Repository: zeppelin
Updated Branches:
  refs/heads/branch-0.7 f28e58492 -> b7fa12c22


[ZEPPELIN-2657] Add group search filter option to LdapRealm

### What is this PR for?
Problem:
While performing LDAP authentication, the current Shiro module does a group=* 
search while trying to get the group-to-role mapping for any LDAP user. On a large 
LDAP directory, this is a serious problem which might render the RolesByGroup 
feature not working as expected.

Fix:
Currently, while doing LDAP authentication, there is no available option to 
limit the group search results to only the groups that the user is interested in. 
This bug addresses the same and adds a group search filter to the Shiro configuration 
for LdapRealm, which will allow the user to define a search filter and limit the 
group search results.

### What type of PR is it?
Improvement

### What is the Jira issue?
* [ZEPPELIN-2657] https://issues.apache.org/jira/browse/ZEPPELIN-2657

### How should this be tested?
1. Use org.apache.zeppelin.realm.LdapRealm as the Shiro realm
2. In the shiro_ini configuration, define a group search filter like this:
   ldapRealm.groupSearchFilter = (&(objectclass=groupofnames)(member={0}))
   or
   ldapRealm.groupSearchFilter = (&(objectclass=groupofnames)(cn=zeppelin-users*))
3. Also define other LdapRealm parameters as necessary, like rolesByGroup etc.
4. When an LDAP user who is part of a group that matches the filter above logs 
in, the roles are applied. If the LDAP user is not part of these defined 
groups, the roles are not applied.

### Questions:
* Do the license files need an update? N/A
* Are there breaking changes for older versions? N/A
* Does this need documentation? N/A

Author: Vipin Rathor <v.rat...@gmail.com>

Closes #2414 from VipinRathor/ZEPPELIN-2657 and squashes the following commits:

ba0412c8b [Vipin Rathor] ZEPPELIN-2657 Add group search filter option to 
LdapRealm

(cherry picked from commit a5ca2e5185012d336ae794ce51935c80f9540d68)
Signed-off-by: Prabhjyot Singh <prabhjyotsi...@gmail.com>


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/b7fa12c2
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/b7fa12c2
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/b7fa12c2

Branch: refs/heads/branch-0.7
Commit: b7fa12c225e7bd6f1665f9a870ba9dae73536440
Parents: f28e584
Author: Vipin Rathor <v.rat...@gmail.com>
Authored: Thu Jun 15 12:13:21 2017 -0700
Committer: Prabhjyot Singh <prabhjyotsi...@gmail.com>
Committed: Thu Jun 22 10:42:54 2017 +0530

----------------------------------------------------------------------
 .../org/apache/zeppelin/realm/LdapRealm.java    | 26 +++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/b7fa12c2/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java
----------------------------------------------------------------------
diff --git 
a/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java 
b/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java
index 97c223c..dc10749 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java
@@ -101,6 +101,8 @@ import javax.naming.ldap.PagedResultsControl;
  * # ability set searchScopes subtree (default), one, base
  * ldapRealm.userSearchScope = subtree;
  * ldapRealm.groupSearchScope = subtree;
+ * ldapRealm.userSearchFilter = (&(objectclass=person)(sAMAccountName={0}))
+ * ldapRealm.groupSearchFilter = (&(objectclass=groupofnames)(member={0}))
  * ldapRealm.memberAttributeValueTemplate=cn={0},ou=people,dc=hadoop,dc=apache,
  * dc=org
  * # enable support for nested groups using the LDAP_MATCHING_RULE_IN_CHAIN 
operator
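Review bot: the new `ldapRealm.groupSearchFilter = (&(objectclass=groupofnames)(member={0}))` example does not say what `{0}` expands to, and the `memberAttributeValueTemplate` line directly below it shows member values as full DNs (`cn={0},ou=people,dc=hadoop,...`), so the two examples read as inconsistent. State in this comment block whether `{0}` in groupSearchFilter is the bare principal or the user's DN, and that a configured groupSearchFilter replaces the default objectclass filter rather than being combined with it.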
@@ -160,6 +162,7 @@ public class LdapRealm extends JndiLdapRealm {
   private Pattern principalPattern = Pattern.compile(DEFAULT_PRINCIPAL_REGEX);
   private String userDnTemplate = "{0}";
   private String userSearchFilter = null;
+  private String groupSearchFilter = null;
   private String userSearchAttributeTemplate = "{0}";
   private String userSearchScope = "subtree";
   private String groupSearchScope = "subtree";
@@ -356,9 +359,22 @@ public class LdapRealm extends JndiLdapRealm {
               }
             }                
           } else {
+            // Default group search filter
+            String searchFilter = String.format("(objectclass=%1$s)", 
groupObjectClass);
+
+            // If group search filter is defined in Shiro config, then use it
+            if (groupSearchFilter != null) {
+              Matcher matchedPrincipal = matchPrincipal(userDn);
+              searchFilter = expandTemplate(groupSearchFilter, 
matchedPrincipal);
+              //searchFilter = String.format("%1$s", groupSearchFilter);
+            }
+            if (log.isDebugEnabled()) {
+              log.debug("Group SearchBase|SearchFilter|GroupSearchScope: " + 
getGroupSearchBase()
+                    + "|" + searchFilter + "|" + groupSearchScope);
+            }
             searchResultEnum = ldapCtx.search(
                 getGroupSearchBase(),
-                "objectClass=" + groupObjectClass,
+                searchFilter,
                 searchControls);
             while (searchResultEnum != null && searchResultEnum.hasMore()) { 
               // searchResults contains all the groups in search scope
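Review bot: the value substituted into the expanded group filter comes from `matchPrincipal(userDn)`, so confirm that `expandTemplate` escapes LDAP filter metacharacters per RFC 4515 (`*`, `(`, `)`, `\`, NUL) before `searchFilter` reaches `ldapCtx.search`; the previous code built the filter only from the configured `groupObjectClass`, whereas this branch now interpolates a principal-derived string, and an unescaped value would alter the group query. Remove the dead commented-out line `//searchFilter = String.format("%1$s", groupSearchFilter);`. The debug log at `log.debug("Group SearchBase|SearchFilter|GroupSearchScope: " ...` now also emits the expanded filter, which includes the user DN; that is acceptable at debug level but worth noting in the log message.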
@@ -737,6 +753,14 @@ public class LdapRealm extends JndiLdapRealm {
     this.userSearchFilter = (filter == null ? null : filter.trim());
   }
   
+  public String getGroupSearchFilter() {
+    return groupSearchFilter;
+  }
+
+  public void setGroupSearchFilter(final String filter) {
+    this.groupSearchFilter = (filter == null ? null : filter.trim());
+  }
+
   public boolean getUserLowerCase() {
     return userLowerCase;
   }
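Review bot: `setGroupSearchFilter` mirrors `setUserSearchFilter`, but a whitespace-only value becomes `""` rather than `null`, which passes the `groupSearchFilter != null` check in the search branch and sends an empty filter to the directory. Consider treating blank input as unset, e.g. `this.groupSearchFilter = (filter == null || filter.trim().isEmpty()) ? null : filter.trim();`, so an empty `ldapRealm.groupSearchFilter =` line in shiro.ini falls back to the objectclass default.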
