Consider a scenario where a zeppelin-server is secured using Shiro and needs to permit access to the web interface to a select group of users using LDAP groups.
An LDAP server has the groups HKG_USERS and UK_USERS, but access to the zeppelin server should be allowed only to HKG_USERS. Currently this is not possible using the LdapRealm.
A partial workaround for such a scenario is:
In this case the user can log in but cannot use any API calls if he is not part of the group `admin`. The WebSockets still work, so the restriction only applies to API calls.
It would be nice to have a method to secure the login for specific `ldapgroups`.
The following is one way to implement this:
We introduce a new property in the shiro.ini
In the LdapRealm, during authentication, we also verify that at least one of the allowed roles matches one of the roles of the authenticated principal.
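
A sketch of the check described above, as an added example in plain Java with no Shiro dependency; it is not Zeppelin's LdapRealm code. The class, method and parameter names are hypothetical, and the role names `hkg_role` and `uk_role` are constructed samples assumed to be the roles mapped from HKG_USERS and UK_USERS.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;

// Added illustration; all names here are hypothetical.
public class AllowedRolesGate {
    private final Set<String> allowedRoles;

    // allowedRolesCsv stands in for the value of the new shiro.ini property,
    // a comma-separated list of roles that may log in.
    public AllowedRolesGate(String allowedRolesCsv) {
        this.allowedRoles = parse(allowedRolesCsv);
    }

    // Split on commas, trim whitespace and drop empty entries.
    static Set<String> parse(String csv) {
        if (csv == null) {
            return Collections.emptySet();
        }
        return Arrays.stream(csv.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    // Run after the LDAP bind succeeded and the principal's roles were resolved.
    // Assumption: an unset or empty allow-list keeps the old behaviour (no restriction).
    public void check(String principal, Set<String> principalRoles) {
        if (allowedRoles.isEmpty()) {
            return;
        }
        boolean match = principalRoles != null
                && principalRoles.stream().anyMatch(allowedRoles::contains);
        if (!match) {
            // Reject the login itself rather than individual API calls.
            throw new SecurityException("No allowed role for principal " + principal);
        }
    }

    public static void main(String[] args) {
        AllowedRolesGate gate = new AllowedRolesGate(" hkg_role , ");
        gate.check("alice", Set.of("hkg_role"));      // mapped from HKG_USERS: accepted
        try {
            gate.check("bob", Set.of("uk_role"));     // only in UK_USERS: rejected
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Role names are compared exactly after trimming, so a role that differs only in case from an allowed one is rejected.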