GitHub user herval opened a pull request: https://github.com/apache/zeppelin/pull/2498
[ZEPPELIN-2796] Fetching LDAP roles

### What is this PR for?

This actually fetches the user's LDAP roles, when using the LdapRealm, so they're accessible on Zeppelin (via the `SecurityUtils`).

As I debugged through it, I found some weird replacement code, so I wrote some tests around the `LdapRealm` and fixed what I believe was wrong there. E.g.: `expandTemplate` would expand, for instance, `uid={0}` into `uid={0}yourusername`.

In order to make the actual LDAP calls for roles, I exposed the `queryForAuthorizationInfo` method and used it on `SecurityUtils`.

### What type of PR is it?

Bug Fix / Improvement

### What is the Jira issue?

https://issues.apache.org/jira/browse/ZEPPELIN-2796

### How should this be tested?

I tested this in our LDAP environment. My shiro.ini looked more or less like this:

```
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://ldap.foo
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.userDnTemplate = uid={0},cn=users,dc=ods,dc=foo
ldapRealm.searchBase = dc=ods,dc=foo,dc=corp
ldapRealm.userSearchBase = cn=users,dc=ods,dc=foo
ldapRealm.groupSearchBase = cn=groups,dc=ods,dc=foo
ldapRealm.authorizationEnabled = true
ldapRealm.groupObjectClass = posixGroup
ldapRealm.memberAttribute = memberUid
ldapRealm.userObjectClass = posixAccount
ldapRealm.memberOfAttribute = memberOf
# key name corrected (was mistyped as ldapReal.)
ldapRealm.groupSearchFilter = '(memberUid={0})'
securityManager.realms = $ldapRealm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[urls]
/api/version = anon
/api/metrics = anon
/api/interpreter/repository/** = authc
/api/configurations/** = authc
/api/credential/** = authc
/api/notebook-repositories = authc
# /** = anon
/** = authc
```

You can tell the role fetching worked by inspecting the web call to `/ticker`, which will now return the full roles list.

### Screenshots (if appropriate)

### Questions:

* Do the license files need updating?
* Are there breaking changes for older versions?
* Does this need documentation?

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/herval/zeppelin ldap-roles

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/2498.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #2498

----
commit ed1b0f850236de9fedc34fbeacc074212d6e6840
Author: Herval Freire <hfre...@twitter.com>
Date:   2017-07-19T18:23:43Z

    expose roles from ldap + fix substitution code

commit 4d3ed58fb32cf66d984767e65ac71b69471e1920
Author: Herval Freire <hfre...@twitter.com>
Date:   2017-07-20T17:05:38Z

    expose roles from ldap + fix substitution code
----
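The `expandTemplate` behaviour the PR describes, as an added example that is not Zeppelin's or the PR's code: the `{0}` placeholder in a `userDnTemplate` or `groupSearchFilter` from the shiro.ini above must be replaced by the username (`uid=alice`), not have it appended (`uid={0}alice`). It goes one step beyond the PR by escaping the substituted value for the context it lands in (RFC 4514 for a DN, RFC 4515 for a filter); the class and method names are hypothetical.

```java
public class LdapTemplateExample {

    // Escape a value placed inside an LDAP search filter (RFC 4515), so the
    // username is always read as one literal value, never as filter syntax.
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Escape a value used as an attribute value inside a DN (RFC 4514):
    // special characters anywhere, plus leading ' '/'#' and trailing ' '.
    static String escapeDnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            boolean edge = (i == 0 && (c == ' ' || c == '#'))
                    || (i == v.length() - 1 && c == ' ');
            if (edge || "\\,+\"<>;=".indexOf(c) >= 0) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    // Replace every "{0}" placeholder with the (already escaped) value.
    // This is the fixed behaviour: the placeholder itself never survives.
    static String expandTemplate(String template, String value) {
        return template.replace("{0}", value);
    }

    public static void main(String[] args) {
        String dnTemplate = "uid={0},cn=users,dc=ods,dc=foo"; // userDnTemplate from shiro.ini
        String filterTemplate = "(memberUid={0})";             // groupSearchFilter from shiro.ini
        String user = "alice";                                 // constructed sample username
        System.out.println(expandTemplate(dnTemplate, escapeDnValue(user)));
        System.out.println(expandTemplate(filterTemplate, escapeFilterValue(user)));
        // A username containing filter metacharacters stays a single literal value.
        System.out.println(expandTemplate(filterTemplate, escapeFilterValue("a*b)(c")));
    }
}
```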