Thank you Brian.

We're using Apache Zeppelin which uses Apache Shiro.
So it's not our own product and we're limited in what we can develop.

Will it be possible to have

[users]
[email protected] = ,admin

So the user name [email protected] will actually be coming from LDAP
authentication.
I've put an empty password because it's not the INI file that defines
authentication; the [users] section
would only bind the LDAP user to those local roles (admin in the example above).

If that's possible, then we can do
/** = roles[admin]

https://zeppelin.apache.org/docs/0.6.2/security/shiroauthentication.html

Our current actual shiro.ini file is as follows:

[main]
ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
ldapRealm.contextFactory.environment[ldap.searchBase] = "dc=corp,dc=somecompany,dc=com"
ldapRealm.contextFactory.url = ldap://adlb.corp.somecompany.com:389
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[urls]
/api/version = anon
/** = user["[email protected]"]


[users] and [roles] sections are currently empty.
Authentication works as expected, but it lets all authenticated users in.
We want to limit one Zeppelin instance to one single user.


Best regards,
Ruslan Dautkhanov


On Fri, Dec 2, 2016 at 7:47 AM, Brian Demers <[email protected]> wrote:

> You have a couple options:
>
> - Extend and include one of the TextConfigurationRealms: change how users
> are parsed (remove the need for passwords), and return null from
> 'doGetAuthenticationInfo()', so the Realm ONLY provides authorization.
> - Extend the LDAP realm, creating a custom doGetAuthorizationInfo() method
> - Create/extend your own realm to handle the storage of your
> roles/permissions
>
> On Fri, Dec 2, 2016 at 2:23 AM, Ruslan Dautkhanov <[email protected]>
> wrote:
>
>> Thank you Brian! Yes, this might do what we're looking for.
>>
>> Do you have an example how we could define a shiro.ini role for an LDAP
>> user?
>>
>> I know that LDAP realm has a mapping of LDAP groups to Shiro roles, but
>> for other reasons we can't use that.
>>
>> Can we just define a static shiro.ini role just for one or a few LDAP users?
>>
>> Thanks again.
>>
>>
>>
>> --
>> Ruslan Dautkhanov
>>
>> On Thu, Dec 1, 2016 at 8:56 AM, Brian Demers <[email protected]>
>> wrote:
>>
>>> The UserFilter
>>> <https://shiro.apache.org/static/latest/apidocs/org/apache/shiro/web/filter/authc/UserFilter.html>
>>> does take a username as an arg, it only verifies a user's principal exists
>>> (authenticated or remembered)
>>>
>>> Your best bet is probably to use permissions or roles
>>> <http://shiro.apache.org/web.html#urls->
>>>
>>> Let us know if this isn't what you are looking for
>>>
>>> On Wed, Nov 30, 2016 at 6:08 PM, Ruslan Dautkhanov <[email protected]>
>>> wrote:
>>>
>>>> Until we have a good multitenancy support in Zeppelin, we'd have to run
>>>> individual Zeppelin instances for each user. Apache Zeppelin uses Shiro for
>>>> authentication.
>>>>
>>>> So we were trying to use the following shiro.ini configurations:
>>>>
>>>>> [urls]
>>>>> /api/version = anon
>>>>> /** = user["[email protected]"]
>>>>
>>>>
>>>> Also tried
>>>>
>>>>> /** = authc, user["[email protected]"]
>>>>
>>>>
>>>> Neither works, in the sense that other users, after successful LDAP
>>>> authentication,
>>>> can create their own notebooks in another user's Zeppelin instance.
>>>>
>>>> shiro.ini's [users] and [roles] sections are empty.
>>>>
>>>> [main] section configures LDAP authentication backend which works as
>>>> expected.
>>>>
>>>> [email protected] is actual user name which is used in LDAP
>>>> authentication.
>>>>
>>>> How to make [urls] section let only one specific user in?
>>>> Again, neither
>>>>
>>>>> /** = user["[email protected]"]
>>>>
>>>> nor
>>>>
>>>>> /** = authc, user["[email protected]"]
>>>>
>>>> work as we expect - any authenticated user still can access /** (all
>>>> pages).
>>>>
>>>> LDAP authentication works as expected; we're struggling with
>>>> authorization -
>>>> to lock Zeppelin in [urls] to one user (or a few users).
>>>>
>>>>
>>>> Thank you,
>>>> Ruslan
>>>>
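The direction the thread converges on (Brian's first option: a realm that does no authentication and only supplies roles, combined with a roles[...] filter in [urls] instead of user["..."], whose argument is not a username) can be shown as a working Shiro realm. The following is an added example written for this page; it is not code from the thread, from Zeppelin or from Shiro. It simplifies Brian's suggestion by extending AuthorizingRealm directly instead of one of the TextConfigurationRealms, and it overrides supports() to return false in addition to returning null from doGetAuthenticationInfo(), so the realm is never consulted for authentication at all. The package name, class name, the userRoles property and its "user:role|user:role" syntax, and the placeholder user names in the INI fragment are all assumptions; the map keys must match exactly the principal string the LDAP realm produces for a logged-in user.

```java
// Added example (not from the thread): an authorization-only Shiro realm that
// maps principal names returned by the LDAP realm to locally defined roles.
// Package, class name and the 'userRoles' property are assumptions.
package com.example.shiro;

import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/*
 * Matching shiro.ini fragment (constructed; user names are placeholders).
 * The existing ldapRealm lines stay as they are; only the new realm, the
 * securityManager.realms list and the [urls] rule are added or changed:
 *
 *   [main]
 *   ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
 *   ...                       (existing ldapRealm settings unchanged)
 *   staticRoleRealm = com.example.shiro.StaticRoleRealm
 *   staticRoleRealm.userRoles = alice@example.com:admin|bob@example.com:admin
 *   securityManager.realms = $ldapRealm, $staticRoleRealm
 *
 *   [urls]
 *   /api/version = anon
 *   /** = authc, roles[admin]
 *
 * authc is satisfied by the LDAP realm; roles[admin] is satisfied only for
 * principals listed in userRoles. Every other LDAP user still authenticates
 * but is denied on /** (default deny), which is the single-user lock wanted.
 */
public class StaticRoleRealm extends AuthorizingRealm {

    /** principal name (exactly as yielded by the LDAP realm) -> role names */
    private final Map<String, Set<String>> rolesByUser = new HashMap<>();

    /**
     * Setter picked up by Shiro's INI object-graph builder for the line
     * "staticRoleRealm.userRoles = user:role1,role2|user2:role".
     * Entries are separated by '|' (chosen so the whole value stays one
     * String), a user from its roles by ':', and roles by ','.
     */
    public void setUserRoles(String spec) {
        rolesByUser.clear();
        for (String entry : spec.split("\\|")) {
            String[] parts = entry.trim().split(":", 2);
            if (parts.length != 2 || parts[0].trim().isEmpty()) {
                throw new IllegalArgumentException("bad userRoles entry: " + entry);
            }
            Set<String> roles = new HashSet<>();
            for (String role : parts[1].split(",")) {
                if (!role.trim().isEmpty()) {
                    roles.add(role.trim());
                }
            }
            rolesByUser.put(parts[0].trim(), roles);
        }
    }

    /** Never take part in authentication; the LDAP realm owns that step. */
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }

    /** Required by the API; unreachable because supports() is false. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        return null;
    }

    /** Authorization: look the authenticated principal up in the static map. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Object primary = getAvailablePrincipal(principals);
        if (primary == null) {
            return null;
        }
        // Default deny: an unlisted principal gets an empty role set, so
        // roles[admin] (and any other role check) fails for that user.
        Set<String> roles = rolesByUser.getOrDefault(primary.toString(), Collections.emptySet());
        return new SimpleAuthorizationInfo(new HashSet<>(roles));
    }
}
```

The compiled class has to be on Zeppelin's classpath for the [main] line to resolve (an assumption about the deployment, not something the thread covers). Shiro's ModularRealmAuthorizer asks every configured AuthorizingRealm in turn, so the LDAP realm keeps answering authc while this realm alone answers roles[admin]; the principal string it receives is whatever the LDAP realm put into the subject, which in this thread is the email-style user name, so the userRoles keys must use that exact spelling.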