[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-09-18 Thread ajaygk95
Github user ajaygk95 commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
> @SarunasG @1ambda @khalidhuseynov @andreaTP Hello, is there any doc of
> details for me to add libs in 0.7.3 and by changing the shiro.ini config file
> to support open id?

Hello @xixikaikai ,
I am using zeppelin 0.8.0 and with the below changes I am able to integrate 
it with keycloak.

Dependencies to be added in zeppelin-0.8.0 lib folder:
buji-pac4j-3.0.0.jar
lang-tag-1.4.3.jar
json-smart-1.3.1.jar
commons-lang3-3.5.jar
commons-collections4-4.1.jar
pac4j-core-2.3.1.jar
oauth2-oidc-sdk-5.24.2.jar
mail-1.4.7.jar
shiro-crypto-hash-1.4.0.jar
shiro-crypto-core-1.4.0.jar
shiro-crypto-cipher-1.4.0.jar
shiro-core-1.4.0.jar
shiro-config-ogdl-1.4.0.jar
shiro-config-core-1.4.0.jar
shiro-cache-1.4.0.jar
pac4j-oidc-2.3.1.jar
slf4j-api-1.7.25.jar
shiro-web-1.4.0.jar
shiro-lang-1.4.0.jar
shiro-event-1.4.0.jar


I have added the shiro.ini conf and dependency in the attachment.
[dep.txt](https://github.com/apache/zeppelin/files/2391716/dep.txt)
 



---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-09-08 Thread ajaygk95
Github user ajaygk95 commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
Hello,
Has anyone tried with zeppelin with keycloak ?


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-19 Thread xixikaikai
Github user xixikaikai commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
@SarunasG  @1ambda  @khalidhuseynov  @andreaTP Hello, is there any doc of 
details for me to add libs in 0.7.3 and by changing the shiro.ini config file 
to support open id?


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-19 Thread xixikaikai
Github user xixikaikai commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  

![image](https://user-images.githubusercontent.com/10403433/41584171-293fca40-73d9-11e8-8cfe-9ed2498f7078.png)



---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-19 Thread xixikaikai
Github user xixikaikai commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
```
Zeppelin is restarting
ZEPPELIN_CLASSPATH: ::/Users/zhengkai/Downloads/zeppelin-0.7.3-bin-all/lib/interpreter/*:/Users/zhengkai/Downloads/zeppelin-0.7.3-bin-all/lib/*:/Users/zhengkai/Downloads/zeppelin-0.7.3-bin-all/*::/Users/zhengkai/Downloads/zeppelin-0.7.3-bin-all/conf
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512m; support was removed in 8.0
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/beanutils/BeanIntrospector
    at org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:64)
    at org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:68)
    at org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
    at org.apache.zeppelin.utils.SecurityUtils.initSecurityManager(SecurityUtils.java:55)
    at org.apache.zeppelin.server.ZeppelinServer.setupRestApiContextHandler(ZeppelinServer.java:324)
    at org.apache.zeppelin.server.ZeppelinServer.main(ZeppelinServer.java:179)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.beanutils.BeanIntrospector
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    ... 6 more
```


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-19 Thread xixikaikai
Github user xixikaikai commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
Again I've added more jars to zeppelin-0.7.3, but the error occurs once more


![image](https://user-images.githubusercontent.com/10403433/41584090-f3321d0e-73d8-11e8-87b1-1a2e0e4b7d33.png)



---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-19 Thread xixikaikai
Github user xixikaikai commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  

![image](https://user-images.githubusercontent.com/10403433/41582143-59948d4e-73d3-11e8-9a92-b853704b1575.png)



---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-19 Thread xixikaikai
Github user xixikaikai commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
Hello, I've put the following libs into my 0.7.3 zeppelin lib folder,
but the errors occur. Can I ask you for help?


![image](https://user-images.githubusercontent.com/10403433/41582089-326284d8-73d3-11e8-92fc-6865af8c89b4.png)
@andreaTP 


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-19 Thread xixikaikai
Github user xixikaikai commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
```
$ cat  logs/zeppelin-zhengkai-zhengkais-MacBook-Pro.local.out 
ZEPPELIN_CLASSPATH: ::/Users/zhengkai/Downloads/zeppelin-0.7.3-bin-all/lib/interpreter/*:/Users/zhengkai/Downloads/zeppelin-0.7.3-bin-all/lib/*:/Users/zhengkai/Downloads/zeppelin-0.7.3-bin-all/*::/Users/zhengkai/Downloads/zeppelin-0.7.3-bin-all/conf
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512m; support was removed in 8.0
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/beanutils/BeanIntrospector
    at org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:64)
    at org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:68)
    at org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
    at org.apache.zeppelin.utils.SecurityUtils.initSecurityManager(SecurityUtils.java:55)
    at org.apache.zeppelin.server.ZeppelinServer.setupRestApiContextHandler(ZeppelinServer.java:324)
    at org.apache.zeppelin.server.ZeppelinServer.main(ZeppelinServer.java:179)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.beanutils.BeanIntrospector
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    ... 6 more
```


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-19 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
@xixikaikai sure, we are using keycloak in production


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-18 Thread xixikaikai
Github user xixikaikai commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
BTW  can I use local keycloak for oidc connect to zeppelin?
I now set up a local env of keycloak @andreaTP 


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-18 Thread xixikaikai
Github user xixikaikai commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
@andreaTP  thanks, I am now trying keycloak with the oidc 


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-14 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
actually a more detailed description is available here: 
https://github.com/apache/zeppelin/pull/2552/files


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-14 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
I think the link is broken.
here: https://github.com/apache/zeppelin/pull/2373/files


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-14 Thread felixcheung
Github user felixcheung commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
@xixikaikai 
https://github.com/apache/zeppelin/pull/2373#issuecomment-323267967


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-13 Thread xixikaikai
Github user xixikaikai commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
Is there any document or example to tell us how to use SSO function in 
zeppelin?


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2018-06-13 Thread xixikaikai
Github user xixikaikai commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
@1ambda Do you have a sample code to test this function?


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-08-18 Thread felixcheung
Github user felixcheung commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
Hi! Please redirect your questions to dev@zeppelin.apache.org or open a 
JIRA if there is a bug?



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-08-16 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
Hi @SarunasG , actually I'm facing the very same situation here ...
I haven't had enough time to dig deeper, but it looks like the `logout` 
action is not triggering the REST call to do a logout from the Oidc authority.
Eventually we will try to find a solution but please keep me copied if you 
can go further in your investigation too.


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-08-15 Thread SarunasG
Github user SarunasG commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
Hi All,

Have one more question related to OIDC enablement on Zeppelin. I am now 
able to successfully authenticate my user and log into Zeppelin app by Shiro, OIDC 
and Keycloak, but unfortunately I am not able to log out. It loops when I click 
on Logout button, keeping my user logged in with the initial token id, and 
does not direct me to Keycloak for another login attempt. 
The scenario is:

1) I hit default Zeppelin URL and then I am transferred to Keycloak for 
user credentials.
2) I authenticate by user name and password so am logged into Zeppelin.
3) I click on "Logout" button within Zeppelin app once I am there, then 
"Logout success" dialog box appears, and I am redirected to main Zeppelin 
screen:
`baseUrlSrv.getRestApiBase() + '/login/logout'` followed by 
`window.location = baseUrlSrv.getBase()` from **navbar.controller.js**
4) Once I am redirected to main page, default url is triggered and my user 
is logged in again without any prompt for credentials because of stored token.

I also added a few lines into shiro.ini file just to try, which I thought 
might help, but it looks like it has no effect.
```
[main]

logout.redirectUrl=http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout

[urls]
/api/login/logout = logout
```
Currently I am trying to solve this logout issue (to get actually logged 
out & directed to Keycloak for authentication with e.g. another user 
credentials...) and find a solution, but maybe someone already did that? 
Any tips on how to log out from Zeppelin with or without code modifications 
would be very welcome!


---
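
Added example (not part of the original post, and not Zeppelin, Shiro or pac4j code): the loop described in the post above and in andreaTP's reply arises when only the local session ends while the provider's SSO session survives. This Python sketch builds the provider-side logout redirect and a `prompt=none` probe that tells whether the provider session is really gone. Parameter names follow OpenID Connect RP-Initiated Logout 1.0 and OIDC Core; that a given Keycloak version accepts exactly these parameters is an assumption, the URLs are modeled on the configs in this thread, and all function names are hypothetical.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed provider metadata, shaped like the Keycloak realm "demo" in the thread.
DISCOVERY = {
    "authorization_endpoint":
        "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
    "end_session_endpoint":
        "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
}
CLIENT_ID = "zeppelin"                               # from the posted shiro.ini
CALLBACK_URL = "http://localhost:8082/api/callback"  # from the posted shiro.ini
APP_URL = "http://localhost:8082"                    # from the posted shiro.ini


def _with_query(endpoint, params):
    """Append URL-encoded params, respecting a query string already present."""
    sep = "&" if urlsplit(endpoint).query else "?"
    return endpoint + sep + urlencode(params)


def logout_url(discovery, id_token, return_to, allowed_return_to):
    """URL the browser must visit so the provider ends its own SSO session.

    Clearing the local session alone is not enough: the next protected request
    is redirected to the provider, which still has a session and logs the same
    user straight back in.
    """
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("provider metadata has no end_session_endpoint")
    if return_to not in allowed_return_to:
        # Exact-match allow-list so the logout link cannot become an open redirect.
        raise ValueError("post-logout redirect is not allow-listed")
    state = secrets.token_urlsafe(16)
    url = _with_query(endpoint, {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": return_to,
        "state": state,
    })
    return url, state


def silent_check_url(discovery, client_id, callback_url):
    """Authorization request with prompt=none: it only succeeds without user
    interaction when a provider session still exists."""
    state = secrets.token_urlsafe(16)
    url = _with_query(discovery["authorization_endpoint"], {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": callback_url,
        "prompt": "none",
        "state": state,
    })
    return url, state


def classify_callback(callback, expected_state):
    """Interpret the provider's redirect back from the prompt=none probe."""
    params = parse_qs(urlsplit(callback).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "code" in params:
        return "sso-session-still-alive"
    error = params.get("error", ["unknown"])[0]
    if error in ("login_required", "interaction_required"):
        return "logged-out-at-provider"
    return "error:" + error


if __name__ == "__main__":
    # "constructed.id.token" is a placeholder, not a real ID token.
    url, _ = logout_url(DISCOVERY, "constructed.id.token", APP_URL, {APP_URL})
    print(url)
```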


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-08-08 Thread SarunasG
Github user SarunasG commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
Hi @andreaTP 

Having this line `/** = oidcSecurityFilter` in  [urls] section fixed 
everything, now it works totally fine! Thank You very much for such a quick 
response and all the help to get it working!!


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-08-08 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
Hi @SarunasG , yes, I'm using Zeppelin with Keycloak. From what I can see, the 
only missing bit in your configuration is:
```
/** = oidcSecurityFilter
```


---
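
Added example (not part of the original thread, and not Zeppelin, Shiro or buji-pac4j code): a small Python check for the `[urls]` mistakes discussed in this thread, covering both the `/** = authc` configs posted by SarunasG and khalidhuseynov and the variant with the catch-all commented out. The sample INI is constructed from keys shown on this page with a placeholder secret; the finding codes and the names `parse_shiro_ini` and `lint` are hypothetical.

```python
import re

SECURITY_FILTER = "io.buji.pac4j.filter.SecurityFilter"
CALLBACK_FILTER = "io.buji.pac4j.filter.CallbackFilter"
PAC4J_REALM = "io.buji.pac4j.realm.Pac4jRealm"


def parse_shiro_ini(text):
    """Return ([main] as dict, [urls] as ordered list of (pattern, [filters]))."""
    main, urls, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment (a commented-out rule is no rule)
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if section == "main":
            main[key] = value
        elif section == "urls":
            # Drop per-filter config such as roles[admin] before splitting the chain.
            chain = re.sub(r"\[[^\]]*\]", "", value)
            urls.append((key, [f.strip() for f in chain.split(",") if f.strip()]))
    return main, urls


def lint(text):
    """Return a sorted list of finding codes for a pac4j-backed shiro.ini."""
    main, urls = parse_shiro_ini(text)

    def names_of(cls):
        return {k for k, v in main.items() if v == cls}

    sec_filters, cb_filters = names_of(SECURITY_FILTER), names_of(CALLBACK_FILTER)
    realms = {r.strip().lstrip("$")
              for r in main.get("securityManager.realms", "").split(",") if r.strip()}
    only_pac4j = bool(realms) and realms <= names_of(PAC4J_REALM)
    used = {f for _, chain in urls for f in chain}
    findings = set()

    # authc leads to the form login, whose UsernamePasswordToken a Pac4jRealm
    # rejects (the UnsupportedTokenException quoted in this thread).
    if only_pac4j and "authc" in used:
        findings.add("AUTHC_WITH_PAC4J_ONLY_REALM")
    # The OIDC filter is defined in [main] but no URL pattern ever invokes it.
    if sec_filters and not (sec_filters & used):
        findings.add("SECURITY_FILTER_NEVER_MAPPED")
    # No catch-all rule (or an anonymous one): pages load without authentication.
    patterns = [p for p, _ in urls]
    catch_all = patterns.index("/**") if "/**" in patterns else None
    if catch_all is None or urls[catch_all][1] == ["anon"]:
        findings.add("CATCH_ALL_UNPROTECTED")
    # Shiro uses the first matching pattern, so the callback rule must come
    # before /** or the provider's redirect never reaches the callback filter.
    cb_index = next((i for i, (_, c) in enumerate(urls) if cb_filters & set(c)), None)
    if cb_filters and (cb_index is None or
                       (catch_all is not None and cb_index > catch_all)):
        findings.add("CALLBACK_NOT_REACHABLE")
    return sorted(findings)


# Constructed sample, trimmed from the configs posted in this thread.
MAIN = """[main]
oidcConfig = org.pac4j.oidc.config.OidcConfiguration
oidcConfig.clientId = zeppelin
oidcConfig.secret = PLACEHOLDER-NOT-A-REAL-SECRET
oidcClient = org.pac4j.oidc.client.OidcClient
oidcClient.configuration = $oidcConfig
clients = org.pac4j.core.client.Clients
clients.callbackUrl = http://localhost:8082/api/callback
clients.clients = $oidcClient
config = org.pac4j.core.config.Config
config.clients = $clients
pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
securityManager.realms = $pac4jRealm
oidcSecurityFilter = io.buji.pac4j.filter.SecurityFilter
oidcSecurityFilter.config = $config
oidcSecurityFilter.clients = oidcClient
callbackFilter = io.buji.pac4j.filter.CallbackFilter
callbackFilter.config = $config
"""
URLS_AUTHC = "[urls]\n/api/callback = callbackFilter\n/** = authc\n"
URLS_COMMENTED = "[urls]\n/api/callback = callbackFilter\n#/** = authc\n"
URLS_FIXED = "[urls]\n/api/callback = callbackFilter\n/** = oidcSecurityFilter\n"
URLS_SHADOWED = "[urls]\n/** = oidcSecurityFilter\n/api/callback = callbackFilter\n"

if __name__ == "__main__":
    for name in ("URLS_AUTHC", "URLS_COMMENTED", "URLS_FIXED", "URLS_SHADOWED"):
        print(name, lint(MAIN + globals()[name]) or "ok")
```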


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-08-07 Thread SarunasG
Github user SarunasG commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
Hi @andreaTP, All,

Could anyone please help me to understand this pull request better ?
If I integrate all the changes as per this pull request and amend the 
shiro.ini file with OIDC (pac4j) Keycloak configuration settings, I do not get 
it working due to a couple of reasons:

1) If I keep `/** = authc` in [urls] uncommented I get Zeppelin's login 
prompt to enter username and password - so I am not redirected to Keycloak... 
In addition if I enter username and password which is registered in Keycloak I 
get an exception:
```
org.apache.shiro.authc.pam.UnsupportedTokenException: Realm 
[io.buji.pac4j.realm.Pac4jRealm@5e7a3fcc] does not support authentication token 
[org.apache.shiro.authc.UsernamePasswordToken - sarunas, rememberMe=false].  
Please ensure that the appropriate Realm implementation is configured correctly 
or that the realm accepts AuthenticationTokens of this type.
```

2) If I comment `/** = authc` in [urls] section out, nothing happens as 
Zeppelin's main screen is loaded without any authentication nor transferring to 
Keycloak... and it is supposed as to be-no auth required.

My shiro.ini example:

```
[main]
securityManager.realms = $pac4jRealm
oidcConfig = org.pac4j.oidc.config.OidcConfiguration
oidcConfig.discoveryURI = http://localhost:8080/auth/realms/demo/.well-known/openid-configuration
oidcConfig.clientId = zeppelin
oidcConfig.secret = 1baabe32-50bc-49c4-9ac3-a303a9f953c5
oidcConfig.clientAuthenticationMethodAsString = client_secret_basic
oidcClient = org.pac4j.oidc.client.OidcClient
oidcClient.configuration = $oidcConfig
clients = org.pac4j.core.client.Clients
clients.callbackUrl = http://localhost:8082/api/callback
clients.clients = $oidcClient
#requireRoleAdmin = org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer
#requireRoleAdmin.elements = zeppelin_group
config = org.pac4j.core.config.Config
config.clients = $clients
config.authorizers = admin:$requireRoleAdmin
pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory
securityManager.subjectFactory = $pac4jSubjectFactory
oidcSecurityFilter = io.buji.pac4j.filter.SecurityFilter
oidcSecurityFilter.config = $config
oidcSecurityFilter.clients = oidcClient
callbackFilter = io.buji.pac4j.filter.CallbackFilter
callbackFilter.defaultUrl = http://localhost:8082
callbackFilter.config = $config
[urls]
/api/callback = callbackFilter
#/** = anon
/** = authc
```

So:
 - Has anyone managed to get Zeppelin integrated with e.g. Keycloak by 
means of shiro + pac4j oidc ?
 - Can anyone share example of their shiro.ini file if so ?
 - Is my understanding then correct that changes from this pull request are 
not enough for getting Zeppelin->pac4j-oidc->Keycloak mix working, we need some 
code adjustments in zeppelin-web project? 


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-07-05 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
I think this issue is addressed 
https://github.com/apache/zeppelin/pull/2463 I'm not sure if having a switch 
for prod and dev is good BTW 


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-07-04 Thread 1ambda
Github user 1ambda commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
@andreaTP After this PR, an error is thrown like in dev mode. To reproduce,

- `cd zeppelin-web`
- `npm install` (only once)
- `npm run dev`

Could you check it?


![image](https://user-images.githubusercontent.com/4968473/27845151-3129fb02-6167-11e7-93e2-a22f245f5c76.png)



---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-28 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
thanks a lot!


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-27 Thread felixcheung
Github user felixcheung commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
thanks
merging if no more comment


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-27 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
ok, now also CI is happy  :-)


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-26 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
@Leemoonsoo @felixcheung @1ambda 
I have had to rebase on master again after a week of no updates.
Please tell me what to do on this to get it merged or why this is not 
going to be merged.

Thanks a lot in advance!


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-23 Thread necosta
Github user necosta commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
LGTM


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-19 Thread necosta
Github user necosta commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
@andreaTP , sorry, I forgot to add. You need to test on top of latest 
master. nokia:keycloak is 45 commits behind apache:master . That could explain 
why it's not failing here. Thanks.


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-19 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
@necosta checked again but it works for me and on CI ... I have had this 
problem once; try to fetch and pull and see if this solves it


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-19 Thread necosta
Github user necosta commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
@andreaTP , a bit strange why Jenkins succeeds, running "mvn clean package 
-DskipTests" fails with the below errors introduced in this pull request. Can 
you have a look? Thanks.

```
.../zeppelin-web/src/app/app.js
[INFO]   166:1   error  More than 1 blank line not allowed  no-multiple-empty-lines
[INFO]   180:3   error  Unexpected var, use let or const instead  no-var
[INFO]   180:27  error  Extra space before value for key 'headers'  key-spacing
[INFO]   181:5   error  Strings must use singlequote  quotes
[INFO]   181:25  error  Strings must use singlequote  quotes
[INFO]   182:5   error  Expected indentation of 2 spaces but found 4  indent
[INFO]   189:50  error  Strings must use singlequote  quotes
[INFO]   190:18  error  Strings must use singlequote  quotes
[INFO]   196:5   error  Unexpected var, use let or const instead  no-var
[INFO]   197:30  error  Expected '===' and instead saw '=='   eqeqeq
[INFO]   197:49  error  Expected '!==' and instead saw '!='   eqeqeq
[INFO]   198:7   error  Expected space or tab after '//' in comment  spaced-comment
```



---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-14 Thread volumeint
Github user volumeint commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
I just submitted a [pull request to 
buji-pac4j](https://github.com/bujiio/buji-pac4j/pull/62) to make the value of 
Principal.getName() configurable via shiro.ini.  We just have to wait for it to 
be accepted and released.  I will provide some documentation on integrating 
with one of the social OAuth providers after I clean up my zeppelin pull 
request.  An ounce of code can save a pound of documentation.  


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-12 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
I sincerely think that this implementation is enough to unlock the usage of 
pac4j, buji (due to the rest of updates sent there).
I think that the name parsing can be refactored later on, actual 
implementation is not optimal but "good enough" to me (i.e. I have no cases 
where it fails), in case @volumeint could you share your configuration to login 
through other oidc providers in docs in another PR?

Please let's try to finalize this this week
cc. @Leemoonsoo @1ambda @felixcheung 


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-09 Thread volumeint
Github user volumeint commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
It turns out that the Pac4JPrincipal provided by buji is returning
CommonProfile.getId() and not the getUsername() or getDisplayName() values
for getName().


https://github.com/bujiio/buji-pac4j/blob/master/src/main/java/io/buji/pac4j/subject/Pac4jPrincipal.java

I believe the intent of the Principal.getName() method is to return a
human-friendly name, not a computer-friendly identifier.  I created an
issue on the Buji github project to see if they are open to changing it.

https://github.com/bujiio/buji-pac4j/issues/61


On Fri, Jun 9, 2017 at 6:50 AM, Andrea Peruffo wrote:

> *@andreaTP* commented on this pull request.
> --
>
> In zeppelin-web/src/components/navbar/navbar.html:
>
> > @@ -86,7 +86,7 @@
>   uib-tooltip="WebSocket Disconnected" 
tooltip-placement="bottom" style="margin-top: 7px; vertical-align: top">
>  
> -  {{ticket.principal}}
> +  {{ticket.screenUsername}}
>
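
Review bot: at `+  {{ticket.screenUsername}}` the navbar label now depends entirely on a `screenUsername` field, and nothing in this hunk shows what is rendered when that field is missing or empty for a given provider. Consider a fallback such as `{{ticket.screenUsername || ticket.principal}}` so the label never renders blank, and keep `ticket.principal` as the identifier while `screenUsername` is used for display only.
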
> @volumeint  I like your proposal and
> implemented it, unfortunately it turns out that for example with Keycloak
> from "getName" I got instead the UUID
>


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-06 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
Does this minimal and cleaned-up version need anything else to be worked out 
in order to be merged?


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-02 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
@1ambda To be honest I'm not such an expert and I'm just integrating from a 
technical POV a solution that other experts in team found.

I would love to have such documentation too, but I cannot realistically 
propose myself for writing it... sorry. 


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-01 Thread andreaTP
Github user andreaTP commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
@1ambda potentially yes

@khalidhuseynov thanks for pointing out a public server I can test! I will 
go through later on

B.t.w. I realized that the MVP to get this working is just upgrading shiro 
and the ui triggers,
the rest of the libraries can be provided on an ad-hoc basis (i.e. in a 
`lib` dir) without any need of packaging them into zeppelin itself, this will 
enable also users to choose the preferred version.


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-01 Thread 1ambda
Github user 1ambda commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
Hi, I have a question. Does this PR mean Zeppelin can be an OAuth client? 
For example github, google, ...


---


[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

2017-06-01 Thread khalidhuseynov
Github user khalidhuseynov commented on the issue:

https://github.com/apache/zeppelin/pull/2373
  
I've just tried to login using the config info from online demo for 
oidc-client in https://demo.c2id.com/oidc-client using modified config below
```
oidcConfig = org.pac4j.oidc.config.OidcConfiguration
oidcConfig.discoveryURI = https://demo.c2id.com/oidc-client/cb
oidcConfig.clientId = 000123
oidcConfig.secret = 7wKJNYFaKKg4FxUdi8_R75GGYsiWezvAbcdN1uSumE4
oidcConfig.clientAuthenticationMethodAsString = client_secret_basic
oidcClient = org.pac4j.oidc.client.OidcClient
oidcClient.configuration = $oidcConfig
clients = org.pac4j.core.client.Clients
clients.callbackUrl = http://localhost:8080/api/callback
clients.clients = $oidcClient
requireRoleAdmin = org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer
#requireRoleAdmin.elements = 
config = org.pac4j.core.config.Config
config.clients = $clients
#config.authorizers = admin:$requireRoleAdmin
pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory
securityManager.subjectFactory = $pac4jSubjectFactory
oidcSecurityFilter = io.buji.pac4j.filter.SecurityFilter
oidcSecurityFilter.config = $config
oidcSecurityFilter.clients = oidcClient
callbackFilter = io.buji.pac4j.filter.CallbackFilter
callbackFilter.defaultUrl = http://localhost:8080
callbackFilter.config = $config
securityManager.realms = $pac4jRealm

...

/api/callback = callbackFilter
#/** = anon
/** = authc
```
but getting exception
```
ERROR [2017-06-01 14:49:39,711] ({qtp764577347-20} LoginRestApi.java[postLogin]:111) - Exception in login: 
org.apache.shiro.authc.pam.UnsupportedTokenException: Realm [io.buji.pac4j.realm.Pac4jRealm@734cf9ff] does not support authentication token [org.apache.shiro.authc.UsernamePasswordToken - alice, rememberMe=false].  Please ensure that the appropriate Realm implementation is configured correctly or that the realm accepts AuthenticationTokens of this type.
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:178)
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
    at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
    at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
    at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:80)
```
please let me know if you can see any apparent misconfiguration 


---