ZEPPELIN-2539

Allow group/role based authentication in Zeppelin

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 0.7.1
    • Fix Version/s: 0.7.2, 0.8.0
    • Component/s: zeppelin-server
    • Labels:

      Description

      Consider a scenario where a zeppelin-server is secured using Shiro and needs to permit access to the web interface only to a select group of users, using LDAP groups.

      Use case:
      An LDAP server has groups HKG_USERS and UK_USERS, but access to the Zeppelin server should be allowed only to HKG_USERS. Currently this is not possible using the LdapRealm.

      A partial workaround for such a scenario is:

      /api/login = authc
      /api/login/logout = authc
      # To also secure websockets
      /api/security/ticket = authc, roles[admin]
      /** = authc, roles[admin]
      

      In this case the user can log in but cannot make any API calls if he is not part of the group `admin`. The WebSockets still work, so the restriction only works for API calls.

      It would be nice to have a method to secure the login for specific LDAP groups.

      Following is one way to implement this:
      We introduce a new property in shiro.ini:

      ldapRealm.allowedRolesForAuthentication = admin,user
      

      In the LdapRealm, during authentication, we also verify that at least one of the allowed roles matches one of the roles of the authenticated principal.
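
The check described above, as a stand-alone Java example added here; it is not Zeppelin's LdapRealm code. The class, the method names and the group-to-role mapping are hypothetical, and treating an empty allow-list as "no restriction" is an assumption.

```java
import java.util.*;

// Added illustration, not Zeppelin's LdapRealm. All names here are hypothetical.
public class AllowedRolesCheck {

    // Parse a comma-separated property value such as "admin,user" into role names.
    static Set<String> parseAllowedRoles(String property) {
        Set<String> roles = new LinkedHashSet<>();
        if (property == null) return roles;
        for (String part : property.split(",")) {
            String role = part.trim();
            if (!role.isEmpty()) roles.add(role);
        }
        return roles;
    }

    // Translate the LDAP groups found for the user into application roles.
    // Groups without a mapping contribute no role.
    static Set<String> rolesFor(Collection<String> ldapGroups, Map<String, String> groupToRole) {
        Set<String> roles = new HashSet<>();
        for (String group : ldapGroups) {
            String role = groupToRole.get(group);
            if (role != null) roles.add(role);
        }
        return roles;
    }

    // Run after the LDAP bind has succeeded and before a session is issued.
    // Assumption: an empty allow-list means the property is unset (no restriction).
    static boolean mayAuthenticate(Set<String> allowed, Set<String> principalRoles) {
        if (allowed.isEmpty()) return true;
        return !Collections.disjoint(allowed, principalRoles);
    }

    public static void main(String[] args) {
        Set<String> allowed = parseAllowedRoles("admin, user");
        Map<String, String> groupToRole = new HashMap<>();
        groupToRole.put("HKG_USERS", "user"); // constructed mapping; UK_USERS maps to no role

        // Valid credentials in both cases; only group membership differs.
        for (String group : Arrays.asList("HKG_USERS", "UK_USERS")) {
            Set<String> roles = rolesFor(Collections.singletonList(group), groupToRole);
            System.out.println(group + " -> login allowed: " + mayAuthenticate(allowed, roles));
        }
    }
}
```

Because the decision is made at login, a rejected user never gets a session, so the WebSocket gap left by the URL-filter workaround does not arise.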

              People

              • Assignee:
                sohaibiftikhar Sohaib Iftikhar
                Reporter:
                sohaibiftikhar Sohaib Iftikhar