[ZEPPELIN-6186] fix searching user using JdbcRealm

[sh1nj1]

What is this PR for?

This PR fixes a broken feature where getUserList fails when using JdbcRealm for Shiro authentication.

The previous PR addressing SQL injection introduced an error that prevents getUserList from working correctly with JdbcRealm. As a result, users are unable to set notebook permissions.

Ref: #4676

What type of PR is it?

Bug Fix

Todos

What is the Jira issue?

• https://issues.apache.org/jira/browse/ZEPPELIN-3725
• https://issues.apache.org/jira/browse/ZEPPELIN-6186

How should this be tested?

Added new unit test should be passed

• ./mvnw clean package -pl zeppelin-server -am

Verify in UI

• Go to notebook permission settings
• Type username and see if username listed

Screenshots (if appropriate)

Questions:

• Does the license files need to update? No
• Is there breaking changes for older versions? No
• Does this needs documentation? No

[jongyoul]

I think it would be better to use PreparedStatement instead of making a query using String.format.

[sh1nj1]

That's the last PR's issue for this, you can use parameter replacement in where clause, not the table name or projections. That's why I make this PR.
SELECT ? FROM ? makes query syntax error because it create invalid query by the PreparedStatement because you can not use '?' in select clause or from clause.

[jongyoul]

Can you please explain more about it? If PreparedStatement disallows it, it shouldn't be passed as a query. The test case doesn't cover it as well.

[jongyoul]

I think we could set SELECT ? FROM ? WHERE ? LIKE ?, and pass it as ps.setString(4, "%" + username + "%").

[sh1nj1]

https://stackoverflow.com/a/2917509/1395707 this explains it better than me.

I use PreparedStatement only set WHERE username LIKE ? but remove from select clause and from clause.
If I use old implementation, it creates an error in test case that I added here.

[sh1nj1]

SELECT ? FROM ? WHERE ? LIKE ?

that's the point, previous PR use this form rather than String.format but it misuse PreparedStatement, so that it creates error.

So I changed and I added some validation for username and tablename for the possible SQL Injection that previous PR tried to implement.

[jongyoul]

Ah .. I got the point. You meant we shouldn't use an identifier as a literal in the preparedStatement.

[jongyoul]

Thank you for your contribution! I left one comment. Please check it.

[jongyoul]

LGTM. By the way, we can refator the whole logic to parse a tablename and username, and get them from separate variables and pass them directly. Can you consider refactoring the logic as well?

[jongyoul]

@sh1nj1 Can you please create a new ticket so that I can give you credit as the assignee for this issue?

[sh1nj1]

@jongyoul updated the ticket ID

Can you consider refactoring the logic as well?

I can do in a separate PR

[Reamer]

Looks good to me too. Only the indentation looks strange. Maybe it's a GitHub display issue. Can you please make sure you don't use tabs for the indentation.

[sh1nj1]

@Reamer fixed indentation

[Reamer]

The indentation looks much better. I have two minor points to mention.

[Reamer]

Why the count?

[sh1nj1]

is it naming issue, no need issue or anything else?
BTW, I removed the variable.

[Reamer]

LGTM
If no further comments are received, I will merge the whole thing next Monday.