Using LDAP as the authentication mechanism for Zeppelin

As mentioned in the previous post, the Zeppelin 0.6 release adds support for authenticated login,
so a notebook can be managed with an ACL that specifies which accounts are allowed to read and write that note.

Zeppelin uses the Shiro library to handle login authentication:
http://shiro.apache.org/java-authentication-guide.html
The relevant settings live in $ZEPPELIN_HOME/conf/shiro.ini.

Out of the box it already ships with a few test accounts, but the default is the anon mode, which requires no authentication; you have to switch to authc mode before authentication is actually enforced.

[users]
#...
admin = password1
user1 = password2, role1, role2
user2 = password3, role3
user3 = password4, role2

[roles]
role1 = *
role2 = *
role3 = *
#/** = anon
/** = authc

After changing that setting, I noticed that Shiro also supports authenticating usernames and passwords against AD and LDAP,
so I happily configured it.

### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = dc=example,dc=com
ldapRealm.contextFactory.url = ldap://ldap.example.com:389
ldapRealm.userDnTemplate = uid={0},ou=user,dc=example,dc=com
ldapRealm.contextFactory.authenticationMechanism = SIMPLE

LDAP accounts and passwords now worked, but a problem came up.
Shiro can use the role setting to manage groups, yet after I set up LDAP the LDAP accounts were not bound to their groups at all:
at login there was only user information and no group information.

From the config file it was not clear how to attach roles to LDAP accounts either.
After digging into the source code a bit, I found that the problem was in my LDAP setup:
https://github.com/apache/zeppelin/blob/24922e1036c5e410b676fd9b513d008cb046424e/zeppelin-server/src/main/java/org/apache/zeppelin/server/LdapGroupRealm.java#L64
Zeppelin currently binds a user's groups through the groupOfNames objectClass,
but because my LDAP also serves ssh login information, it uses posixGroup as the objectClass for user groups.

To solve this I had to restructure my LDAP tree.
The new LDAP structure is as follows:

The structure above has four parts:
- root: used for managing LDAP
- user: holds the user entries, using the account and posixAccount objectClasses
- group: read by Zeppelin, using the groupOfNames objectClass
- osgroup: provides group information for the OS, using posixGroup

Once the new LDAP structure is in place, the LDAP groups still have to be added to the roles section of shiro.ini:

[roles]
role1 = *
role2 = *
role3 = *
dev1 = *

With that, Zeppelin correctly reads the groups an LDAP user belongs to.

The complete shiro.ini and the LDAP ldif files are attached below.

conf/shiro.ini
[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
admin = password1
user1 = password2, role1, role2
user2 = password3, role3
user3 = password4, role2

# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = dc=example,dc=com
ldapRealm.contextFactory.url = ldap://ldap.example.com:389
ldapRealm.userDnTemplate = uid={0},ou=user,dc=example,dc=com
ldapRealm.contextFactory.authenticationMechanism = SIMPLE

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
role1 = *
role2 = *
role3 = *
dev1 = *

[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# authc means Form based Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
#/** = anon
/** = authc

root.ldif
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example-LDAP

dn: cn=root,dc=example,dc=com
objectClass: organizationalRole
cn: root

dn: ou=user,dc=example,dc=com
ou: user
objectClass: organizationalUnit
description: user

dn: ou=group,dc=example,dc=com
ou: group
objectClass: organizationalUnit
description: group of application

dn: ou=osgroup,dc=example,dc=com
ou: osgroup
objectClass: organizationalUnit
description: group of os

user.ldif
dn: uid=taro,ou=user,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: taro
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxx
uidNumber: 3491004
gidNumber: 3491003
cn: taro
homeDirectory: /home/taro
loginShell: /bin/bash

group.ldif
dn: cn=dev1,ou=group,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: dev1
member: uid=taro,ou=user,dc=example,dc=com

osgroup.ldif
dn: cn=dev1,ou=osgroup,dc=example,dc=com
objectClass: posixGroup
cn: dev1
gidNumber: 3491003
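As an added consistency check (not part of the original post and not Zeppelin code): the script below parses ldif in the layout above and verifies that every groupOfNames group in ou=group has member DNs that resolve to posixAccount entries, a matching posixGroup in ou=osgroup, and an entry under [roles] in shiro.ini. It assumes the dc=example,dc=com base and the ou=user/ou=group/ou=osgroup layout from this page; SAMPLE_LDIF is a constructed input.

```python
from collections import defaultdict

# Constructed sample LDIF (assumption: it mirrors the user, group and osgroup entries above).
SAMPLE_LDIF = """\
dn: uid=taro,ou=user,dc=example,dc=com
objectClass: posixAccount

dn: cn=dev1,ou=group,dc=example,dc=com
objectClass: groupOfNames
cn: dev1
member: uid=taro,ou=user,dc=example,dc=com

dn: cn=dev1,ou=osgroup,dc=example,dc=com
objectClass: posixGroup
cn: dev1
"""

def parse_ldif(text):
    """Parse minimal LDIF (no line folding, no base64 values) into {dn: {attr: [values]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = (part.strip() for part in line.partition(":"))
        if attr.lower() == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def check_groups(entries, shiro_roles, base_dn="dc=example,dc=com"):
    """Return a list of problems; an empty list means the two group trees are consistent."""
    problems = []
    for dn, attrs in entries.items():
        if "groupOfNames" not in attrs.get("objectClass", []):
            continue
        cn = attrs["cn"][0]
        # 1. every member DN must resolve to a real posixAccount entry
        for member in attrs.get("member", []):
            if "posixAccount" not in entries.get(member, {}).get("objectClass", []):
                problems.append(f"{dn}: member {member} is not a posixAccount entry")
        # 2. a posixGroup with the same cn must exist so OS/ssh logins keep working
        os_dn = f"cn={cn},ou=osgroup,{base_dn}"
        if "posixGroup" not in entries.get(os_dn, {}).get("objectClass", []):
            problems.append(f"{dn}: no matching posixGroup {os_dn}")
        # 3. the post adds every LDAP group to [roles] in shiro.ini; flag any that are missing
        if cn not in shiro_roles:
            problems.append(f"{dn}: group {cn} missing from shiro.ini [roles]")
    return problems
```

Run it against the real ldif exports and the role names from shiro.ini before restarting Zeppelin; every line it prints is a group that will silently fail to map.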