ZEPPELIN-2161 Nested Group Support in LdapRealm for AD #2062
Conversation
Any idea why the build has failed? I don't get the error.
Thanks @weand for the improvement.
@@ -128,6 +128,8 @@ | |||
private static final String SUBJECT_USER_GROUPS = "subject.userGroups"; | |||
private static final String MEMBER_URL = "memberUrl"; | |||
private static final String POSIX_GROUP = "posixGroup"; | |||
private static final String MATCHING_RULE_IN_CHAIN_FORMAT = | |||
"(&(objectClass=%s)(%s:1.2.840.113556.1.4.1941:=%s))"; |
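Review bot: the three `%s` placeholders in MATCHING_RULE_IN_CHAIN_FORMAT are substituted straight into an LDAP filter, so each value (in particular the DN used as the assertion value for the `1.2.840.113556.1.4.1941` clause) should be passed through RFC 4515 filter escaping before `String.format`; a DN or name containing `(`, `)`, `*` or `\` would otherwise break or change the filter's structure. A short comment above the constant naming what each placeholder holds (object class, attribute, DN) and stating that the OID is LDAP_MATCHING_RULE_IN_CHAIN would also save the next reader a lookup.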
A comment about this magic number would be helpful for future debugging. Also, specifying the doc URL would be helpful.
I understand it's: "This rule is limited to filters that apply to the DN. This is a special 'extended' match operator that walks the chain of ancestry in objects all the way to the root until it finds a match."
Sure, comment added.
Can you update the doc (https://github.com/apache/zeppelin/blob/master/docs/security/shiroauthentication.md#ldap) as well, so users reading http://zeppelin.apache.org/docs/0.7.0/security/shiroauthentication.html#ldap can leverage this feature.
@prabhjyotsingh There isn't any documentation for org.apache.zeppelin.realm.LdapRealm yet. @Leemoonsoo Any special reason why LdapRealm wasn't documented in 0.7.0 yet? Can anyone help me understand why the build is failing? I don't see why these tests now fail; they have no obvious reference to the changes of this PR:
@weand So far, we have a section for LdapRealm in shiroauthentication.md.
This problem has been fixed in the current master branch. Could you rebase or merge master and see if the test passes?
@Leemoonsoo Rebased and green now. Thanks for your help. Regarding documentation: should we document two LDAP realms, or should we mark the old one deprecated? Because of that, I would prefer a separate issue for the missing piece of documentation.
Okay, LGTM. Regarding documentation, if LdapGroupRealm and LdapRealm are in a superset/subset relation, we can mark one deprecated. If not, I think we should document two LDAP realms.
### What is this PR for?
A common use case in LDAP/AD setups is the hierarchical structuring of groups - a.k.a. adding groups to other groups. Such nested groups can help reduce the number of roles that need to be managed.
Current Zeppelin realm implementations don't have support for looking up memberships throughout nested group structures.
E.g. consider the following nested group scenario:
```
acme_employees
\__department_a
   \__sub_department_x
```
User 'bob' is in group 'sub_department_x'.
Notebook 'note1' has a Reader Role assignment for 'department_a' or 'acme_employees'.
Then access must be granted for 'bob' on 'note1'.
In AD environments this scenario can be efficiently implemented using the so-called LDAP_MATCHING_RULE_IN_CHAIN operator '1.2.840.113556.1.4.1941'.
This PR introduces a property 'groupSearchEnableMatchingRuleInChain' to org.apache.zeppelin.realm.LdapRealm which defaults to false. If enabled, all roles of potential nested group hierarchies will be resolved using the LDAP_MATCHING_RULE_IN_CHAIN operator.
### What type of PR is it?
Improvement
### Todos
-
### What is the Jira issue?
[ZEPPELIN-2161]
### How should this be tested?
Set groupSearchEnableMatchingRuleInChain = true for the ldap realm.
### Screenshots (if appropriate)
### Questions:
* Do the license files need an update? n
* Are there breaking changes for older versions? n
* Does this need documentation? y

Author: Andreas Weise <a.weise@avm.de>

Closes #2062 from weand/ZEPPELIN-2161 and squashes the following commits:

c08d015 [Andreas Weise] ZEPPELIN-2161 Nested group support in LdapRealm for AD

(cherry picked from commit b9fa42d)
Signed-off-by: Lee moon soo <moon@apache.org>
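The nested-group resolution the description above relies on, as an added example that is not part of this PR or of Zeppelin's code: it builds the same LDAP_MATCHING_RULE_IN_CHAIN filter template shown in the diff, with RFC 4515 escaping of the substituted values, and emulates the ancestry walk the operator performs over a constructed in-memory directory so the flat and nested results can be compared. That the second placeholder holds the group member attribute (here "member") is an assumption, as are the sample DNs.

```python
# Filter template as in the PR's LdapRealm; the OID 1.2.840.113556.1.4.1941 is
# AD's LDAP_MATCHING_RULE_IN_CHAIN (transitive membership) extensible match.
MATCHING_RULE_IN_CHAIN_FORMAT = "(&(objectClass=%s)(%s:1.2.840.113556.1.4.1941:=%s))"

# RFC 4515 escapes for characters that would otherwise alter filter structure.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it can only ever be matched, never parsed as filter syntax."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_nested_group_filter(object_class: str, member_attr: str, user_dn: str) -> str:
    """Fill the template with escaped values; member_attr as second placeholder is an assumption."""
    return MATCHING_RULE_IN_CHAIN_FORMAT % (
        escape_filter_value(object_class),
        escape_filter_value(member_attr),
        escape_filter_value(user_dn),
    )


# Constructed sample directory mirroring the PR's scenario: group DN -> member DNs.
SAMPLE_GROUPS = {
    "cn=acme_employees,ou=groups,dc=example,dc=com": {"cn=department_a,ou=groups,dc=example,dc=com"},
    "cn=department_a,ou=groups,dc=example,dc=com": {"cn=sub_department_x,ou=groups,dc=example,dc=com"},
    "cn=sub_department_x,ou=groups,dc=example,dc=com": {"cn=bob,ou=users,dc=example,dc=com"},
}


def direct_groups(groups: dict, user_dn: str) -> set:
    """What a plain (member=<dn>) search returns: only groups listing the user directly."""
    return {g for g, members in groups.items() if user_dn in members}


def resolve_groups_in_chain(groups: dict, user_dn: str) -> set:
    """Emulate the matching-rule-in-chain result: walk member links upward from user_dn
    until no new ancestor group is found. The visited set guards against group cycles."""
    resolved, frontier = set(), {user_dn}
    while frontier:
        current = frontier.pop()
        for group_dn, members in groups.items():
            if current in members and group_dn not in resolved:
                resolved.add(group_dn)
                frontier.add(group_dn)
    return resolved
```

With groupSearchEnableMatchingRuleInChain enabled, the realm's role set for 'bob' corresponds to resolve_groups_in_chain; with it disabled, to direct_groups.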