Posted to users@zeppelin.apache.org by "LINZ, Arnaud" <AL...@bouyguestelecom.fr> on 2018/03/08 16:14:10 UTC

Multiple groups in shiro config for url restriction

Hello,

I am trying to restrict the interpreter configuration page to some specific groups.

/api/interpreter/** = authc, roles[admin1]

works fine, but I have *multiple* LDAP groups to authorize.

I've tried:

/api/interpreter/** = authc, roles[admin1,admin2]
/api/interpreter/** = authc, roles[admin1, admin2]
/api/interpreter/** = authc, roles[admin1;admin2]
/api/interpreter/** = authc, roles[admin1; admin2]
/api/interpreter/** = authc, roles[admin1 | admin2]
/api/interpreter/** = authc, roles[admin1], roles[admin2]

But none works => it denies access to everybody.

How can I do this?

Best regards,
Arnaud


Multiple groups in shiro config for url restriction

Posted by Paul Brenner <pb...@placeiq.com>.
We ran into roles issues in 0.7.x versions of Zeppelin. If you are using 0.7.x this might be causing your trouble:
https://issues.apache.org/jira/browse/ZEPPELIN-2640

This issue finally pushed us over the edge to try building 0.8.0 again.



RE: Multiple groups in shiro config for url restriction

Posted by "LINZ, Arnaud" <AL...@bouyguestelecom.fr>.
Hi,
I've found an answer here:
https://stackoverflow.com/questions/14980703/apache-shiro-allowing-multiple-roles-to-access-a-url-not-working
Shiro performs an "and", which does not make any sense in the general case...
Is there a custom "or" filter implemented in Zeppelin? If not, that would be a great idea, as it's not good practice to patch every piece of software you want to install.


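Added example (not part of the original thread, and not Zeppelin's or Shiro's own code): Shiro's stock `roles[...]` filter requires the subject to hold every listed role, and chaining `roles[admin1], roles[admin2]` applies both checks in turn, which is the "and" behaviour described above. An "or" filter is a small subclass of Shiro's `AuthorizationFilter`; the package name, class name and the `anyofroles` alias below are hypothetical, and the `javax.servlet` imports assume a Shiro 1.x deployment.

```java
package com.example.shiro; // hypothetical package, not a Zeppelin or Shiro package

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

/**
 * Grants access when the subject holds at least ONE of the configured roles.
 *
 * shiro.ini wiring (alias and class name are assumptions of this example):
 *
 *   [main]
 *   anyofroles = com.example.shiro.AnyOfRolesAuthorizationFilter
 *
 *   [urls]
 *   /api/interpreter/** = authc, anyofroles[admin1, admin2]
 */
public class AnyOfRolesAuthorizationFilter extends AuthorizationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request,
                                      ServletResponse response,
                                      Object mappedValue) {
        // Shiro passes the comma-separated text inside [...] as a String[].
        String[] roles = (String[]) mappedValue;

        // Fail closed: an empty role list grants nothing. (The stock
        // roles filter allows access when no roles are configured.)
        if (roles == null || roles.length == 0) {
            return false;
        }

        Subject subject = getSubject(request, response);
        for (String role : roles) {
            String name = role.trim();
            if (!name.isEmpty() && subject.hasRole(name)) {
                return true; // one matching role is enough
            }
        }
        return false; // none of the listed roles matched: deny
    }
}
```

The compiled class has to be on the server's classpath before the `[main]` entry can resolve it. Keep `authc` ahead of the role filter in the chain so that unauthenticated requests are sent to login rather than evaluated for roles.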