-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ZEPPELIN-3664: ActiveDirectoryGroupRealm returns "cn" instead of "userPrincipalName" for note permission auto completion #3098
base: master
Are you sure you want to change the base?
Conversation
* Return "userPrincipalName" from ActiveDirectoryGroupRealm when searching for users. * Added unit test for search functionality.
@FSteinle our team use authorization with parameter BTW, |
@mebelousov: Basically this is not related to emails but to the userPrincipalName. The principalSuffix parameter makes sense, but doesn't address this issue. In our case we wanna keep the suffix to be sure it's really unique. Not all users of the organization are in the same AD branch. |
\cc @prabhjyotsingh |
@@ -265,7 +265,7 @@ protected AuthorizationInfo buildAuthorizationInfo(Set<String> roleNames) { | |||
NamingEnumeration ae = attrs.getAll(); | |||
while (ae.hasMore()) { | |||
Attribute attr = (Attribute) ae.next(); | |||
if (attr.getID().toLowerCase().equals("cn")) { | |||
if (attr.getID().toLowerCase().equals("userprincipalname")) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we make this (cn/userprincipalname/or any other parameter) configurable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From my point of view "cn" just doesn't work. So I don't see a need having this option.
When adding a new notebook also the upn is set as owner (or also for readers/writers/runners depending on the config). So why should one use the "cn" here when searching?
It also actually is the upn we're searching for in this method ("userPrincipalName=" + containString + "").
But maybe I do not have the full picture...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@FSteinle Could you update the PR title ? |
What is this PR for?
Fix for https://issues.apache.org/jira/browse/ZEPPELIN-3664
Return the "userPrincipalName" instead of the "cn" (common name) from ActiveDirectoryGroupRealm when searching users to set note permissions.
What type of PR is it?
[Bug Fix]
Todos
What is the Jira issue?
How should this be tested?
Steps to reproduce
Expected result
Actual result
Screenshots
Questions: