Re: shiro.ini [urls] authorization: lock to one user

2016-12-05 Thread Brian Demers
If you enabled the IniRealm, users would likely be able to log in without a
password, which is why you would need to extend/create a realm that only
adds additional Authorization, and NOT Authentication.


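Brian's options boil down to a realm that hands out roles but never authenticates anyone, so that the LDAP realm stays the only way in. The class below is an added example of such a realm (not code from this thread, Zeppelin or Shiro); the class name, package, the allowedUsers/grantedRole property names and the shiro.ini wiring shown in its comment are assumptions, and it assumes the LDAP realm reports the login name (rdautkhanov@CORP.DOMAIN) as the primary principal.

```java
package com.example; // hypothetical package for this added example

import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * Authorization-only realm: grants one fixed role to an allow-list of principals that
 * the LDAP realm has already authenticated. It never authenticates anyone, so unlike an
 * IniRealm [users] entry with an empty password it cannot let a user in passwordless.
 * Assumed shiro.ini wiring next to the existing ldapRealm:
 *   [main]
 *   roleRealm = com.example.StaticRoleRealm
 *   roleRealm.allowedUsers = rdautkhanov@CORP.DOMAIN
 *   securityManager.realms = $ldapRealm, $roleRealm
 *   [urls]
 *   /** = authc, roles[admin]
 */
public class StaticRoleRealm extends AuthorizingRealm {
    private Set<String> allowedUsers = Collections.emptySet();
    private String grantedRole = "admin";

    /** Comma-separated principals, spelled exactly as the LDAP realm reports them. */
    public void setAllowedUsers(String csv) {
        Set<String> users = new LinkedHashSet<>();
        for (String u : csv.split(",")) {
            if (!u.trim().isEmpty()) users.add(u.trim());
        }
        this.allowedUsers = users;
    }
    public void setGrantedRole(String role) { this.grantedRole = role; }

    /** Claim no token type, so the authenticator never consults this realm at login. */
    @Override
    public boolean supports(AuthenticationToken token) { return false; }

    /** Defence in depth: even if asked, refuse to authenticate (Brian's "return null"). */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) { return null; }

    /** Only allow-listed principals get the role; everyone else fails roles[admin]. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        Object primary = principals.getPrimaryPrincipal();
        if (primary != null && allowedUsers.contains(primary.toString())) info.addRole(grantedRole);
        return info;
    }
}
```

With this realm registered, a user the LDAP realm accepts but who is not in allowedUsers still authenticates, yet gets no roles and is turned away by roles[admin] on /**.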

Re: shiro.ini [urls] authorization: lock to one user

2016-12-02 Thread Ruslan Dautkhanov
Thank you Brian.

We're using Apache Zeppelin, which uses Apache Shiro.
So it's not our own product, and we're limited in what we can develop.

Will it be possible to have

[users]
rdautkhanov@CORP.DOMAIN = ,admin

so that the user name rdautkhanov@CORP.DOMAIN will actually come from LDAP
authentication?
I've put an empty password because it's not the INI file that defines
authentication; the [users] section would only bind the LDAP user to those
local roles (admin in the example above).

If that's possible, then we can do
/** = roles[admin]

https://zeppelin.apache.org/docs/0.6.2/security/shiroauthentication.html

Our current actual shiro.ini file is as follows:

[main]
ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
ldapRealm.contextFactory.environment[ldap.searchBase] = "dc=corp,dc=somecompany,dc=com"
ldapRealm.contextFactory.url = ldap://adlb.corp.somecompany.com:389
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 8640
shiro.loginUrl = /api/login

[urls]
/api/version = anon
/** = user["rdautkhanov@CORP.DOMAIN"]


[users] and [roles] sections are currently empty.
Authentication works as expected, but it lets all authenticated users in.
We want to limit one Zeppelin instance to one single user.


Best regards,
Ruslan Dautkhanov




Re: shiro.ini [urls] authorization: lock to one user

2016-12-02 Thread Brian Demers
You have a couple options:

- Extend and include one of the TextConfigurationRealms: change how users
are parsed (remove the need for passwords), and return null from
'doGetAuthenticationInfo()', so the Realm ONLY provides authorization.
- Extend the LDAP realm, creating a custom doGetAuthorizationInfo() method
- Create/extend your own realm to handle the storage of your
roles/permissions



Re: shiro.ini [urls] authorization: lock to one user

2016-12-01 Thread Ruslan Dautkhanov
Thank you Brian! Yes, this might do what we're looking for.

Do you have an example of how we could define a shiro.ini role for an LDAP
user?

I know that the LDAP realm has a mapping of LDAP groups to Shiro roles, but for
other reasons we can't use that.

Can we just define a static shiro.ini role for just one or a few LDAP users?

Thanks again.



-- 
Ruslan Dautkhanov



Re: shiro.ini [urls] authorization: lock to one user

2016-12-01 Thread Brian Demers
The UserFilter does take a username as an arg, but it only verifies that a
user's principal exists (authenticated or remembered).

Your best bet is probably to use permissions or roles.

Let us know if this isn't what you are looking for.

On Wed, Nov 30, 2016 at 6:08 PM, Ruslan Dautkhanov wrote:

> Until we have good multitenancy support in Zeppelin, we'd have to run
> individual Zeppelin instances for each user. Apache Zeppelin uses Shiro for
> authentication.
>
> So we were trying to use the following shiro.ini configurations:
>
>> [urls]
>> /api/version = anon
>> /** = user["rdautkhanov@CORP.DOMAIN"]
>
> Also tried:
>
>> /** = authc, user["rdautkhanov@CORP.DOMAIN"]
>
> Neither works, in the sense that other users, after successful LDAP
> authentication, can create their own notebooks in another user's Zeppelin
> instance.
>
> shiro.ini's [users] and [roles] sections are empty.
>
> The [main] section configures the LDAP authentication backend, which works as
> expected.
>
> rdautkhanov@CORP.DOMAIN is the actual user name used in LDAP authentication.
>
> How do we make the [urls] section let only one specific user in?
> Again, neither
>
>> /** = user["rdautkhanov@CORP.DOMAIN"]
>
> nor
>
>> /** = authc, user["rdautkhanov@CORP.DOMAIN"]
>
> works as we expect: any authenticated user can still access /** (all
> pages).
>
> LDAP authentication works as expected; we're struggling with authorization,
> to lock Zeppelin in [urls] to one user (or a few users).
>
>
> Thank you,
> Ruslan
>