Thank you Brian! Yes, this might do what we're looking for. Do you have an example how we could define a shiro.ini role for an LDAP user?
I know that LDAP realm has a mapping of LDAP groups to Shiro roles, but for other reasons we can't use that. Can we just define a static shiro.ini role just for one/few LDAP users? Thanks again.

--
Ruslan Dautkhanov

On Thu, Dec 1, 2016 at 8:56 AM, Brian Demers <[email protected]> wrote:

> The UserFilter
> <https://shiro.apache.org/static/latest/apidocs/org/apache/shiro/web/filter/authc/UserFilter.html>
> does take a username as an arg, it only verifies a user's principal exists
> (authenticated or remembered)
>
> Your best bet is probably to use permissions or roles
> <http://shiro.apache.org/web.html#urls->
>
> Let us know if this isn't what you are looking for
>
> On Wed, Nov 30, 2016 at 6:08 PM, Ruslan Dautkhanov <[email protected]>
> wrote:
>
>> Until we have a good multitenancy support in Zeppelin, we'd have to run
>> individual Zeppelin instances for each user. Apache Zeppelin uses Shiro for
>> authentication.
>>
>> So we were trying to use following shiro.ini configurations:
>>
>>> [urls]
>>> /api/version = anon
>>> /** = user["[email protected]"]
>>
>> Also tried
>>
>>> /** = authc, user["[email protected]"]
>>
>> none works in a sense that other users after successful LDAP
>> authentication
>> can create their own notebooks in other user's Zeppelin instances.
>>
>> shiro.ini has [users] and [roles] sections are empty.
>>
>> [main] section configures LDAP authentication backend which works as
>> expected.
>>
>> [email protected] is actual user name which is used in LDAP
>> authentication.
>>
>> How to make [urls] section let only one specific user in?
>> Again, neither
>>
>>> /** = user["[email protected]"]
>>
>> nor
>>
>>> /** = authc, user["[email protected]"]
>>
>> work as we expect - any authenticated user still can access /** (all
>> pages).
>>
>> LDAP authentication works as expected; we're struggling with
>> authorization -
>> to lock Zeppelin in [urls] to one user (or a few users).
>>
>>
>> Thank you,
>> Ruslan
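One way to get a static role for a few LDAP users without the group-to-role mapping, as an added example that is not part of this thread and is not Shiro's or Zeppelin's own code: subclass the LDAP realm and hand out a role from a fixed list of login names, then gate `/**` with the `roles` filter. It assumes the `[main]` realm can be swapped for a subclass of Shiro's `JndiLdapRealm`; the package, class name, `owners` property, role name `owner` and the user `owner@example.com` are placeholders, and matching names case-insensitively is an assumption about the directory.

```java
package com.example; // hypothetical package name

import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.subject.PrincipalCollection;

// Assumed shiro.ini wiring (realm name and user are placeholders):
//   [main]
//   ldapRealm = com.example.StaticRoleLdapRealm
//   ldapRealm.owners = owner@example.com
//   [urls]
//   /api/version = anon
//   /** = authc, roles[owner]
public class StaticRoleLdapRealm extends JndiLdapRealm {

    private static final String OWNER_ROLE = "owner"; // placeholder role name
    private final Set<String> owners = new HashSet<>();

    // Comma-separated login names, set as a plain string from shiro.ini.
    public void setOwners(String commaSeparated) {
        owners.clear();
        for (String name : commaSeparated.split(",")) {
            String trimmed = name.trim();
            if (!trimmed.isEmpty()) {
                owners.add(trimmed.toLowerCase(Locale.ROOT));
            }
        }
    }

    // Called by the realm on authorization checks; no LDAP group lookup is made.
    @Override
    protected AuthorizationInfo queryForAuthorizationInfo(
            PrincipalCollection principals, LdapContextFactory ldapContextFactory) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        Object principal = getAvailablePrincipal(principals);
        // Everyone else authenticates but gets no role, so roles[owner] denies them.
        if (principal != null
                && owners.contains(principal.toString().toLowerCase(Locale.ROOT))) {
            info.addRole(OWNER_ROLE);
        }
        return info;
    }
}
```

With an empty `owners` list no user receives the role, so a missing or mistyped property locks the instance rather than opening it.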
