You have a couple of options:
- Extend and include one of the TextConfigurationRealms: change how users are parsed (remove the need for passwords), and return null from 'doGetAuthenticationInfo()', so the Realm ONLY provides authorization.
- Extend the LDAP realm, creating a custom doGetAuthorizationInfo() method
- Create/extend your own realm to handle the storage of your roles/permissions
On Fri, Dec 2, 2016 at 2:23 AM, Ruslan Dautkhanov <[email protected]> wrote:
> Thank you Brian! Yes, this might do what we're looking for.
>
> Do you have an example of how we could define a shiro.ini role for an LDAP user?
>
> I know that the LDAP realm has a mapping of LDAP groups to Shiro roles, but for other reasons we can't use that.
>
> Can we just define a static shiro.ini role just for one/a few LDAP users?
>
> Thanks again.
>
> --
> Ruslan Dautkhanov
>
> On Thu, Dec 1, 2016 at 8:56 AM, Brian Demers <[email protected]> wrote:
>
>> The UserFilter
>> <https://shiro.apache.org/static/latest/apidocs/org/apache/shiro/web/filter/authc/UserFilter.html>
>> does take a username as an arg, it only verifies a user's principal exists (authenticated or remembered)
>>
>> Your best bet is probably to use permissions or roles
>> <http://shiro.apache.org/web.html#urls->
>>
>> Let us know if this isn't what you are looking for
>>
>> On Wed, Nov 30, 2016 at 6:08 PM, Ruslan Dautkhanov <[email protected]> wrote:
>>
>>> Until we have good multitenancy support in Zeppelin, we'd have to run individual Zeppelin instances for each user. Apache Zeppelin uses Shiro for authentication.
>>>
>>> So we were trying to use the following shiro.ini configurations:
>>>
>>>> [urls]
>>>> /api/version = anon
>>>> /** = user["[email protected]"]
>>>
>>> Also tried
>>>
>>>> /** = authc, user["[email protected]"]
>>>
>>> None works, in the sense that other users, after successful LDAP authentication, can create their own notebooks in other users' Zeppelin instances.
>>>
>>> shiro.ini's [users] and [roles] sections are empty.
>>>
>>> The [main] section configures the LDAP authentication backend, which works as expected.
>>>
>>> [email protected] is the actual user name which is used in LDAP authentication.
>>>
>>> How to make the [urls] section let only one specific user in?
>>>
>>> Again, neither
>>>
>>>> /** = user["[email protected]"]
>>>
>>> nor
>>>
>>>> /** = authc, user["[email protected]"]
>>>
>>> work as we expect - any authenticated user can still access /** (all pages).
>>>
>>> LDAP authentication works as expected; we're struggling with authorization - to lock Zeppelin in [urls] to one user (or a few users).
>>>
>>> Thank you,
>>> Ruslan
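One concrete shape for the first option in the reply above (an authorization-only realm extending Shiro's TextConfigurationRealm, fed static user-to-role lines from shiro.ini while the LDAP realm does the authenticating), written as an added example for this thread rather than code from the list, from Shiro or from Zeppelin. The class name, the LDAP URL, the DN template and the user/role names are placeholders; the Shiro types and setters used are the real ones.

```java
import java.util.Map;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAccount;
import org.apache.shiro.realm.text.TextConfigurationRealm;
import org.apache.shiro.util.StringUtils;

// shiro.ini wiring (constructed sample; URL, DN template and names are placeholders,
// and the class name must be fully qualified if the class lives in a package):
//   [main]
//   ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
//   ldapRealm.userDnTemplate = uid={0},ou=people,dc=example,dc=com
//   ldapRealm.contextFactory.url = ldap://ldap.example.com:389
//   staticRoles = StaticRoleRealm
//   staticRoles.userDefinitions = [email protected] = owner
//   securityManager.realms = $ldapRealm, $staticRoles
//   [urls]
//   /api/version = anon
//   /** = authc, roles[owner]
public class StaticRoleRealm extends TextConfigurationRealm {
    // Never take part in authentication: the LDAP realm proves identity.
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }
    // Returns null on purpose, so this realm only answers authorization queries.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        return null;
    }
    // Parse "username = role1, role2" with no password column. The username must
    // equal the principal the LDAP realm returns, i.e. the login name.
    @Override
    protected void processUserDefinitions(Map<String, String> userDefs) {
        if (userDefs == null) return;
        for (Map.Entry<String, String> entry : userDefs.entrySet()) {
            SimpleAccount account = getUser(entry.getKey());
            if (account == null) {
                account = new SimpleAccount(entry.getKey(), null, getName());
                add(account);
            }
            for (String roleName : StringUtils.split(entry.getValue())) {
                account.addRole(roleName);
            }
        }
    }
}
```

With this wiring only the principal listed under userDefinitions holds the owner role, so any other account that authenticates against LDAP is refused at /** by the roles filter; each additional user needs its own userDefinitions line.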
