New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ZEPPELIN-3312 Add option to convert username to lower case #2923
Conversation
@prabhjyotsingh @felixcheung @zjffdu Can you please help review? Thanks. |
This can also be tested via REST APIs like this:
|
Great idea.. I had a similar jira https://issues.apache.org/jira/browse/ZEPPELIN-2886 |
All Travis CI builds are failing for some npm error. Looks unrelated but I'm not sure. I need some help in getting this through. |
LGTM @prabhjyotsingh could you help take a look at the npm error in travis ? Some other contributors also hit this same in other PR recently. |
@VipinRathor can you try removing npm doc says.
|
conf/zeppelin-site.xml.template
Outdated
<property> | ||
<name>zeppelin.username.force.lowercase</name> | ||
<value>false</value> | ||
<description>Force convert username case to lower case, useful for Active Directory. Default is not to change case</description> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could you elaborate more on , useful for Active Directory
? say as Active Directory/LDAP are case-insensitive
?
also, isn't this applicable to LDAP too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, this is very much applicable to LDAP. I'll update in the next commit.
@@ -91,6 +92,11 @@ public static String getPrincipal() { | |||
String principal; | |||
if (subject.isAuthenticated()) { | |||
principal = extractPrincipal(subject); | |||
if (ZeppelinServer.notebook.getConf().isUsernameForceLowerCase()) { | |||
log.debug("Converting principal name " + principal | |||
+ " to lower case:" + principal.toLowerCase()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
log.warn()? since this is possibly security related.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can do but then there will be lot of noise at info log level. Are we sure that we want to have this?
3833729
to
83fb686
Compare
5/11 builds are still failing but due to unrelated errors. Tried restarting failed one multiple times. All 5 are showing different errors. We can either ignore them or fix them in separate issues. |
After few more retries, only 2/11 are failing now. Just restarted them again with the hope that those 2 will succeed too. |
I was thinking we should also lower-case usernames that are stored in |
@Tagar, me & @prabhjyotsingh did discuss notebook authorization changes but somehow I missed to include them. I committed those changes yesterday. Now notebook authorization will also be mindful of username case conversion. Thanks for pointing out! Today, we also discovered that similar to notebook authorization, interpreter "set permission" is another place where case conversion will be required. I've just committed those changes as well. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
https://travis-ci.org/VipinRathor/zeppelin/builds/369033290 looks flaky, works well on local. Merging this to master and branch-0.8 if no more discussion. |
This PR introduces a new configuration property to convert username to lower case. This is useful when the users (from external sources like AD/LDAP) are coming in with mixed-case names and Hadoop services (like Hive) can't authorize them correctly because Hadoop services recognize users only in lower case (like Linux). Adding a new config option "zeppelin.username.force.lowercase" to handle such scenarios. Behavior without this PR: Access is denied to CaMel case user while running a Hive paragraph Behavior with this PR: User is allowed to run query when proposed configuration set to true. By default, keeping zeppelin.username.force.lowercase=false to retain the current behavior. [Bug Fix] * [ ] - Unit test * https://issues.apache.org/jira/browse/ZEPPELIN-3312 * Travis CI should pass * Manual steps to test: 1. Configure Zeppelin with Active Directory authentication 2. Login to Zeppelin as a CaMel case user 3. Try to run a simple JDBC note with a Hive query (like a select * query). This would fail with "user [CaMel] does not have proper privileges to [USE] operation" error message. 4. Now set zeppelin.username.force.lowercase=true in custom zeppelin-site.xml configuration. 5. Once again, login as CaMel case user. This time the same Hive query would run as expected. Because the username is now passed in lower case. 6. Also notice that after successful login, the login username (in the top-right corner) will be in lower case too. * Login as CaMel case user: <img width="596" alt="screen shot 2018-04-12 at 3 33 01 am" src="https://user-images.githubusercontent.com/15668387/38672744-faf00f8e-3e03-11e8-86b2-cc5981d380d2.png"> * Notice the converted username post login: <img width="806" alt="screen shot 2018-04-12 at 3 33 43 am" src="https://user-images.githubusercontent.com/15668387/38672777-108c7b66-3e04-11e8-8c97-467b4b73fe3d.png"> * Does the licenses files need update? No * Is there breaking changes for older versions? No * Does this needs documentation? No Author: Vipin Rathor <v.rathor@gmail.com> Closes #2923 from VipinRathor/ZEPPELIN-3312 and squashes the following commits: 886acb9 [Vipin Rathor] Add lowercase username support for interpreter permission c112098 [Vipin Rathor] Remove maven cyclic refernce and use conf object directly 549f84d [Vipin Rathor] Convert username for Notebook Authorization as well f83ce9f [Vipin Rathor] Adding new test testUsernameForceLowerCase and fixing canGetPrincipalName b272299 [Vipin Rathor] Fixing Travis CI build failure due to indentation 83fb686 [Vipin Rathor] Incorporating PR review suggestion to zeppelin-site.xml-template 7f9b4df [Vipin Rathor] Add support to force username case conversion Change-Id: Id13a5eca9718063cb629454a9d3d2fc6f3cfb663 (cherry picked from commit b89c9ad) Signed-off-by: Prabhjyot Singh <prabhjyotsingh@gmail.com> # Conflicts: # zeppelin-server/src/main/java/org/apache/zeppelin/utils/SecurityUtils.java # zeppelin-server/src/test/java/org/apache/zeppelin/security/SecurityUtilsTest.java
This PR introduces a new configuration property to convert username to lower case. This is useful when the users (from external sources like AD/LDAP) are coming in with mixed-case names and Hadoop services (like Hive) can't authorize them correctly because Hadoop services recognize users only in lower case (like Linux). Adding a new config option "zeppelin.username.force.lowercase" to handle such scenarios. Behavior without this PR: Access is denied to CaMel case user while running a Hive paragraph Behavior with this PR: User is allowed to run query when proposed configuration set to true. By default, keeping zeppelin.username.force.lowercase=false to retain the current behavior. [Bug Fix] * [ ] - Unit test * https://issues.apache.org/jira/browse/ZEPPELIN-3312 * Travis CI should pass * Manual steps to test: 1. Configure Zeppelin with Active Directory authentication 2. Login to Zeppelin as a CaMel case user 3. Try to run a simple JDBC note with a Hive query (like a select * query). This would fail with "user [CaMel] does not have proper privileges to [USE] operation" error message. 4. Now set zeppelin.username.force.lowercase=true in custom zeppelin-site.xml configuration. 5. Once again, login as CaMel case user. This time the same Hive query would run as expected. Because the username is now passed in lower case. 6. Also notice that after successful login, the login username (in the top-right corner) will be in lower case too. * Login as CaMel case user: <img width="596" alt="screen shot 2018-04-12 at 3 33 01 am" src="https://user-images.githubusercontent.com/15668387/38672744-faf00f8e-3e03-11e8-86b2-cc5981d380d2.png"> * Notice the converted username post login: <img width="806" alt="screen shot 2018-04-12 at 3 33 43 am" src="https://user-images.githubusercontent.com/15668387/38672777-108c7b66-3e04-11e8-8c97-467b4b73fe3d.png"> * Does the licenses files need update? No * Is there breaking changes for older versions? No * Does this needs documentation? No Author: Vipin Rathor <v.rathor@gmail.com> Closes apache#2923 from VipinRathor/ZEPPELIN-3312 and squashes the following commits: 886acb9 [Vipin Rathor] Add lowercase username support for interpreter permission c112098 [Vipin Rathor] Remove maven cyclic refernce and use conf object directly 549f84d [Vipin Rathor] Convert username for Notebook Authorization as well f83ce9f [Vipin Rathor] Adding new test testUsernameForceLowerCase and fixing canGetPrincipalName b272299 [Vipin Rathor] Fixing Travis CI build failure due to indentation 83fb686 [Vipin Rathor] Incorporating PR review suggestion to zeppelin-site.xml-template 7f9b4df [Vipin Rathor] Add support to force username case conversion Change-Id: Id13a5eca9718063cb629454a9d3d2fc6f3cfb663
This PR introduces a new configuration property to convert username to lower case. This is useful when the users (from external sources like AD/LDAP) are coming in with mixed-case names and Hadoop services (like Hive) can't authorize them correctly because Hadoop services recognize users only in lower case (like Linux). Adding a new config option "zeppelin.username.force.lowercase" to handle such scenarios. Behavior without this PR: Access is denied to CaMel case user while running a Hive paragraph Behavior with this PR: User is allowed to run query when proposed configuration set to true. By default, keeping zeppelin.username.force.lowercase=false to retain the current behavior. [Bug Fix] * [ ] - Unit test * https://issues.apache.org/jira/browse/ZEPPELIN-3312 * Travis CI should pass * Manual steps to test: 1. Configure Zeppelin with Active Directory authentication 2. Login to Zeppelin as a CaMel case user 3. Try to run a simple JDBC note with a Hive query (like a select * query). This would fail with "user [CaMel] does not have proper privileges to [USE] operation" error message. 4. Now set zeppelin.username.force.lowercase=true in custom zeppelin-site.xml configuration. 5. Once again, login as CaMel case user. This time the same Hive query would run as expected. Because the username is now passed in lower case. 6. Also notice that after successful login, the login username (in the top-right corner) will be in lower case too. * Login as CaMel case user: <img width="596" alt="screen shot 2018-04-12 at 3 33 01 am" src="https://user-images.githubusercontent.com/15668387/38672744-faf00f8e-3e03-11e8-86b2-cc5981d380d2.png"> * Notice the converted username post login: <img width="806" alt="screen shot 2018-04-12 at 3 33 43 am" src="https://user-images.githubusercontent.com/15668387/38672777-108c7b66-3e04-11e8-8c97-467b4b73fe3d.png"> * Does the licenses files need update? No * Is there breaking changes for older versions? No * Does this needs documentation? No Author: Vipin Rathor <v.rathor@gmail.com> Closes apache#2923 from VipinRathor/ZEPPELIN-3312 and squashes the following commits: 886acb9 [Vipin Rathor] Add lowercase username support for interpreter permission c112098 [Vipin Rathor] Remove maven cyclic refernce and use conf object directly 549f84d [Vipin Rathor] Convert username for Notebook Authorization as well f83ce9f [Vipin Rathor] Adding new test testUsernameForceLowerCase and fixing canGetPrincipalName b272299 [Vipin Rathor] Fixing Travis CI build failure due to indentation 83fb686 [Vipin Rathor] Incorporating PR review suggestion to zeppelin-site.xml-template 7f9b4df [Vipin Rathor] Add support to force username case conversion Change-Id: Id13a5eca9718063cb629454a9d3d2fc6f3cfb663 (cherry picked from commit b89c9ad) Signed-off-by: Prabhjyot Singh <prabhjyotsingh@gmail.com>
This PR introduces a new configuration property to convert username to lower case. This is useful when the users (from external sources like AD/LDAP) are coming in with mixed-case names and Hadoop services (like Hive) can't authorize them correctly because Hadoop services recognize users only in lower case (like Linux). Adding a new config option "zeppelin.username.force.lowercase" to handle such scenarios. Behavior without this PR: Access is denied to CaMel case user while running a Hive paragraph Behavior with this PR: User is allowed to run query when proposed configuration set to true. By default, keeping zeppelin.username.force.lowercase=false to retain the current behavior. [Bug Fix] * [ ] - Unit test * https://issues.apache.org/jira/browse/ZEPPELIN-3312 * Travis CI should pass * Manual steps to test: 1. Configure Zeppelin with Active Directory authentication 2. Login to Zeppelin as a CaMel case user 3. Try to run a simple JDBC note with a Hive query (like a select * query). This would fail with "user [CaMel] does not have proper privileges to [USE] operation" error message. 4. Now set zeppelin.username.force.lowercase=true in custom zeppelin-site.xml configuration. 5. Once again, login as CaMel case user. This time the same Hive query would run as expected. Because the username is now passed in lower case. 6. Also notice that after successful login, the login username (in the top-right corner) will be in lower case too. * Login as CaMel case user: <img width="596" alt="screen shot 2018-04-12 at 3 33 01 am" src="https://user-images.githubusercontent.com/15668387/38672744-faf00f8e-3e03-11e8-86b2-cc5981d380d2.png"> * Notice the converted username post login: <img width="806" alt="screen shot 2018-04-12 at 3 33 43 am" src="https://user-images.githubusercontent.com/15668387/38672777-108c7b66-3e04-11e8-8c97-467b4b73fe3d.png"> * Does the licenses files need update? No * Is there breaking changes for older versions? No * Does this needs documentation? No Author: Vipin Rathor <v.rathor@gmail.com> Closes apache#2923 from VipinRathor/ZEPPELIN-3312 and squashes the following commits: 886acb9 [Vipin Rathor] Add lowercase username support for interpreter permission c112098 [Vipin Rathor] Remove maven cyclic refernce and use conf object directly 549f84d [Vipin Rathor] Convert username for Notebook Authorization as well f83ce9f [Vipin Rathor] Adding new test testUsernameForceLowerCase and fixing canGetPrincipalName b272299 [Vipin Rathor] Fixing Travis CI build failure due to indentation 83fb686 [Vipin Rathor] Incorporating PR review suggestion to zeppelin-site.xml-template 7f9b4df [Vipin Rathor] Add support to force username case conversion Change-Id: Id13a5eca9718063cb629454a9d3d2fc6f3cfb663
This PR introduces a new configuration property to convert username to lower case. This is useful when the users (from external sources like AD/LDAP) are coming in with mixed-case names and Hadoop services (like Hive) can't authorize them correctly because Hadoop services recognize users only in lower case (like Linux). Adding a new config option "zeppelin.username.force.lowercase" to handle such scenarios. Behavior without this PR: Access is denied to CaMel case user while running a Hive paragraph Behavior with this PR: User is allowed to run query when proposed configuration set to true. By default, keeping zeppelin.username.force.lowercase=false to retain the current behavior. [Bug Fix] * [ ] - Unit test * https://issues.apache.org/jira/browse/ZEPPELIN-3312 * Travis CI should pass * Manual steps to test: 1. Configure Zeppelin with Active Directory authentication 2. Login to Zeppelin as a CaMel case user 3. Try to run a simple JDBC note with a Hive query (like a select * query). This would fail with "user [CaMel] does not have proper privileges to [USE] operation" error message. 4. Now set zeppelin.username.force.lowercase=true in custom zeppelin-site.xml configuration. 5. Once again, login as CaMel case user. This time the same Hive query would run as expected. Because the username is now passed in lower case. 6. Also notice that after successful login, the login username (in the top-right corner) will be in lower case too. * Login as CaMel case user: <img width="596" alt="screen shot 2018-04-12 at 3 33 01 am" src="https://user-images.githubusercontent.com/15668387/38672744-faf00f8e-3e03-11e8-86b2-cc5981d380d2.png"> * Notice the converted username post login: <img width="806" alt="screen shot 2018-04-12 at 3 33 43 am" src="https://user-images.githubusercontent.com/15668387/38672777-108c7b66-3e04-11e8-8c97-467b4b73fe3d.png"> * Does the licenses files need update? No * Is there breaking changes for older versions? No * Does this needs documentation? No Author: Vipin Rathor <v.rathor@gmail.com> Closes apache#2923 from VipinRathor/ZEPPELIN-3312 and squashes the following commits: 886acb9 [Vipin Rathor] Add lowercase username support for interpreter permission c112098 [Vipin Rathor] Remove maven cyclic refernce and use conf object directly 549f84d [Vipin Rathor] Convert username for Notebook Authorization as well f83ce9f [Vipin Rathor] Adding new test testUsernameForceLowerCase and fixing canGetPrincipalName b272299 [Vipin Rathor] Fixing Travis CI build failure due to indentation 83fb686 [Vipin Rathor] Incorporating PR review suggestion to zeppelin-site.xml-template 7f9b4df [Vipin Rathor] Add support to force username case conversion Change-Id: Id13a5eca9718063cb629454a9d3d2fc6f3cfb663 (cherry picked from commit b89c9ad) Signed-off-by: Prabhjyot Singh <prabhjyotsingh@gmail.com> # Conflicts: # zeppelin-server/src/main/java/org/apache/zeppelin/utils/SecurityUtils.java # zeppelin-server/src/test/java/org/apache/zeppelin/security/SecurityUtilsTest.java
Can you guys please have a look at https://issues.apache.org/jira/browse/ZEPPELIN-3719 in case if this change caused that problem ? |
What is this PR for?
This PR introduces a new configuration property to convert username to lower case. This is useful when the users (from external sources like AD/LDAP) are coming in with mixed-case names and Hadoop services (like Hive) can't authorize them correctly because Hadoop services recognize users only in lower case (like Linux).
Adding a new config option "zeppelin.username.force.lowercase" to handle such scenarios.
Behavior without this PR:
Access is denied to CaMel case user while running a Hive paragraph
Behavior with this PR:
User is allowed to run query when proposed configuration set to true.
By default, keeping zeppelin.username.force.lowercase=false to retain the current behavior.
What type of PR is it?
[Bug Fix]
Todos
What is the Jira issue?
How should this be tested?
Screenshots (if appropriate)
* Notice the converted username post login:
Questions: