
shiro.ini [urls] authorization: lock to one user

Ruslan Dautkhanov
Until we have good multitenancy support in Zeppelin, we'd have to run individual Zeppelin instances for each user. Apache Zeppelin uses Shiro for authentication.

So we were trying to use the following shiro.ini configurations:
[urls]
/api/version = anon
/** = user["[hidden email]"]

Also tried:
/** = authc, user["[hidden email]"]

None works, in the sense that other users, after successful LDAP authentication,
can create their own notebooks in another user's Zeppelin instance.

shiro.ini's [users] and [roles] sections are empty.

The [main] section configures the LDAP authentication backend, which works as
expected.

[hidden email] is the actual user name used in LDAP authentication.

How do we make the [urls] section let only one specific user in?
Again, neither
/** = user["[hidden email]"]
nor
/** = authc, user["[hidden email]"]
works as we expect - any authenticated user can still access /** (all pages).

LDAP authentication works as expected; we're struggling with authorization -
locking Zeppelin in [urls] to one user (or a few users).


Thank you,
Ruslan
Re: shiro.ini [urls] authorization: lock to one user

Brian Demers
The UserFilter does take a username as an arg; it only verifies that a user's principal exists (authenticated or remembered).

Your best bet is probably to use permissions or roles.

Let us know if this isn't what you are looking for.

On Wed, Nov 30, 2016 at 6:08 PM, Ruslan Dautkhanov <[hidden email]> wrote:
Re: shiro.ini [urls] authorization: lock to one user

Ruslan Dautkhanov
Thank you Brian! Yes, this might do what we're looking for.

Do you have an example of how we could define a shiro.ini role for an LDAP user?

I know that the LDAP realm has a mapping of LDAP groups to Shiro roles, but for other reasons we can't use that.

Can we just define a static shiro.ini role for one or a few LDAP users?

Thanks again.



--
Ruslan Dautkhanov

On Thu, Dec 1, 2016 at 8:56 AM, Brian Demers <[hidden email]> wrote:
Re: shiro.ini [urls] authorization: lock to one user

Brian Demers
You have a couple options:

- Extend and include one of the TextConfigurationRealms: change how users are parsed (remove the need for passwords), and return null from 'doGetAuthenticationInfo()', so the Realm ONLY provides authorization.
- Extend the LDAP realm, creating a custom doGetAuthorizationInfo() method
- Create/extend your own realm to handle the storage of your roles/permissions

On Fri, Dec 2, 2016 at 2:23 AM, Ruslan Dautkhanov <[hidden email]> wrote:
Re: shiro.ini [urls] authorization: lock to one user

Ruslan Dautkhanov
Thank you Brian.

We're using Apache Zeppelin, which uses Apache Shiro.
So it's not our own product and we're limited in what we can develop.

Will it be possible to have

[users]

So the user name [hidden email] will actually be coming from LDAP authentication.
I've put an empty password because it's not the INI file that defines authentication; the [users] section
would only bind the LDAP user to those local roles (admin in the example above).

If that's possible, then we can do
/** = roles[admin]


Our current actual shiro.ini file is as follows:

[main]
ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
ldapRealm.contextFactory.environment[ldap.searchBase] = "dc=corp,dc=somecompany,dc=com"
ldapRealm.contextFactory.url = ldap://adlb.corp.somecompany.com:389
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[urls]
/api/version = anon
/** = user["[hidden email]"]

The [users] and [roles] sections are currently empty.
Authentication works as expected, but it lets all authenticated users in.
We want to limit one Zeppelin instance to one single user.


Best regards,
Ruslan Dautkhanov


On Fri, Dec 2, 2016 at 7:47 AM, Brian Demers <[hidden email]> wrote:
Re: shiro.ini [urls] authorization: lock to one user

Brian Demers
If you enabled the IniRealm, users would likely be able to log in without a password. Which is why you would need to extend/create a realm that only added additional Authorization, and NOT Authentication.

On Fri, Dec 2, 2016 at 4:14 PM, Ruslan Dautkhanov <[hidden email]> wrote:
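Brian's suggestion of a realm that returns null from doGetAuthenticationInfo() and only provides authorization, combined with his last point that a plain IniRealm would let users log in without a password, written out as an added example; this is not code from the thread, from Zeppelin or from Shiro. The class name StaticRoleRealm, the userRoles property format and the shiro.ini lines in the comment are my assumptions, as are that the LDAP realm's primary principal is the plain username string and that the compiled class is on Zeppelin's classpath.

```java
import java.util.*;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Authorization-only realm: it never authenticates, so unlike IniRealm it cannot be
// used to log in without a password. It only maps principals the LDAP realm already
// established to static roles. Assumed wiring in shiro.ini, next to the existing ldapRealm:
//   [main]
//   staticRoles = StaticRoleRealm            (hypothetical class; use its fully qualified name)
//   staticRoles.userRoles = alice@corp:admin;bob@corp:admin
//   securityManager.realms = $ldapRealm, $staticRoles
//   [urls]
//   /api/version = anon
//   /** = authc, roles[admin]
public class StaticRoleRealm extends AuthorizingRealm {
    // username -> roles, filled from the userRoles property (the "user:role,role;..." format is mine)
    private final Map<String, Set<String>> rolesByUser = new HashMap<>();

    public void setUserRoles(String spec) {
        for (String entry : spec.split(";")) {
            String[] parts = entry.trim().split(":", 2);
            if (parts.length != 2) continue;
            Set<String> roles = new HashSet<>();
            for (String r : parts[1].split(",")) roles.add(r.trim());
            rolesByUser.put(parts[0].trim(), roles);
        }
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        return false;  // the authenticator skips this realm; only LDAP can prove identity
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        return null;   // unreachable given supports(); present because the method is abstract
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Assumes the LDAP realm's primary principal is the plain username string.
        String user = String.valueOf(getAvailablePrincipal(principals));
        Set<String> roles = rolesByUser.getOrDefault(user, Collections.emptySet());
        return new SimpleAuthorizationInfo(roles);
    }
}
```

With both realms in securityManager.realms, every user still authenticates against LDAP, but only the principals listed in userRoles satisfy roles[admin] on /**; everyone else is authenticated yet denied.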