Jithin Chandran created ZEPPELIN-3061:
-----------------------------------------
Summary: Zeppelin's SecurityUtils.getRoles() is not retrieving
roles from Shiro's doGetAuthorizationInfo() for a custom realm.
Key: ZEPPELIN-3061
URL: https://issues.apache.org/jira/browse/ZEPPELIN-3061
Project: Zeppelin
Issue Type: Bug
Reporter: Jithin Chandran
On logging in to Zeppelin, the SecurityUtils.getRoles() method is called to
retrieve the principal and role details. However, the getRoles() method is
currently checking and retrieving the roles only if the classname equals
"org.apache.shiro.realm.text.IniRealm", or
"org.apache.zeppelin.realm.LdapRealm", or
"org.apache.zeppelin.realm.ActiveDirectoryGroupRealm".

In the case of a Shiro CAS implementation with a custom realm, the
doGetAuthorizationInfo(PrincipalCollection principals) is overridden, and the
roles are retrieved from the method which are present in principals as
attributes. Since the SecurityUtils.getRoles() method is always checking for
the classnames with the above mentioned 3 classes, the method is always
returning roles as an empty list, regardless of the fact that the roles are
present within the Subject in the custom realm.
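The behaviour reported above, reproduced as an added example (not Zeppelin's code and not part of the original report): a lookup gated on realm class names returns no roles for a custom realm, while asking the Shiro Subject reaches the realm's overridden doGetAuthorizationInfo(). It assumes Apache Shiro on the classpath; CustomRealm, the account, the role names and both helper methods are hypothetical.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.*;
import org.apache.shiro.subject.*;

public class RealmRoleDemo {
    // Hypothetical custom realm standing in for the CAS-backed realm in the report.
    static class CustomRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            // Constructed account: any user name with the password "secret".
            return new SimpleAuthenticationInfo(token.getPrincipal(), "secret", getName());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            // Constructed roles; the report's realm reads them from principal attributes.
            return new SimpleAuthorizationInfo(new HashSet<>(Arrays.asList("admin", "analyst")));
        }
    }
    // The three realm class names listed in the report.
    static final Set<String> KNOWN_REALMS = new HashSet<>(Arrays.asList(
        "org.apache.shiro.realm.text.IniRealm",
        "org.apache.zeppelin.realm.LdapRealm",
        "org.apache.zeppelin.realm.ActiveDirectoryGroupRealm"));
    // Realm-agnostic: Subject.hasRole() is answered by whichever realm is configured.
    static Set<String> rolesViaSubject(Subject subject, Collection<String> candidates) {
        Set<String> held = new TreeSet<>();
        for (String role : candidates) if (subject.hasRole(role)) held.add(role);
        return held;
    }
    // Model of the gating described in the report: any other realm class yields no roles.
    static Set<String> rolesGatedOnRealmClass(Realm realm, Subject subject, Collection<String> candidates) {
        if (!KNOWN_REALMS.contains(realm.getClass().getName())) return Collections.emptySet();
        return rolesViaSubject(subject, candidates);
    }
    public static void main(String[] args) {
        Realm realm = new CustomRealm();
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "secret"));
        List<String> candidates = Arrays.asList("admin", "analyst", "guest");
        System.out.println("gated on class name: " + rolesGatedOnRealmClass(realm, subject, candidates));
        System.out.println("asked via Subject:   " + rolesViaSubject(subject, candidates));
    }
}
```

Shiro's Subject offers role checks (hasRole, hasRoles, hasAllRoles) but no method that lists roles, so the realm-agnostic helper filters a candidate list instead of enumerating.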