can choose to specify the same in "hadoop credential". +Create a keystore file using the hadoop credential commandline, for this the hadoop commons should be in the classpath +`hadoop credential create activeDirectoryRealm.systempassword -provider jceks://file/user/zeppelin/conf/zeppelin.jceks` + +Change the following values in the Shiro.ini file, and uncomment the line: +`activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks` ### LDAP -TBD + +``` +ldapRealm = org.apache.zeppelin.server.LdapGroupRealm +# search base for ldap groups (only relevant for LdapGroupRealm): +ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM +ldapRealm.contextFactory.url = ldap://ldap.test.com:389 +ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM +ldapRealm.contextFactory.authenticationMechanism = SIMPLE +``` ### ZeppelinHub [ZeppelinHub](https://www.zeppelinhub.com) is a service that synchronize your Apache Zeppelin notebooks and enables you to collaborate easily. http://git-wip-us.apache.org/repos/asf/zeppelin/blob/f342bdd4/zeppelin-server/pom.xml ---------------------------------------------------------------------- diff --git a/zeppelin-server/pom.xml b/zeppelin-server/pom.xml index e6406b0..81d9ed6 100644 --- a/zeppelin-server/pom.xml +++ b/zeppelin-server/pom.xml @@ -35,6 +35,7 @@ <properties> <cxf.version>2.7.7</cxf.version> <commons.httpclient.version>4.3.6</commons.httpclient.version> + <hadoop-common.version>2.6.0</hadoop-common.version> </properties> <dependencyManagement> @@ -206,6 +207,61 @@ </dependency> <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-common</artifactId> + <version>${hadoop-common.version}</version> + <exclusions> + <exclusion> + <groupId>com.sun.jersey</groupId> + <artifactId>jersey-core</artifactId> + </exclusion> + <exclusion> + <groupId>com.sun.jersey</groupId> + <artifactId>jersey-json</artifactId> + </exclusion> + <exclusion> + <groupId>com.sun.jersey</groupId> + <artifactId>jersey-server</artifactId> + </exclusion> + + + <exclusion> + <groupId>javax.servlet</groupId> + <artifactId>servlet-api</artifactId> + </exclusion> + <exclusion> + <groupId>org.apache.avro</groupId> + <artifactId>avro</artifactId> + </exclusion> + <exclusion> + <groupId>org.apache.jackrabbit</groupId> + <artifactId>jackrabbit-webdav</artifactId> + </exclusion> + <exclusion> + <groupId>io.netty</groupId> + <artifactId>netty</artifactId> + </exclusion> + <exclusion> + <groupId>commons-httpclient</groupId> + <artifactId>commons-httpclient</artifactId> + </exclusion> + <exclusion> + <groupId>org.apache.zookeeper</groupId> + <artifactId>zookeeper</artifactId> + </exclusion> + <exclusion> + <groupId>org.eclipse.jgit</groupId> + <artifactId>org.eclipse.jgit</artifactId> + </exclusion> + <exclusion> + <groupId>com.jcraft</groupId> + <artifactId>jsch</artifactId> + </exclusion> + + </exclusions> + </dependency> + + <dependency> <groupId>org.quartz-scheduler</groupId> <artifactId>quartz</artifactId> <version>2.2.1</version> http://git-wip-us.apache.org/repos/asf/zeppelin/blob/f342bdd4/zeppelin-server/src/main/java/org/apache/zeppelin/server/ActiveDirectoryGroupRealm.java ---------------------------------------------------------------------- diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ActiveDirectoryGroupRealm.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ActiveDirectoryGroupRealm.java index cc868d7..556f404 100644 --- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ActiveDirectoryGroupRealm.java +++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ActiveDirectoryGroupRealm.java @@ -16,6 +16,10 @@ */ package org.apache.zeppelin.server; +import org.apache.commons.lang.StringUtils; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.security.alias.CredentialProvider; +import org.apache.hadoop.security.alias.CredentialProviderFactory; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; @@ -55,6 +59,13 @@ public class ActiveDirectoryGroupRealm extends AbstractLdapRealm { private static final String ROLE_NAMES_DELIMETER = ","; + String KEYSTORE_PASS = "activeDirectoryRealm.systemPassword"; + private String hadoopSecurityCredentialPath; + + public void setHadoopSecurityCredentialPath(String hadoopSecurityCredentialPath) { + this.hadoopSecurityCredentialPath = hadoopSecurityCredentialPath; + } + /*-------------------------------------------- | I N S T A N C E V A R I A B L E S | ============================================*/ @@ -91,13 +102,36 @@ public class ActiveDirectoryGroupRealm extends AbstractLdapRealm { defaultFactory.setSearchBase(this.searchBase); defaultFactory.setUrl(this.url); defaultFactory.setSystemUsername(this.systemUsername); - defaultFactory.setSystemPassword(this.systemPassword); + defaultFactory.setSystemPassword(getSystemPassword()); this.ldapContextFactory = defaultFactory; } return this.ldapContextFactory; } + private String getSystemPassword() { + String password = ""; + if (StringUtils.isEmpty(this.hadoopSecurityCredentialPath)) { + password = this.systemPassword; + } else { + try { + Configuration configuration = new Configuration(); + configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, + this.hadoopSecurityCredentialPath); + CredentialProvider provider = + CredentialProviderFactory.getProviders(configuration).get(0); + CredentialProvider.CredentialEntry credEntry = provider.getCredentialEntry( + KEYSTORE_PASS); + if (credEntry != null) { + password = new String(credEntry.getCredential()); + } + } catch (Exception e) { + + } + } + return password; + } + /** * Builds an {@link AuthenticationInfo} object by querying the active directory LDAP context for * the specified username. This method binds to the LDAP server using the provided username @@ -293,3 +327,4 @@ public class ActiveDirectoryGroupRealm extends AbstractLdapRealm { } } +
