ZEPPELIN-3312 Add option to convert username to lower case

[VipinRathor]

What is this PR for?

This PR introduces a new configuration property to convert username to lower case. This is useful when the users (from external sources like AD/LDAP) are coming in with mixed-case names and Hadoop services (like Hive) can't authorize them correctly because Hadoop services recognize users only in lower case (like Linux).

Adding a new config option "zeppelin.username.force.lowercase" to handle such scenarios.

Behavior without this PR:
Access is denied to CaMel case user while running a Hive paragraph

Behavior with this PR:
User is allowed to run query when proposed configuration set to true.
By default, keeping zeppelin.username.force.lowercase=false to retain the current behavior.

What type of PR is it?

[Bug Fix]

Todos

• - Unit test

What is the Jira issue?

• https://issues.apache.org/jira/browse/ZEPPELIN-3312

How should this be tested?

• Travis CI should pass
• Manual steps to test:

1. Configure Zeppelin with Active Directory authentication
2. Login to Zeppelin as a CaMel case user
3. Try to run a simple JDBC note with a Hive query (like a select * query). This would fail with "user [CaMel] does not have proper privileges to [USE] operation" error message.
4. Now set zeppelin.username.force.lowercase=true in custom zeppelin-site.xml configuration.
5. Once again, login as CaMel case user. This time the same Hive query would run as expected. Because the username is now passed in lower case.
6. Also notice that after successful login, the login username (in the top-right corner) will be in lower case too.

Screenshots (if appropriate)

• Login as CaMel case user:

* Notice the converted username post login:

Questions:

• Does the licenses files need update? No
• Is there breaking changes for older versions? No
• Does this needs documentation? No

[VipinRathor]

@prabhjyotsingh @felixcheung @zjffdu Can you please help review? Thanks.

[VipinRathor]

This can also be tested via REST APIs like this:

1. Login and get cookie as CaMel case user:
   curl -iv -b /tmp/cookie -c /tmp/cookie --data "userName=CaMel&password=passw0rd" -X POST http://localhost:9995/api/login

2. Access a notebook or run some paragraph using the same cookie:
   curl -iv -b /tmp/cookie -c /tmp/cookie http://localhost:9995/api/notebook/2D9Q95A3K

3. Operation will be allowed with following debug log message:
   DEBUG [2018-04-12 08:33:20,274] ({qtp2146608740-19 - /api/notebook/2D9Q95A3K} SecurityUtils.java[getPrincipal]:105) - converting principal name CaMel to lower case:camel

[Tagar]

Great idea.. I had a similar jira https://issues.apache.org/jira/browse/ZEPPELIN-2886
Thanks!

[VipinRathor]

All Travis CI builds are failing for some npm error. Looks unrelated but I'm not sure. I need some help in getting this through.
CC: @prabhjyotsingh @r-kamath

[zjffdu]

LGTM @prabhjyotsingh could you help take a look at the npm error in travis ? Some other contributors also hit this same in other PR recently.

[r-kamath]

@VipinRathor can you try removing npm cache clear from .travis.yml ? otherwise add --force.

npm doc says.

All data that passes through the cache is fully verified for integrity on both insertion and extraction. Cache corruption will either trigger an error, or signal to pacote that the data must be refetched, which it will do automatically. For this reason, it should never be necessary to clear the cache for any reason other than reclaiming disk space, thus why clean now requires --force to run.
details

[r-kamath]

@VipinRathor #2928

[felixcheung]

could you elaborate more on , useful for Active Directory? say as Active Directory/LDAP are case-insensitive?
also, isn't this applicable to LDAP too?

[VipinRathor]

yes, this is very much applicable to LDAP. I'll update in the next commit.

[felixcheung]

log.warn()? since this is possibly security related.

[VipinRathor]

Can do but then there will be lot of noise at info log level. Are we sure that we want to have this?

[VipinRathor]

5/11 builds are still failing but due to unrelated errors. Tried restarting failed one multiple times. All 5 are showing different errors. We can either ignore them or fix them in separate issues.

[VipinRathor]

After few more retries, only 2/11 are failing now. Just restarted them again with the hope that those 2 will succeed too.

[Tagar]

I was thinking we should also lower-case usernames that are stored in notebook-authorization.json, when doing authorization. Otherwise users wouldn't be able to see their own notebooks when this option is enabled and they used case inconsistently when were logging into Zeppelin before.

[VipinRathor]

@Tagar, me & @prabhjyotsingh did discuss notebook authorization changes but somehow I missed to include them. I committed those changes yesterday. Now notebook authorization will also be mindful of username case conversion. Thanks for pointing out!

Today, we also discovered that similar to notebook authorization, interpreter "set permission" is another place where case conversion will be required. I've just committed those changes as well.

[prabhjyotsingh]

LGTM

[prabhjyotsingh]

https://travis-ci.org/VipinRathor/zeppelin/builds/369033290 looks flaky, works well on local.

Merging this to master and branch-0.8 if no more discussion.

[Tagar]

Can you guys please have a look at https://issues.apache.org/jira/browse/ZEPPELIN-3719 in case if this change caused that problem ?