zeppelin
zeppelin copied to clipboard
apache
ZEPPELIN-3664: ActiveDirectoryGroupRealm returns "cn" instead of "userPrincipalName" for note permission auto completion
- Return "userPrincipalName" from ActiveDirectoryGroupRealm when searching for users.
- Added unit test for search functionality.
What is this PR for?
Fix for https://issues.apache.org/jira/browse/ZEPPELIN-3664 Return the "userPrincipalName" instead of the "cn" (common name) from ActiveDirectoryGroupRealm when searching users to set note permissions.
What type of PR is it?
[Bug Fix]
Todos
What is the Jira issue?
- https://issues.apache.org/jira/browse/ZEPPELIN-3664
How should this be tested?
Steps to reproduce
- Configure connection to AD with org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
- Login to Zeppelin
- Create new notebook
- Edit the permissions and start typing the name of a AD user to one of the permission fields
- Select one of the suggestions and save
- Check the content of "notebook-authorization.json"
Expected result
- The "userPrincipalName" of the user is shown in the suggestion box and written to "notebook-authorization.json" (see screenshot attached).
Actual result
- The "cn" (common name) of the user is shown in the suggestion box and written to "notebook-authorization.json".
Screenshots
Questions:
- Does the licenses files need update? - No
- Is there breaking changes for older versions? - No
- Does this needs documentation? - No
@fsteinle our team use authorization with parameter
activeDirectoryRealm.principalSuffix = @company.com
Thus email is not necessary. Could it possible to use mailNickName, for example?
BTW, userPrincipalName is good.
@mebelousov: Basically this is not related to emails but to the userPrincipalName. The principalSuffix parameter makes sense, but doesn't address this issue. In our case we wanna keep the suffix to be sure it's really unique. Not all users of the organization are in the same AD branch.
