Tony created ZEPPELIN-4341:
------------------------------

             Summary: When using multiple realms queryForAuthorizationInfo fails
                 Key: ZEPPELIN-4341
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-4341
             Project: Zeppelin
          Issue Type: Bug
    Affects Versions: 0.8.1
            Reporter: Tony

I have 2 LDAP realms defined:

    securityManager.realms = $ldapRealmOne, $ldapRealmTwo

Users belong to one of these realms, and using org.apache.shiro.authc.pam.FirstSuccessfulStrategy allows one to fail silently for authentication.

But when using rolesByGroup on these realms, SecurityUtils#getRoles does not catch the exception that is thrown by the realm that the user does not belong to. SecurityUtils#getRoles is only catching NamingException, but an IllegalArgumentException is thrown.

    Caused by: java.lang.IllegalArgumentException: Illegal principal name: joeuser
        at org.apache.zeppelin.realm.LdapRealm.getUserDn(LdapRealm.java:955)
        at org.apache.zeppelin.realm.LdapRealm.getUserDnForSearch(LdapRealm.java:456)
        at org.apache.zeppelin.realm.LdapRealm.rolesFor(LdapRealm.java:353)
        at org.apache.zeppelin.realm.LdapRealm.getRoles(LdapRealm.java:330)
        at org.apache.zeppelin.realm.LdapRealm.queryForAuthorizationInfo(LdapRealm.java:295)
        at org.apache.shiro.realm.ldap.DefaultLdapRealm.doGetAuthorizationInfo(DefaultLdapRealm.java:313)
        at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341)
        at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:573)

Thus, if a user is in the second realm defined in shiro.ini, the code never tries to fetch their roles.

Shiro's doMultiRealmAuthentication method catches everything and logs the error instead of short circuiting the realm loop.

Is this fixed in 9.x? Am I doing something wrong?

Thanks!

--
This message was sent by Atlassian Jira (v8.3.4#803005)