[ZEPPELIN-3526] Zeppelin auth mechanisms (LDAP or password based) should be mutually exclusive - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 0.7.3
Fix Version/s: 0.8.0
Component/s: None
Labels:
None

Description

Problem:
When any external authentication (like LDAP/AD) is enabled for Zeppelin, the default password-based authentication could still be configured in addition to that. This makes space for backdoor in Zeppelin where user can still get in using the local username/password.

Workaround:
Currently, the workaround is to make sure that [users] is removed from shiro.ini to stop anyone logging using local username/password.

Proposed Solution:
Zeppelin shouldn't allow specifying [users] section in shiro.ini when it is configured to authenticate with LDAP/AD.

Attachments

Issue Links

links to

GitHub Pull Request #3003

GitHub Pull Request #3011

Activity

People

Assignee:: Prabhjyot Singh

Reporter:: Prabhjyot Singh

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 05/Jun/18 05:25

Updated:: 08/Jun/18 05:41

Resolved:: 07/Jun/18 10:03