zeppelin/docs/security
Prabhjyot Singh 24922e1036 [Zeppelin 946] Permissions not honoring group
### What is this PR for?
Error:

    Insufficient privileges to write notebook.
    Allowed users or roles: [admin, zeppelinWrite]
    But the user randerson belongs to: [randerson]

It seems clear that user randerson isn't mapped to any roles, or groups (even though he of course is a member of the zeppelinWrite group in AD and as a result also part of the local admin Role). A TCPDUMP reveals that during login, all of my group memberships are in fact returned during the LDAP bind operation. However, when I attempt to modify a notebook, a call is never made to AD, to pull back my group memberships. It doesn't seem to look at my local group memberships (/etc/group) either.

### What type of PR is it?
[Bug Fix]

### Todos
* [x] - fix for permissions not honoring group
* [x] - read roles from shiro.ini
* [x] - at times group name was displaying instead of user/principal name.
* [x] - doc

### What is the Jira issue?
[ZEPPELIN-946](https://issues.apache.org/jira/browse/ZEPPELIN-946)

### Screenshots/How should this be tested?
Use one of the following settings for IniRealm, LDAP or AD in shiro.ini

    [users]
    # IniRealm accounts: username = password, role
    admin = password1, admin
    finance1 = finance1, finance
    finance2 = finance2, finance
    hr1 = hr1, hr
    hr2 = hr2, hr

    [main]
    activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
    activeDirectoryRealm.systemUsername = userNameA
    activeDirectoryRealm.systemPassword = passwordA
    activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
    activeDirectoryRealm.url = ldap://ldap.test.com:389
    activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
    activeDirectoryRealm.authorizationCachingEnabled = false

    ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
    # search base for ldap groups (only relevant for LdapGroupRealm):
    ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
    ldapRealm.contextFactory.url = ldap://ldap.test.com:389
    ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
    ldapRealm.contextFactory.authenticationMechanism = SIMPLE

    [roles]
    admin = *
    hr = *
    finance = *
    group1 = *

    [urls]
    /api/version = anon
    /** = authc

Log in as user1 (say finance1), and set a permission of a notebook as "finance"
<img width="1282" alt="screen shot 2016-06-11 at 9 50 32 am" src="https://cloud.githubusercontent.com/assets/674497/15983178/aad710ee-2fbc-11e6-861d-508ecc8c7b74.png">

Save setting
<img width="1281" alt="screen shot 2016-06-11 at 9 51 05 am" src="https://cloud.githubusercontent.com/assets/674497/15983180/aad86ea8-2fbc-11e6-8b68-4571496ec733.png">

Now log out and log in as user2 (say finance2), which belongs to the same group as above, "finance"; verify that you have access to the same notebook.
<img width="1282" alt="screen shot 2016-06-11 at 9 51 25 am" src="https://cloud.githubusercontent.com/assets/674497/15983181/aad9a78c-2fbc-11e6-8a41-a3dc108cabdc.png">

Log out and log in again, this time as a user that does not belong to the group "finance", say hr1. Verify that this user does not have permission to view the same notebook.
<img width="1281" alt="screen shot 2016-06-11 at 9 51 42 am" src="https://cloud.githubusercontent.com/assets/674497/15983179/aad7794e-2fbc-11e6-9002-f7b0fc54ac59.png">

### Questions:
* Do the license files need an update? no
* Are there breaking changes for older versions? no
* Does this need documentation? no

Author: Prabhjyot Singh <prabhjyotsingh@gmail.com>

Closes #986 from prabhjyotsingh/ZEPPELIN-946 and squashes the following commits:

e04c145 [Prabhjyot Singh] add sample LDAP and AD realm setting in comments
3e443d7 [Prabhjyot Singh] improving performance of ActiveDirectoryGroupRealm
188ac17 [Prabhjyot Singh] activeDirectoryRealm.principalSuffix isn't honoured
293853e [Prabhjyot Singh] fix failing selenium test case
8d41149 [Prabhjyot Singh] try maximize browser
41bb23b [Prabhjyot Singh] selenium test case
3149417 [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-946
310a81d [Prabhjyot Singh] make `[roles]` optional in shiro.ini
966a96c [Prabhjyot Singh] update doc
ed54a92 [Prabhjyot Singh] read roles from shiro.ini
e8f1f97 [Prabhjyot Singh] fix for permissions not honoring group
4194f93 [Prabhjyot Singh] sometimes it displays groupName instead of principal
2016-06-17 14:48:57 +05:30
..
authentication.md [ZEPPELIN-980] Move git repository from incubator-zeppelin to zeppelin 2016-06-10 09:02:41 -07:00
interpreter_authorization.md [ZEPPELIN-939] Improve notebook authorization documentation 2016-06-10 10:47:35 +09:00
notebook_authorization.md [ZEPPELIN-980] missing "incubation-" references 2016-06-12 12:47:35 -07:00
shiroauthentication.md [Zeppelin 946] Permissions not honoring group 2016-06-17 14:48:57 +05:30