Details
Type: Improvement
Status: Resolved
Priority: Critical
Resolution: Fixed
Fix Version: 0.7.1
Description
Consider a scenario where a zeppelin-server is secured using Shiro and needs to permit access to the web interface only to a select group of users, chosen by LDAP group.
Use case:
An LDAP server has the groups HKG_USERS and UK_USERS, but only HKG_USERS should be allowed to access the Zeppelin server. Currently this is not possible using the LdapRealm.
A partial workaround for such a scenario is the following shiro.ini URL section:
/api/login = authc
/api/login/logout = authc
/api/security/ticket = authc, roles[admin]
# To also secure websockets
/** = authc, roles[admin]
In this case the user can log in but cannot use any API calls unless they are part of the group `admin`; the WebSockets still work, however, and hence this only protects API calls.
It would be nice to have a way to restrict login itself to specific LDAP groups.
Following is one way to implement this:
We introduce a new property in shiro.ini:
ldapRealm.allowedRolesForAuthentication = admin,user
In the LdapRealm, during authentication we additionally verify that at least one of the allowed roles matches the roles of the authenticated principal; if none matches, authentication fails even though the LDAP bind succeeded.
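One way to implement this check, as an added example that is not Zeppelin's own LdapRealm code: a realm subclass of Shiro's JndiLdapRealm that accepts the new property from shiro.ini and rejects authentication when the principal holds none of the allowed roles. The class name GroupGatedLdapRealm, the shiro.ini values in the leading comment and the hasAllowedRole helper are illustrative assumptions; doGetAuthenticationInfo, getAuthorizationInfo and AuthorizationInfo.getRoles are Shiro's own API.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.ldap.JndiLdapRealm;

/**
 * Illustrative realm (assumed, not Zeppelin's actual LdapRealm) that gates
 * login on LDAP group membership. Configured in shiro.ini as, for example:
 *
 *   ldapRealm = org.example.GroupGatedLdapRealm
 *   ldapRealm.userDnTemplate = uid={0},ou=people,dc=example,dc=com
 *   ldapRealm.contextFactory.url = ldap://ldap.example.com:389
 *   ldapRealm.allowedRolesForAuthentication = HKG_USERS
 *
 * Shiro's INI loader hands the raw string ("HKG_USERS" or "admin,user") to
 * setAllowedRolesForAuthentication, so the setter splits it on commas.
 */
public class GroupGatedLdapRealm extends JndiLdapRealm {

  // Empty set means "no restriction": behave exactly like the parent realm.
  private Set<String> allowedRolesForAuthentication = Collections.emptySet();

  public void setAllowedRolesForAuthentication(String csv) {
    Set<String> roles = new HashSet<>();
    if (csv != null) {
      for (String r : csv.split(",")) {
        String trimmed = r.trim();
        if (!trimmed.isEmpty()) {
          roles.add(trimmed);
        }
      }
    }
    this.allowedRolesForAuthentication = Collections.unmodifiableSet(roles);
  }

  public Set<String> getAllowedRolesForAuthentication() {
    return allowedRolesForAuthentication;
  }

  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
      throws AuthenticationException {
    // 1. Let the parent realm bind to LDAP with the supplied credentials.
    //    A wrong password still fails here, before any group check runs.
    AuthenticationInfo info = super.doGetAuthenticationInfo(token);

    if (allowedRolesForAuthentication.isEmpty()) {
      return info;
    }

    // 2. Resolve the principal's roles through the realm's own authorization
    //    lookup (the same one Shiro consults for roles[...] URL filters), so the
    //    LDAP-group-to-role mapping lives in exactly one place.
    AuthorizationInfo authz = getAuthorizationInfo(info.getPrincipals());
    Collection<String> roles =
        (authz == null || authz.getRoles() == null)
            ? Collections.<String>emptySet()
            : authz.getRoles();

    // 3. Require at least one allowed role; otherwise refuse the login itself,
    //    so no session exists for either REST calls or WebSocket connections.
    if (!hasAllowedRole(roles, allowedRolesForAuthentication)) {
      throw new AuthenticationException(
          "User " + token.getPrincipal() + " holds no role permitted to log in");
    }
    return info;
  }

  /** True if any of the principal's roles is in the allowed set. */
  static boolean hasAllowedRole(Collection<String> principalRoles, Set<String> allowed) {
    return !Collections.disjoint(principalRoles, allowed);
  }
}
```

Two points worth keeping in mind with this approach: the group check runs only after a successful LDAP bind, so the distinct exception message tells an observer that the password was correct but the group was wrong; it is useful in server-side audit logs but should not be returned to the client verbatim. And because getAuthorizationInfo goes through Shiro's authorization cache, a user removed from HKG_USERS in LDAP is locked out on their next login attempt, not necessarily on their next request within an existing session.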