Github user SarunasG commented on the issue: https://github.com/apache/zeppelin/pull/2373

Hi @andreaTP, All,

Could anyone please help me to understand this pull request better?

If I integrate all the changes as per this pull request and amend the shiro.ini file with OIDC (pac4j) Keycloak configuration settings, I do not get it working due to a couple of reasons:

1) If I keep `/** = authc` in [urls] uncommented, I get Zeppelin's login prompt to enter username and password, so I am not redirected to Keycloak... In addition, if I enter a username and password which is registered in Keycloak, I get an exception:

```
org.apache.shiro.authc.pam.UnsupportedTokenException: Realm [io.buji.pac4j.realm.Pac4jRealm@5e7a3fcc] does not support authentication token [org.apache.shiro.authc.UsernamePasswordToken - sarunas, rememberMe=false]. Please ensure that the appropriate Realm implementation is configured correctly or that the realm accepts AuthenticationTokens of this type.
```

2) If I comment `/** = authc` out in the [urls] section, nothing happens, as Zeppelin's main screen is loaded without any authentication or transfer to Keycloak... and that is as it is supposed to be: no auth required.
My shiro.ini example:

```
[main]
securityManager.realms = $pac4jRealm
oidcConfig = org.pac4j.oidc.config.OidcConfiguration
oidcConfig.discoveryURI = http://localhost:8080/auth/realms/demo/.well-known/openid-configuration
oidcConfig.clientId = zeppelin
oidcConfig.secret = 1baabe32-50bc-49c4-9ac3-a303a9f953c5
oidcConfig.clientAuthenticationMethodAsString = client_secret_basic
oidcClient = org.pac4j.oidc.client.OidcClient
oidcClient.configuration = $oidcConfig
clients = org.pac4j.core.client.Clients
clients.callbackUrl = http://localhost:8082/api/callback
clients.clients = $oidcClient
#requireRoleAdmin = org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer
#requireRoleAdmin.elements = zeppelin_group
config = org.pac4j.core.config.Config
config.clients = $clients
config.authorizers = admin:$requireRoleAdmin
pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory
securityManager.subjectFactory = $pac4jSubjectFactory
oidcSecurityFilter = io.buji.pac4j.filter.SecurityFilter
oidcSecurityFilter.config = $config
oidcSecurityFilter.clients = oidcClient

callbackFilter = io.buji.pac4j.filter.CallbackFilter
callbackFilter.defaultUrl = http://localhost:8082
callbackFilter.config = $config

[urls]
/api/callback = callbackFilter
#/** = anon
/** = authc
```

-----------------

So:

- Has anyone managed to get Zeppelin integrated with e.g. Keycloak by means of shiro + pac4j oidc?
- Can anyone share example of their shiro.ini file if so?
- Is my understanding then correct that changes from this pull request are not enough for getting Zeppelin->pac4j-oidc->Keycloak mix working, we need some code adjustments in zeppelin-web project?
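Added example, not part of the original comment and not Zeppelin, Shiro or pac4j code: a small Python lint for a shiro.ini of the shape quoted above. It reports `$` references with no definition in [main], filter objects that no [urls] chain uses, and paths mapped to `authc` when every configured realm is a `Pac4jRealm` (the combination behind the `UnsupportedTokenException` above). The names `lint_shiro_ini` and `parse_sections` and the trimmed sample are assumptions made for this example.

```python
import re

# Constructed sample: a trimmed copy of the settings quoted in the comment above.
SAMPLE_INI = """\
[main]
securityManager.realms = $pac4jRealm
#requireRoleAdmin = org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer
config = org.pac4j.core.config.Config
config.authorizers = admin:$requireRoleAdmin
pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
oidcSecurityFilter = io.buji.pac4j.filter.SecurityFilter
callbackFilter = io.buji.pac4j.filter.CallbackFilter
[urls]
/api/callback = callbackFilter
/** = authc
"""

def parse_sections(text):
    """Split INI text into {section: [(key, value), ...]}, skipping comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def lint_shiro_ini(text):
    """Return findings for a shiro.ini (hypothetical helper, not a Shiro/pac4j API)."""
    sec = parse_sections(text)
    main, urls = sec.get("main", []), sec.get("urls", [])
    objects = {k: v for k, v in main if "." not in k}  # object name -> class
    findings = [f"{k}: ${ref} is not defined in [main]"
                for k, v in main for ref in re.findall(r"\$(\w+)", v)
                if ref not in objects]
    # Filter names per URL pattern, e.g. "authc, roles[admin]" -> ["authc", "roles"]
    chains = [(p, [n.split("[")[0].strip() for n in v.split(",")]) for p, v in urls]
    used = {n for _, names in chains for n in names}
    findings += [f"{name} ({cls}) is never used in [urls]"
                 for name, cls in objects.items()
                 if cls.endswith("Filter") and name not in used]
    realms = re.findall(r"\$(\w+)", dict(main).get("securityManager.realms", ""))
    if realms and all(objects.get(r, "").endswith("Pac4jRealm") for r in realms):
        findings += [f"{p} = authc, but the only realm is Pac4jRealm"
                     for p, names in chains if "authc" in names]
    return findings
```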