If you enabled the IniRealm, users would likely be able to log in without a password, which is why you would need to extend/create a realm that only added additional Authorization, and NOT Authentication.
On Fri, Dec 2, 2016 at 4:14 PM, Ruslan Dautkhanov <dautkha...@gmail.com> wrote:
> Thank you Brian.
>
> We're using Apache Zeppelin, which uses Apache Shiro.
> So it's not our own product and we're limited in what we can develop.
>
> Will it be possible to have
>
> [users]
> rdautkhanov@CORP.DOMAIN = ,admin
>
> So the user name rdautkhanov@CORP.DOMAIN will actually be coming from
> LDAP authentication.
> I've put an empty password because it's not the INI file that defines
> authentication, but the [users] section
> would only bind the LDAP user to those local roles (admin in the example
> above).
>
> If that's possible, then we can do
> /** = roles[admin]
>
> https://zeppelin.apache.org/docs/0.6.2/security/shiroauthentication.html
>
> Our current actual shiro.ini file is as follows:
>
> [main]
>> ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
>> ldapRealm.contextFactory.environment[ldap.searchBase] = "dc=corp,dc=somecompany,dc=com"
>> ldapRealm.contextFactory.url = ldap://adlb.corp.somecompany.com:389
>> ldapRealm.contextFactory.authenticationMechanism = SIMPLE
>> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>> securityManager.sessionManager = $sessionManager
>> securityManager.sessionManager.globalSessionTimeout = 86400000
>> shiro.loginUrl = /api/login
>
>> [urls]
>> /api/version = anon
>> /** = user["rdautkhanov@CORP.DOMAIN"]
>
> The [users] and [roles] sections are currently empty.
> Authentication works as expected, but it lets all authenticated users in.
> We want to limit one Zeppelin instance to one single user.
>
> Best regards,
> Ruslan Dautkhanov
>
> On Fri, Dec 2, 2016 at 7:47 AM, Brian Demers <brian.dem...@gmail.com> wrote:
>
>> You have a couple of options:
>>
>> - Extend and include one of the TextConfigurationRealms: change how users
>> are parsed (remove the need for passwords), and return null from
>> 'doGetAuthenticationInfo()', so the Realm ONLY provides authorization.
>> - Extend the LDAP realm, creating a custom doGetAuthorizationInfo() method
>> - Create/extend your own realm to handle the storage of your
>> roles/permissions
>>
>> On Fri, Dec 2, 2016 at 2:23 AM, Ruslan Dautkhanov <dautkha...@gmail.com> wrote:
>>
>>> Thank you Brian! Yes, this might do what we're looking for.
>>>
>>> Do you have an example of how we could define a shiro.ini role for an LDAP
>>> user?
>>>
>>> I know that the LDAP realm has a mapping of LDAP groups to Shiro roles, but
>>> for other reasons we can't use that.
>>>
>>> Can we just define a static shiro.ini role just for one/a few LDAP users?
>>>
>>> Thanks again.
>>>
>>> --
>>> Ruslan Dautkhanov
>>>
>>> On Thu, Dec 1, 2016 at 8:56 AM, Brian Demers <brian.dem...@gmail.com> wrote:
>>>
>>>> The UserFilter
>>>> <https://shiro.apache.org/static/latest/apidocs/org/apache/shiro/web/filter/authc/UserFilter.html>
>>>> does take a username as an arg; it only verifies a user's principal exists
>>>> (authenticated or remembered).
>>>>
>>>> Your best bet is probably to use permissions or roles
>>>> <http://shiro.apache.org/web.html#urls->
>>>>
>>>> Let us know if this isn't what you are looking for.
>>>>
>>>> On Wed, Nov 30, 2016 at 6:08 PM, Ruslan Dautkhanov <dautkha...@gmail.com> wrote:
>>>>
>>>>> Until we have good multitenancy support in Zeppelin, we'd have to
>>>>> run individual Zeppelin instances for each user. Apache Zeppelin uses Shiro
>>>>> for authentication.
>>>>>
>>>>> So we were trying to use the following shiro.ini configurations:
>>>>>
>>>>>> [urls]
>>>>>> /api/version = anon
>>>>>> /** = user["rdautkhanov@CORP.DOMAIN"]
>>>>>
>>>>> Also tried
>>>>>
>>>>>> /** = authc, user["rdautkhanov@CORP.DOMAIN"]
>>>>>
>>>>> Neither works, in the sense that other users, after successful LDAP
>>>>> authentication, can create their own notebooks in other users' Zeppelin instances.
>>>>>
>>>>> shiro.ini's [users] and [roles] sections are empty.
>>>>>
>>>>> The [main] section configures the LDAP authentication backend, which works as
>>>>> expected.
>>>>>
>>>>> rdautkhanov@CORP.DOMAIN is the actual user name which is used in LDAP
>>>>> authentication.
>>>>>
>>>>> How do we make the [urls] section let only one specific user in?
>>>>> Again, neither
>>>>>
>>>>>> /** = user["rdautkhanov@CORP.DOMAIN"]
>>>>>
>>>>> nor
>>>>>
>>>>>> /** = authc, user["rdautkhanov@CORP.DOMAIN"]
>>>>>
>>>>> works as we expect - any authenticated user can still access /** (all
>>>>> pages).
>>>>>
>>>>> LDAP authentication works as expected; we're struggling with
>>>>> authorization -
>>>>> to lock Zeppelin in [urls] to one user (or a few users).
>>>>>
>>>>> Thank you,
>>>>> Ruslan
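As an added example (this is not code from the thread, from Apache Shiro, or from Zeppelin), here is what Brian's first option looks like in practice: a realm that never authenticates anyone and only maps a principal name to a static set of roles, so the LDAP realm stays the sole source of authentication and `roles[admin]` in `[urls]` can do the locking. The class name, package, and the `definitions` property format (whitespace-separated `user:role1,role2` entries) are my own assumptions, as is the `shiro.ini` wiring shown in the leading comment; the Shiro types and method signatures used are the real ones from `org.apache.shiro.realm.AuthorizingRealm`.

```java
// Hypothetical package and class name; wiring it into the thread's shiro.ini
// would look like this (the LDAP realm lines are the ones from the thread):
//
//   [main]
//   ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
//   ldapRealm.contextFactory.url = ldap://adlb.corp.somecompany.com:389
//   ldapRealm.contextFactory.authenticationMechanism = SIMPLE
//   authzRealm = com.example.shiro.StaticUserRolesRealm
//   authzRealm.definitions = rdautkhanov@CORP.DOMAIN:admin
//   securityManager.realms = $ldapRealm, $authzRealm
//
//   [urls]
//   /api/version = anon
//   /** = authc, roles[admin]
//
// No [users] section is needed, so there is no IniRealm that could let
// someone in without a password.
package com.example.shiro;

import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Authorization-only realm: grants static roles to named principals, never authenticates. */
public class StaticUserRolesRealm extends AuthorizingRealm {

    private final Map<String, Set<String>> rolesByUser = new HashMap<>();

    /**
     * Invoked by Shiro's INI bean wiring for "authzRealm.definitions = ...".
     * Format (my own): entries separated by whitespace, each "user:role[,role...]".
     */
    public void setDefinitions(String definitions) {
        rolesByUser.clear();
        for (String entry : definitions.trim().split("\\s+")) {
            if (entry.isEmpty()) {
                continue;
            }
            int colon = entry.indexOf(':');
            if (colon <= 0 || colon == entry.length() - 1) {
                throw new IllegalArgumentException("expected user:role[,role] but got '" + entry + "'");
            }
            String user = entry.substring(0, colon);
            Set<String> roles = new HashSet<>();
            for (String role : entry.substring(colon + 1).split(",")) {
                if (!role.trim().isEmpty()) {
                    roles.add(role.trim());
                }
            }
            rolesByUser.put(user, Collections.unmodifiableSet(roles));
        }
    }

    /** Never take part in authentication: ModularRealmAuthenticator skips realms that return false. */
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }

    /** Belt and braces: even if asked, contribute no AuthenticationInfo (Brian's "return null"). */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        return null;
    }

    /** Look the primary principal (the username the LDAP realm stored) up in the static table. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Object primary = principals.getPrimaryPrincipal();
        if (primary == null) {
            return null;
        }
        Set<String> roles = rolesByUser.get(primary.toString());
        if (roles == null) {
            // Unknown user: no roles, so a roles[admin] filter denies the request.
            return null;
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setRoles(roles);
        return info;
    }
}
```

Two things to check when deploying something like this. First, the lookup key has to match the primary principal exactly as the LDAP realm stored it, which for Shiro's LDAP realms is the username string the user typed at login, so an entry for `rdautkhanov@CORP.DOMAIN` does not match a login as `RDAUTKHANOV@corp.domain` even though Active Directory accepts both; if that matters, normalize the key and the principal the same way in `doGetAuthorizationInfo`. Second, `roles[admin]` passes if any configured realm grants the role, so roles coming from `LdapGroupRealm`'s own group mapping still count; listing the realms explicitly in `securityManager.realms` makes that set visible in one place rather than relying on Shiro auto-registering every `Realm` defined in `[main]`.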