Thank you Brian! Yes, this might do what we're looking for.

Do you have an example of how we could define a shiro.ini role for an LDAP
user?

I know that the LDAP realm has a mapping of LDAP groups to Shiro roles, but for
other reasons we can't use that.

Can we just define a static shiro.ini role for just one or a few LDAP users?

Thanks again.



-- 
Ruslan Dautkhanov

On Thu, Dec 1, 2016 at 8:56 AM, Brian Demers <brian.dem...@gmail.com> wrote:

> The UserFilter
> <https://shiro.apache.org/static/latest/apidocs/org/apache/shiro/web/filter/authc/UserFilter.html>
> does take a username as an arg, it only verifies a user's principal exists
> (authenticated or remembered)
>
> Your best bet is probably to use permissions or roles
> <http://shiro.apache.org/web.html#urls->
>
> Let us know if this isn't what you are looking for
>
> On Wed, Nov 30, 2016 at 6:08 PM, Ruslan Dautkhanov <dautkha...@gmail.com>
> wrote:
>
>> Until we have good multitenancy support in Zeppelin, we'd have to run
>> individual Zeppelin instances for each user. Apache Zeppelin uses Shiro for
>> authentication.
>>
>> So we were trying to use the following shiro.ini configurations:
>>
>>> [urls]
>>> /api/version = anon
>>> /** = user["rdautkhanov@CORP.DOMAIN"]
>>
>>
>> Also tried
>>
>>> /** = authc, user["rdautkhanov@CORP.DOMAIN"]
>>
>>
>> Neither works, in the sense that other users, after successful LDAP
>> authentication,
>> can create their own notebooks in other users' Zeppelin instances.
>>
>> The [users] and [roles] sections of shiro.ini are empty.
>>
>> The [main] section configures the LDAP authentication backend, which works as
>> expected.
>>
>> rdautkhanov@CORP.DOMAIN is the actual user name which is used in LDAP
>> authentication.
>>
>> How can we make the [urls] section let only one specific user in?
>> Again, neither
>>
>>> /** = user["rdautkhanov@CORP.DOMAIN"]
>>
>> nor
>>
>>> /** = authc, user["rdautkhanov@CORP.DOMAIN"]
>>
>> work as we expect - any authenticated user still can access /** (all
>> pages).
>>
>> LDAP authentication works as expected; we're struggling with
>> authorization -
>> to lock Zeppelin in [urls] to one user (or a few users).
>>
>>
>> Thank you,
>> Ruslan
>>
>
>
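
As an added example (not part of the thread, and not Shiro or Zeppelin code), this Python check reads a shiro.ini [urls] section and flags the rule discussed above: a `user[...]` argument is written, but the filter only verifies that a principal exists, so the rule does not restrict which user gets in. The role name `zeppelin_owner`, the function names and both sample inputs are constructed for illustration.

```python
import re
from configparser import ConfigParser

# Constructed input: the [urls] rules quoted in the thread.
THREAD_INI = """
[urls]
/api/version = anon
/** = authc, user["rdautkhanov@CORP.DOMAIN"]
"""
# Constructed input: same layout using the roles filter. "zeppelin_owner" is a
# hypothetical role name; a realm still has to grant it to the LDAP principal.
ROLE_INI = """
[urls]
/api/version = anon
/** = authc, roles[zeppelin_owner]
"""

AUTHZ_FILTERS = {"roles", "perms"}  # default Shiro filters that evaluate their [argument]
FILTER_RE = re.compile(r"\s*(\w+)(?:\[(.*?)\])?\s*(?:,|$)")

def parse_chain(chain):
    """Split 'authc, user["x"]' into [(filter_name, argument_or_None), ...]."""
    return [(m.group(1), m.group(2)) for m in FILTER_RE.finditer(chain)]

def audit_urls(ini_text):
    """Return (path, message) findings for [urls] rules that do not authorize."""
    cp = ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep paths and filter names case-sensitive
    cp.read_string(ini_text)
    findings = []
    if not cp.has_section("urls"):
        return findings
    for path, chain in cp.items("urls"):
        filters = parse_chain(chain)
        names = {name for name, _ in filters}
        for name, arg in filters:
            if name == "user" and arg:
                findings.append((path, f"user[{arg}] argument is not evaluated; "
                                       "any authenticated or remembered user passes"))
        if "anon" not in names and not names & AUTHZ_FILTERS:
            findings.append((path, "no roles[...] or perms[...] filter; "
                                   "rule does not restrict which user gets in"))
    return findings

if __name__ == "__main__":
    for label, text in (("thread", THREAD_INI), ("roles", ROLE_INI)):
        for path, msg in audit_urls(text):
            print(f"{label}: {path}: {msg}")
```

The second check is a heuristic: a custom authorization filter registered under another name in [main] would not be recognized by it.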
