If you enabled the IniRealm, users would likely be able to log in without a
password, which is why you would need to extend/create a realm that only
adds additional Authorization, and NOT Authentication.

On Fri, Dec 2, 2016 at 4:14 PM, Ruslan Dautkhanov <dautkha...@gmail.com>
wrote:

> Thank you Brian.
>
> We're using Apache Zeppelin which uses Apache Shiro.
> So it's not our own product and we're limited what we can develop.
>
> Will it be possible to have
>
> [users]
> rdautkhanov@CORP.DOMAIN = ,admin
>
> So user name rdautkhanov@CORP.DOMAIN will actually be coming from
> LDAP authentication.
> I've put an empty password because it's not the INI file that defines
> authentication; the [users] section
> would only bind the LDAP user to those local roles (admin in the example
> above).
>
> If that's possible, then we can do
> /** = roles[admin]
>
> https://zeppelin.apache.org/docs/0.6.2/security/shiroauthentication.html
>
> Our current actual shiro.ini file is as follows:
>
>> [main]
>> ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
>> ldapRealm.contextFactory.environment[ldap.searchBase] = "dc=corp,dc=somecompany,dc=com"
>> ldapRealm.contextFactory.url = ldap://adlb.corp.somecompany.com:389
>> ldapRealm.contextFactory.authenticationMechanism = SIMPLE
>> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>> securityManager.sessionManager = $sessionManager
>> securityManager.sessionManager.globalSessionTimeout = 86400000
>> shiro.loginUrl = /api/login
>>
>> [urls]
>> /api/version = anon
>> /** = user["rdautkhanov@CORP.DOMAIN"]
>
> [users] and [roles] sections are currently empty.
> Authentication works as expected, but it lets all authenticated users in.
> We want to limit one Zeppelin instance to one single user.
>
>
> Best regards,
> Ruslan Dautkhanov
>
>
> On Fri, Dec 2, 2016 at 7:47 AM, Brian Demers <brian.dem...@gmail.com>
> wrote:
>
>> You have a couple options:
>>
>> - Extend and include one of the TextConfigurationRealms: change how users
>> are parsed (remove the need for passwords), and return null from
>> 'doGetAuthenticationInfo()', so the Realm ONLY provides authorization.
>> - Extend the LDAP realm, creating a custom doGetAuthorizationInfo() method
>> - Create/extend your own realm to handle the storage of your
>> roles/permissions
>>
>> On Fri, Dec 2, 2016 at 2:23 AM, Ruslan Dautkhanov <dautkha...@gmail.com>
>> wrote:
>>
>>> Thank you Brian! Yes, this might do what we're looking for.
>>>
>>> Do you have an example how we could define a shiro.ini role for an LDAP
>>> user?
>>>
>>> I know that LDAP realm has a mapping of LDAP groups to Shiro roles, but
>>> for other reasons we can't use that.
>>>
>>> Can we just define a static shiro.ini role just for one/few LDAP user?
>>>
>>> Thanks again.
>>>
>>>
>>>
>>> --
>>> Ruslan Dautkhanov
>>>
>>> On Thu, Dec 1, 2016 at 8:56 AM, Brian Demers <brian.dem...@gmail.com>
>>> wrote:
>>>
>>>> The UserFilter
>>>> <https://shiro.apache.org/static/latest/apidocs/org/apache/shiro/web/filter/authc/UserFilter.html>
>>>> does take a username as an arg, it only verifies a user's principal exists
>>>> (authenticated or remembered)
>>>>
>>>> Your best bet is probably to use permissions or roles
>>>> <http://shiro.apache.org/web.html#urls->
>>>>
>>>> Let us know if this isn't what you are looking for
>>>>
>>>> On Wed, Nov 30, 2016 at 6:08 PM, Ruslan Dautkhanov <dautkha...@gmail.com>
>>>> wrote:
>>>>
>>>>> Until we have a good multitenancy support in Zeppelin, we'd have to
>>>>> run individual Zeppelin instances for each user. Apache Zeppelin uses Shiro
>>>>> for authentication.
>>>>>
>>>>> So we were trying to use the following shiro.ini configurations:
>>>>>
>>>>>> [urls]
>>>>>> /api/version = anon
>>>>>> /** = user["rdautkhanov@CORP.DOMAIN"]
>>>>>
>>>>>
>>>>> Also tried
>>>>>
>>>>>> /** = authc, user["rdautkhanov@CORP.DOMAIN"]
>>>>>
>>>>>
>>>>> neither works, in the sense that other users, after successful LDAP
>>>>> authentication,
>>>>> can create their own notebooks in other users' Zeppelin instances.
>>>>>
>>>>> shiro.ini's [users] and [roles] sections are empty.
>>>>>
>>>>> [main] section configures LDAP authentication backend which works as
>>>>> expected.
>>>>>
>>>>> rdautkhanov@CORP.DOMAIN is the actual user name which is used in LDAP
>>>>> authentication.
>>>>>
>>>>> How to make [urls] section let only one specific user in?
>>>>> Again, neither
>>>>>
>>>>>> /** = user["rdautkhanov@CORP.DOMAIN"]
>>>>>
>>>>> nor
>>>>>
>>>>>> /** = authc, user["rdautkhanov@CORP.DOMAIN"]
>>>>>
>>>>> work as we expect - any authenticated user still can access /** (all
>>>>> pages).
>>>>>
>>>>> LDAP authentication works as expected; we're struggling with
>>>>> authorization -
>>>>> to lock Zeppelin in [urls] to one user (or a few users).
>>>>>
>>>>>
>>>>> Thank you,
>>>>> Ruslan
>>>>>
>>>>
>>>>
>>>
>>
>
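Brian's suggestion above, a realm that supplies only authorization (returning null from doGetAuthenticationInfo()) and sits beside the LDAP realm that does the authentication, as an added example written for this thread; it is not code from the thread, from Apache Shiro or from Apache Zeppelin. The class name StaticRoleRealm, its package, and the "user:role1,role2;user2:role3" format of the userRoles property are assumptions; the Shiro classes it extends, the supports() hook, and the shiro.ini wiring syntax are Shiro's own.

```java
package example; // assumed package name, not from the thread

import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/*
 * Authorization-only realm: it never authenticates anyone (that stays with the
 * LDAP realm) and only attaches statically configured roles to a principal name.
 *
 * Wiring in shiro.ini (class name and property format are assumptions):
 *
 *   [main]
 *   ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
 *   ... LDAP settings as in the thread ...
 *   staticRoleRealm = example.StaticRoleRealm
 *   staticRoleRealm.userRoles = rdautkhanov@CORP.DOMAIN:admin
 *   securityManager.realms = $ldapRealm, $staticRoleRealm
 *
 *   [urls]
 *   /api/version = anon
 *   /** = authc, roles[admin]
 *
 * Every user still has to pass LDAP authentication, but only the principals
 * listed in userRoles hold the "admin" role that the /** filter chain requires.
 */
public class StaticRoleRealm extends AuthorizingRealm {

    /** principal name -> roles granted to it */
    private final Map<String, Set<String>> rolesByUser = new HashMap<>();

    /**
     * Parses "user1:roleA,roleB;user2:roleC" (assumed format, set from shiro.ini).
     * Names are matched exactly against the primary principal the LDAP realm
     * returns, so they must use the same spelling and case as the login name.
     */
    public void setUserRoles(String definition) {
        rolesByUser.clear();
        if (definition == null) {
            return;
        }
        for (String entry : definition.split(";")) {
            String trimmed = entry.trim();
            if (trimmed.isEmpty()) {
                continue;
            }
            int colon = trimmed.indexOf(':');
            if (colon < 0) {
                throw new IllegalArgumentException("expected user:role1,role2 but got: " + trimmed);
            }
            String user = trimmed.substring(0, colon).trim();
            Set<String> roles = new HashSet<>();
            for (String role : trimmed.substring(colon + 1).split(",")) {
                if (!role.trim().isEmpty()) {
                    roles.add(role.trim());
                }
            }
            rolesByUser.put(user, roles);
        }
    }

    /** No token type is supported, so the authenticator skips this realm entirely. */
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }

    /** Not reached because supports() is false; null means "no account here" regardless. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        return null;
    }

    /** Look up roles by the primary principal; unknown users get no roles at all. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Object primary = principals == null ? null : principals.getPrimaryPrincipal();
        if (primary == null) {
            return null;
        }
        Set<String> roles = rolesByUser.get(primary.toString());
        if (roles == null) {
            return null;
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRoles(Collections.unmodifiableSet(roles));
        return info;
    }
}
```

Overriding supports() to return false is a stricter form of Brian's "return null" advice: the ModularRealmAuthenticator never consults this realm, so there is no path by which a missing password could authenticate anyone, which is the risk he points out with a plain IniRealm. Because Shiro's default ModularRealmAuthorizer grants a role when any configured realm vouches for it, the LDAP realm's own group-to-role mapping (if any) still applies alongside this one; keep that in mind when deciding which realms to list in securityManager.realms.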
