Hi,
I am new to using Shiro - so, I may be wrong in the analysis below.
If so, any feedback to sort errors in the assessment below would be MUCH
appreciated.
Alternatively - if the analysis below is roughly correct, then I am
proposing the changes specified in the "Proposal" section below be
considered.
*Background*
Currently, we are using Apache Shiro to Authenticate and Authorize users for
a Zeppelin installation.
Apache Shiro is configured to talk to Windows Active Directory (i.e. LDAP)
using
org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm class to
configure an Active Directory Realm in the shiro.realms file.
For a User called "John.Smith" we can delete a notebook in Zeppelin.
However, if we try to delete the SAME notebook for a user called
"john.smith"
we receive the following alert/message:
"Insifficient priviledges to rename note. But the user john.smith belongs
to: [john.smith]".
It **appears** that the Shiro (i.e. Shiro is used by Zeppelin for
authentication and authorization) handling of usernames is case-sensitive.
This is an issue for our user base.
When I looked at the username case-sensitivity handling in the LdapRealm
file,
org.apache.zeppelin.realm.LdapRealm,
there is a boolean field userLowerCase which is used by the rolesFor method
to set the username to lower case if the userLowerCase flag is true. i.e.

    protected Set<String> rolesFor(PrincipalCollection principals, String userNameIn,
        final LdapContext ldapCtx, final LdapContextFactory ldapContextFactory, Session session)
        throws NamingException {
      final Set<String> roleNames = new HashSet<>();
      final Set<String> groupNames = new HashSet<>();
      final String userName;
      if (getUserLowerCase()) {
        log.debug("userLowerCase true");
        userName = userNameIn.toLowerCase();
      } else {
        userName = userNameIn;
      }

i.e. Username case sensitivity handling IS facilitated in
org.apache.zeppelin.realm.LdapRealm class,
BUT doesn't seem to be facilitated in the
org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
class.
This **appears** to be inconsistent, and BOTH
org.apache.zeppelin.realm.LdapRealm and
org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm are, in the end
- dealing with LDAP installations.
*Proposal:*
Add a field userCase to the
org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm class.
The "userCase" field could support the following values:
- default. (i.e. No case changes will be made to the username)
- lowerCase (i.e. The username will be converted to lower case.)
- upperCase (i.e. The username will be converted to upper case.)
- properCase (i.e. The username will be converted to proper case.)
Suggestions on alternate ways to handle this issue would also be much
appreciated!
Thanks
CHEERS - Glen Chick
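
Added example (not part of the original post, and not Shiro or Zeppelin code): a sketch of the username normalization the proposal describes, applied to both the login name and the stored note owner before they are compared. The UserCase enum, its apply method, the sample names and the definition of "proper case" are assumptions made for illustration.

```java
import java.util.Locale;

// Hypothetical helper for the proposed "userCase" setting; not Shiro or Zeppelin code.
public class UserCaseDemo {

    enum UserCase {
        DEFAULT, LOWER_CASE, UPPER_CASE, PROPER_CASE;

        // Locale.ROOT keeps the mapping stable whatever the JVM default locale is
        // (under a Turkish locale, "I".toLowerCase() does not yield "i").
        String apply(String userName) {
            if (userName == null) {
                return null;
            }
            switch (this) {
                case LOWER_CASE:
                    return userName.toLowerCase(Locale.ROOT);
                case UPPER_CASE:
                    return userName.toUpperCase(Locale.ROOT);
                case PROPER_CASE:
                    return properCase(userName);
                default:
                    return userName; // DEFAULT: no case change
            }
        }

        // Assumption: "proper case" upper-cases the first character and any character
        // that follows '.', '-', '_' or a space, and lower-cases everything else.
        private static String properCase(String s) {
            StringBuilder out = new StringBuilder(s.length());
            boolean startOfPart = true;
            for (char c : s.toLowerCase(Locale.ROOT).toCharArray()) {
                out.append(startOfPart ? Character.toUpperCase(c) : c);
                startOfPart = (c == '.' || c == '-' || c == '_' || c == ' ');
            }
            return out.toString();
        }
    }

    public static void main(String[] args) {
        String noteOwner = "John.Smith";                      // constructed sample owner
        String[] logins = {"John.Smith", "john.smith", "JOHN.SMITH"}; // constructed logins
        for (UserCase mode : UserCase.values()) {
            for (String login : logins) {
                // Normalize both sides the same way before the ownership comparison.
                boolean match = mode.apply(login).equals(mode.apply(noteOwner));
                System.out.printf("%-11s %-10s -> %-10s owner match: %b%n",
                        mode, login, mode.apply(login), match);
            }
        }
    }
}
```

With DEFAULT only the exact-case login matches the owner; with any of the other three modes all three logins resolve to the same principal, provided the same mode is applied wherever the username is stored or compared.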