Zeppelin / ZEPPELIN-3719

LdapGroupRealm allows login with an empty password


Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: 0.8.0, 0.8.1, 0.9.0
    • Fix Version/s: None
    • Labels: security

    Description

      We use LDAPGroupRealm for authentication.

      Not sure how we didn't notice, but just entering an empty password allows login.
      If we enter an incorrect password, it doesn't let us log in, as expected.
      But an empty password field is somehow treated separately and lets us log in in any case.

      Hopefully it's just a misconfiguration on our side, but if it's not, it looks like a big security hole.

      Looking at the code, there should be an exception here

      https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/rest/LoginRestApi.java#L165

      but it doesn't happen.

      Changed log4j logging to DEBUG but still don't see any trace of why this happens.

      Can somebody else please try to see if they can reproduce?
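A reproduction probe for the symptom reported above, added here as an example; it is not code from the issue, from the reporter, or from the Zeppelin project. It assumes Zeppelin's REST login endpoint (POST /api/login with form fields userName and password), that an accepted login answers HTTP 200 with a JSON envelope whose "status" is "OK", and that a rejected login answers with a non-200 status. The base URL, user name and wrong password in the `__main__` block are placeholders, and the `post` parameter exists so the logic can be exercised against a fake server offline.

```python
"""Probe a Zeppelin login endpoint for empty-password acceptance.

Added example, not part of ZEPPELIN-3719 or of Zeppelin's code base.
Assumed: POST /api/login takes form fields userName and password; an
accepted login is HTTP 200 with a JSON body {"status": "OK", ...};
a rejected login is any non-200 status (Zeppelin uses 403).
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Mapping, Tuple

# A poster takes a URL and form fields and returns (HTTP status, response body).
Poster = Callable[[str, Mapping[str, str]], Tuple[int, str]]


def http_post_form(url: str, fields: Mapping[str, str]) -> Tuple[int, str]:
    """Real HTTP poster; 4xx/5xx responses are returned, not raised."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def login_accepted(status: int, body: str) -> bool:
    """True only for a 200 whose JSON envelope reports status OK (assumed format)."""
    if status != 200:
        return False
    try:
        return json.loads(body).get("status") == "OK"
    except (ValueError, AttributeError):
        return False


def probe(base_url: str, user: str, wrong_password: str,
          post: Poster = http_post_form) -> Dict[str, bool]:
    """Try an empty password and a known-wrong password for the same user."""
    url = base_url.rstrip("/") + "/api/login"
    results: Dict[str, bool] = {}
    for label, password in (("empty", ""), ("wrong", wrong_password)):
        status, body = post(url, {"userName": user, "password": password})
        results[label] = login_accepted(status, body)
    return results


def verdict(results: Mapping[str, bool]) -> str:
    """Interpret the two probes; the reported symptom is empty=True, wrong=False."""
    if results["empty"] and not results["wrong"]:
        return "VULNERABLE: empty password accepted, wrong password rejected"
    if results["empty"] and results["wrong"]:
        return "INCONCLUSIVE: every password accepted; check the realm configuration"
    return "OK: empty password rejected"


if __name__ == "__main__":
    # Placeholder target; run only against a server you are authorised to test.
    print(verdict(probe("http://localhost:8080", "someuser", "definitely-not-the-password")))
```

The "wrong" probe is there so that a server which accepts everything (for instance a realm that is not actually enforcing authentication) is not misreported as the specific empty-password case. One well-known cause of exactly this symptom in LDAP-backed realms, not confirmed by the issue, is the unauthenticated bind of RFC 4513 section 5.1.2: a simple bind with a name and an empty password is treated by many directories as anonymous and returns success, so a realm has to reject blank passwords itself before it binds.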

       

People

  Assignee: Vipin Rathor (vrathor-hw)
  Reporter: Ruslan Dautkhanov (Tagar)
  Votes: 0
  Watchers: 5
