Hi Mohit,

> Does this sound doable to you? Any example implementations you may know to
> implement this?

Yes. I found an article "Complete example of custom realm" (link
<http://shiro-user.582556.n2.nabble.com/Complete-example-of-custom-realm-td6207177.html>)
which you may find useful.

On Fri, May 13, 2016 at 8:07 PM, Mohit Gupta <mohit.mail...@gmail.com> wrote:

> Hi Prasad,
>
> I am building the binaries from the zeppelin master branch. I checked that
> PR 849 is not there in my build so I will pull the latest changes and build
> again and retry.
>
> We also have similar use-case as you specified in the scheme above but
> instead of LDAP server, we have an external authentication system which
> exposes REST interface. From zeppelin server, we can send REST calls to
> this system containing username/password and this system may respond with
> true/false in the response body. Does this sound doable to you? Any example
> implementations you may know to implement this?
> I am completely new to web space and so looking for references to
> understand the implementation.
>
> Thanks
> Mohit
>
> On Fri, May 13, 2016 at 10:59 PM, Prasad Wagle <prasadwa...@gmail.com>
> wrote:
>
>> Hi Mohit,
>>
>> I think https://github.com/apache/incubator-zeppelin/pull/849 fixes the
>> problem you found.
>>
>> How are you getting the 0.6.0 zeppelin binary? Can you send me the link?
>> I am not sure if it has PR 849 which has been merged.
>>
>> I am not very familiar with Shiro. At Twitter we use the scheme mentioned
>> in the last paragraph of
>> https://zeppelin.incubator.apache.org/docs/0.6.0-incubating-SNAPSHOT/security/authentication.html
>>
>> Another option is to have an authentication server that can verify user
>> credentials in an LDAP server. If an incoming request to the Zeppelin
>> server does not have a cookie with user information encrypted with the
>> authentication server public key, the user is redirected to the
>> authentication server.
>> Once the user is verified, the authentication server
>> redirects the browser to a specific URL in the Zeppelin server which sets
>> the authentication cookie in the browser. The end result is that all
>> requests to the Zeppelin web server have the authentication cookie which
>> contains user and groups information.
>>
>> Prasad
>>
>> On Fri, May 13, 2016 at 7:45 AM, Mohit Gupta <mohit.mail...@gmail.com>
>> wrote:
>>
>>> Hi Prasad,
>>>
>>> Thanks for replying.
>>>
>>> I found that the erroneous behaviour in this case was due to
>>> globalSessionTimeout (in shiro.ini) being too low. I was mistaking it to be
>>> in seconds while it should be in msec. Configuring enough time to let
>>> session remain active, resolved the problem.
>>>
>>> However, I did notice that once the permissions, roles have been
>>> configured for a new notebook, we are not able to remove the already added
>>> users. Logs show that permissions got saved correctly as intended but on
>>> clicking the permission tab again, the removed user re-appears. Pls check
>>> the attached gif.
>>>
>>> Also, am looking for an example to configure shiro.ini to allow a
>>> third-party restful interface to be used as authentication system (node.js
>>> passport system in our case). Pls suggest any pointers if possible.
>>>
>>>
>>> Thanks
>>> Mohit
>>>
>>> On Fri, May 13, 2016 at 7:03 PM, Prasad Wagle <prasadwa...@gmail.com>
>>> wrote:
>>>
>>>> Hi Mohit,
>>>>
>>>> Re. 3:
>>>>
>>>> There are probably exceptions in the server log. Can you please send
>>>> that?
>>>>
>>>> > Am using zeppelin-0.6.0 binary package
>>>> Can you send me the link to download this?
>>>>
>>>> Thanks,
>>>> Prasad
>>>>
>>>> On Thu, May 12, 2016 at 11:10 PM, Mohit Gupta <mohit.mail...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Can anyone pls give some pointers to below?
>>>>>
>>>>>
>>>>> (1) the timeout works well in shiro.ini but is there any way for user
>>>>> to explicitly logout from the connected session?
>>>>>
>>>>> (2) For the external authentication (passport for node.js) system, I
>>>>> forgot to mention that it exposes a Restful interface. So, can we make a
>>>>> Rest call from zeppelin server to this system passing username, password
>>>>> and the system (passport) will respond with just true or false based on
>>>>> whether user is authenticated or not.
>>>>> I need some help to implement this using zeppelin-shiro. Any links to
>>>>> understand how can we do it?
>>>>>
>>>>> (3) For the notebook level authentication, it always gives me error
>>>>> while trying to save the owner/reader/writer options. Pls check the
>>>>> attached screenshot. Steps I did were : logged-in as admin => created a
>>>>> notebook as "test4" => entered owner/reader/writer usernames => save
>>>>> [gives error as insufficient permission]. Am using zeppelin-0.6.0 binary
>>>>> package.
>>>>>
>>>>>
>>>>> Thanks!
>>>>>
>>>>>
>>>>> On Thu, May 12, 2016 at 4:42 PM, Mohit Gupta <mohit.mail...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Prabhjyot,
>>>>>>
>>>>>> Thanks very much for the suggestions. I have following follow-ups if
>>>>>> you could spare some time on this :
>>>>>>
>>>>>> (1) the timeout works well in shiro.ini but is there any way for user
>>>>>> to explicitly logout from the connected session?
>>>>>>
>>>>>> (2) For the external authentication (passport for node.js) system, I
>>>>>> forgot to mention that it exposes a Restful interface. So, can we make a
>>>>>> Rest call from zeppelin server to this system passing username, password
>>>>>> and the system (passport) will respond with just true or false based on
>>>>>> whether user is authenticated or not.
>>>>>> I need some help to implement this using zeppelin-shiro. Any links
>>>>>> to understand how can we do it?
>>>>>>
>>>>>> (3) For the notebook level authentication, it always gives me error
>>>>>> while trying to save the owner/reader/writer options. Pls check the
>>>>>> attached screenshot.
>>>>>> Steps I did were : logged-in as admin => created a
>>>>>> notebook as "test4" => entered owner/reader/writer usernames => save
>>>>>> [gives error as insufficient permission]. Am using zeppelin-0.6.0 binary
>>>>>> package.
>>>>>>
>>>>>>
>>>>>> On Tue, May 10, 2016 at 4:03 PM, Prabhjyot Singh <
>>>>>> prabhjyotsi...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Mohit,
>>>>>>>
>>>>>>> Please find my answers in-line.
>>>>>>>
>>>>>>> On 10 May 2016 at 15:33, Mohit Gupta <mohit.mail...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> (1) I have recently started trying out Zeppelin and was trying to
>>>>>>>> configure the BasicAuth using shiro that comes packaged in the build.
>>>>>>>> It works well using the steps given in docs by doing foll :
>>>>>>>> >> comment out /** = anon and uncomment /** = authcBasic
>>>>>>>> >> turn zeppelin.anonymous.allowed to false
>>>>>>>>
>>>>>>>> However, once I have logged-in using one of the username/password
>>>>>>>> defined in conf/shiro.ini, how do I time-out this session? I want to try
>>>>>>>> out with different log-ins but it appears that the token generated using
>>>>>>>> the first successful login gets saved somewhere with the Zeppelin
>>>>>>>> instance (note.json?) and it gets fetched on doing subsequent accesses. I
>>>>>>>> have tried cleaning browser cache as well as removing the
>>>>>>>> "authenticationInfo" from note.json (Just for finding out where this login
>>>>>>>> info is coming from) but that doesn't help.
>>>>>>>>
>>>>>>>
>>>>>>> For session timeout you can specify the same in shiro.ini file,
>>>>>>> right now it's configured as 24 hours, but it can be changed.
>>>>>>>
>>>>>>> https://github.com/apache/incubator-zeppelin/blob/master/conf/shiro.ini#L35
>>>>>>> But this doesn't work with *authcBasic*, you have to use *authc*
>>>>>>>
>>>>>>> /** = authc
>>>>>>>
>>>>>>>
>>>>>>>> (2) I am also looking for some example to understand configuring
>>>>>>>> Zeppelin with an external authentication server. We have a node.js
>>>>>>>> passport authentication system and it generates a token on validating the
>>>>>>>> user. Is it possible to redirect the users coming to zeppelin server to
>>>>>>>> this authentication server? If yes, is there any sample config to
>>>>>>>> understand changes required?
>>>>>>>> Also, where do we specify the redirection link for authentication
>>>>>>>> server and how do we set the authentication cookie?
>>>>>>>>
>>>>>>>
>>>>>>> For SSO; this document should help you out
>>>>>>> http://shiro.apache.org/cas.html.
>>>>>>>
>>>>>>>
>>>>>>>> (3) Does Zeppelin support keeping notebooks local to a user. i.e.
>>>>>>>> notebooks created by user A are not visible/accessible to any other user
>>>>>>>> like user B?
>>>>>>>>
>>>>>>> Yes, it does support notebook level authorization. Here is a demo
>>>>>>> gif.
>>>>>>>
>>>>>>> https://cloud.githubusercontent.com/assets/870829/12711820/c70fa336-c877-11e5-84e8-e282231988b2.gif
>>>>>>>
>>>>>>>
>>>>>>>> Pls help with any suggestions.
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Thankx and Regards,
>>>>>>>
>>>>>>> Prabhjyot Singh
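
The approach asked about in this thread, a custom Shiro realm that forwards the username and password to an external REST service answering true or false, as an added example; it is not code from the thread, the linked article, Zeppelin or Shiro. The class name `RestAuthRealm`, the `authUrl` property, the form field names and the example URL are assumptions.

```java
// Added example. Hypothetical names: RestAuthRealm, authUrl, form fields "username"/"password".
// Assumed shiro.ini wiring: restRealm = RestAuthRealm
//   restRealm.authUrl = https://auth.example.internal/verify ; securityManager.realms = $restRealm
import java.io.*;
import java.net.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class RestAuthRealm extends AuthorizingRealm {
    private String authUrl; // injected from shiro.ini through the setter below
    public RestAuthRealm() {
        setCredentialsMatcher(new AllowAllCredentialsMatcher()); // the remote service checks the password
    }
    public void setAuthUrl(String authUrl) { this.authUrl = authUrl; }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        UsernamePasswordToken up = (UsernamePasswordToken) token;
        if (up.getUsername() == null || up.getPassword() == null || !remoteVerify(up)) {
            throw new IncorrectCredentialsException("login rejected"); // same error for every failure
        }
        return new SimpleAuthenticationInfo(up.getUsername(), up.getPassword(), getName());
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo(); // the service answers only true/false, so no roles
    }
    private boolean remoteVerify(UsernamePasswordToken up) {
        if (authUrl == null || !authUrl.startsWith("https://")) return false; // no password over plain HTTP
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(authUrl).openConnection();
            c.setConnectTimeout(3000); // a slow auth service must not hang the login thread
            c.setReadTimeout(3000);
            c.setRequestMethod("POST");
            c.setDoOutput(true);
            c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            String body = "username=" + URLEncoder.encode(up.getUsername(), "UTF-8")
                    + "&password=" + URLEncoder.encode(new String(up.getPassword()), "UTF-8");
            try (OutputStream out = c.getOutputStream()) { out.write(body.getBytes("UTF-8")); }
            if (c.getResponseCode() != 200) return false;
            try (BufferedReader r = new BufferedReader(new InputStreamReader(c.getInputStream(), "UTF-8"))) {
                return "true".equals(String.valueOf(r.readLine()).trim()); // anything else is a rejection
            }
        } catch (IOException e) { return false; } // fail closed on network or protocol errors
    }
}
```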