Vipin Rathor created ZEPPELIN-2825:
--------------------------------------
Summary: Zeppelin can't apply one of many Shiro roles to URLs
Key: ZEPPELIN-2825
URL: https://issues.apache.org/jira/browse/ZEPPELIN-2825
Project: Zeppelin
Issue Type: Bug
Components: zeppelin-server
Affects Versions: 0.8.0
Reporter: Vipin Rathor
Zeppelin with Shiro configuration cannot apply multiple Shiro roles to URLs.
For example, if the Shiro configuration is this:
{code:java}
[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin, role1]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
{code}
Then, as per [Shiro documentation|https://shiro.apache.org/web.html#Web-{{\urls\}}] and current [roles filter implementation|https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/web/filter/authz/RolesAuthorizationFilter.html], a user will be able to access the interpreter only when he/she is part of "all" the roles defined against the interpreter URL above.
This fails when you have a user who belongs to any one of those roles, roles[admin, role1].
There is a need for a configuration which can give access to a user who is part of "any of" the roles defined in the Shiro configuration.