Until we have good multitenancy support in Zeppelin, we'd have to run individual Zeppelin instances for each user. Apache Zeppelin uses Shiro for authentication.
So we were trying to use the following shiro.ini configurations:
none works in a sense that other users after successful LDAP authentication
can create their own notebooks in other users' Zeppelin instances.
In shiro.ini, the [users] and [roles] sections are empty.
[main] section configures LDAP authentication backend which works as
How to make [urls] section let only one specific user in?
work as we expect - any authenticated user still can access /** (all pages).
LDAP authentication works as expected; we're struggling with authorization -
to lock Zeppelin in [urls] to one user (or a few users).
The UserFilter does take a username as an arg, it only verifies a user's principal exists (authenticated or remembered).
Let us know if this isn't what you are looking for.
On Wed, Nov 30, 2016 at 6:08 PM, Ruslan Dautkhanov <[hidden email]> wrote:
Thank you Brian! Yes, this might do what we're looking for.
Do you have an example of how we could define a shiro.ini role for an LDAP user?
I know that the LDAP realm has a mapping of LDAP groups to Shiro roles, but for other reasons we can't use that.
Can we just define a static shiro.ini role just for one/few LDAP users?
On Thu, Dec 1, 2016 at 8:56 AM, Brian Demers <[hidden email]> wrote:
You have a couple options:
- Extend and include one of the TextConfigurationRealms: change how users are parsed (remove the need for passwords), and return null from 'doGetAuthenticationInfo()', so the Realm ONLY provides authorization.
- Extend the LDAP realm, creating a custom doGetAuthorizationInfo() method
- Create/extend your own realm to handle the storage of your roles/permissions
On Fri, Dec 2, 2016 at 2:23 AM, Ruslan Dautkhanov <[hidden email]> wrote:
Thank you Brian.
We're using Apache Zeppelin which uses Apache Shiro.
So it's not our own product and we're limited in what we can develop.
Will it be possible to have
[hidden email] = ,admin
So the user name [hidden email] will actually be coming from LDAP authentication.
I've put an empty password because it's not the INI file that defines authentication, but the [users] section
would only bind the LDAP user to those local roles (admin in the example above).
If that's possible, then we can do
/** = roles[admin]
Our current actual shiro.ini file is as follows:
[users] and [roles] sections are currently empty.
Authentication works as expected, but it lets all authenticated users in.
We want to limit one Zeppelin instance to one single user.
On Fri, Dec 2, 2016 at 7:47 AM, Brian Demers <[hidden email]> wrote:
If you enabled the IniRealm, users would likely be able to login without a password. Which is why you would need to extend/create a realm that only added additional Authorization, and NOT Authentication.
On Fri, Dec 2, 2016 at 4:14 PM, Ruslan Dautkhanov <[hidden email]> wrote:
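A sketch of the authorization-only realm suggested in the thread, added here as an example and not code from the thread, Shiro or Zeppelin. The class name `StaticRoleRealm`, its `allowedUsers` and `role` properties, the `example` package, the user name `alice` and the `ldapRealm` bean name in the comment are all assumptions for illustration.

```java
// Added illustration; StaticRoleRealm, allowedUsers and role are hypothetical names.
// Assumed shiro.ini wiring (ldapRealm stands for the LDAP realm already in [main]):
//   [main]
//   staticRoles = example.StaticRoleRealm
//   staticRoles.allowedUsers = alice
//   staticRoles.role = admin
//   securityManager.realms = $ldapRealm, $staticRoles
//   [urls]
//   /** = authc, roles[admin]
package example;

import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class StaticRoleRealm extends AuthorizingRealm {
    private Set<String> allowedUsers = Collections.emptySet();
    private String role = "admin";

    // Set from shiro.ini as a comma-separated list of user names.
    public void setAllowedUsers(String csv) {
        allowedUsers = Arrays.stream(csv.split(","))
                .map(String::trim).filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    public void setRole(String role) { this.role = role; }

    // Refuse every token so this realm is never consulted at login;
    // authentication stays with the LDAP realm and no password-less login opens up.
    @Override
    public boolean supports(AuthenticationToken token) { return false; }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        return null; // this realm holds no account data
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Assumption: the LDAP realm stores the login name as the primary principal.
        String user = String.valueOf(principals.getPrimaryPrincipal());
        if (allowedUsers.contains(user)) info.addRole(role);
        return info; // users not listed get no roles, so roles[admin] rejects them
    }
}
```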