Posted to users@zeppelin.apache.org by Michał Kabocik <mi...@gmail.com> on 2017/01/27 11:32:02 UTC

How group based authentication works with shiro?

Dears,

I'm trying to configure Shiro to authenticate users from AD and to limit
access to log in to the web UI to a specific group.

Here's my shiro.ini config:

activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = user
activeDirectoryRealm.systemPassword = password
activeDirectoryRealm.searchBase = "OU=x,OU=x,OU=x,DC=x,DC=x,DC=x"
activeDirectoryRealm.url = ldaps://ldap.domain.com:636
activeDirectoryRealm.groupRolesMap = "CN=HADOOP_GROUP,OU=x,OU=x,OU=x,OU=x,DC=x,DC=x,DC=x":"role1"
activeDirectoryRealm.authorizationCachingEnabled = false

[roles]
role1 = *

/api/version = anon
#/** = anon
/** = authc

Currently, authentication works for every user who is in the search base, so
everyone from the search base can log in. To limit access, I would like to have
authorization based on a specified group, like above.
What am I missing?

I'll appreciate your help.
Kind regards,

-- 
Michał Kabocik

Re: How group based authentication works with shiro?

Posted by Yaar Reuveni <ya...@liveperson.com>.
I got the exact same issue,
Can someone give more info on how this should be used?

Thanks,
Yaar

> On 27 Jan 2017, at 13:32, Michał Kabocik <mi...@gmail.com> wrote:
> 
> Dears,
> 
> I'm trying to configure Shiro to authenticate users from AD and to limit access to log in to the web UI to a specific group.
> 
> Here's my shiro.ini config:
> 
> activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
> activeDirectoryRealm.systemUsername = user
> activeDirectoryRealm.systemPassword = password
> activeDirectoryRealm.searchBase = "OU=x,OU=x,OU=x,DC=x,DC=x,DC=x"
> activeDirectoryRealm.url = ldaps://ldap.domain.com:636
> activeDirectoryRealm.groupRolesMap = "CN=HADOOP_GROUP,OU=x,OU=x,OU=x,OU=x,DC=x,DC=x,DC=x":"role1"
> activeDirectoryRealm.authorizationCachingEnabled = false
> 
> [roles]
> role1 = *
> 
> /api/version = anon
> #/** = anon
> /** = authc
> 
> Currently, authentication works for every user who is in the search base, so everyone from the search base can log in. To limit access, I would like to have authorization based on a specified group, like above.
> What am I missing?
> 
> I'll appreciate your help.
> Kind regards,
> 
> -- 
> Michał Kabocik

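
Added example (not part of either message, and not Zeppelin or Shiro code): in Shiro, authc in a URL chain only requires a logged-in user, while the roles[...] filter is what checks a role such as role1. The simplified Python model of first-match [urls] evaluation below compares the thread's chain with one that adds roles[role1]; it assumes the realm has already turned AD group membership into role names, and /api/notebook is a sample request path.

```python
import re

# Constructed [urls] sections: the chain from the thread, and one that also requires role1.
URLS_AUTHC_ONLY = """
/api/version = anon
/** = authc
"""
URLS_WITH_ROLE = """
/api/version = anon
/** = authc, roles[role1]
"""

def parse_urls(text):
    """Return ordered (pattern, [filters]) pairs, skipping blanks and # comments."""
    chains = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, filters = line.partition("=")
        # Split on filter names, keeping a bracketed argument such as roles[a,b] intact.
        chains.append((pattern.strip(), re.findall(r"\w+(?:\[[^\]]*\])?", filters)))
    return chains

def matches(pattern, path):
    """Simplified Ant-style match: only exact paths and a trailing /** are modelled."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def allowed(urls_text, path, roles):
    """roles is None for an anonymous request, else the set of role names the realm returned."""
    for pattern, filters in parse_urls(urls_text):
        if not matches(pattern, path):
            continue
        for f in filters:
            name, _, arg = f.partition("[")
            if name == "authc" and roles is None:
                return False              # not logged in
            if name == "roles":
                required = {r.strip() for r in arg.rstrip("]").split(",")}
                if roles is None or not required <= roles:
                    return False          # logged in, but missing a required role
        return True                       # first matching pattern decides
    return True                           # no chain matched: request is not filtered

if __name__ == "__main__":
    for label, cfg in (("authc only", URLS_AUTHC_ONLY), ("authc + roles", URLS_WITH_ROLE)):
        print(label, allowed(cfg, "/api/notebook", set()), allowed(cfg, "/api/notebook", {"role1"}))
```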