[jira] [Created] (ZEPPELIN-3061) Zeppelin's SecurityUtils.getRoles() is not retrieving roles from Shiro's doGetAuthorizationInfo() for a custom realm.
Jithin Chandran created ZEPPELIN-3061:
Summary: Zeppelin's SecurityUtils.getRoles() is not retrieving roles from Shiro's doGetAuthorizationInfo() for a custom realm.
URL: https://issues.apache.org/jira/browse/ZEPPELIN-3061
Project: Zeppelin
Issue Type: Bug
Reporter: Jithin Chandran
On logging in to Zeppelin, the SecurityUtils.getRoles() method is called to retrieve the principal and role details. However, the getRoles() method is currently checking and retrieving the roles only if the classname equals "org.apache.shiro.realm.text.IniRealm", or "org.apache.zeppelin.realm.LdapRealm", or "org.apache.zeppelin.realm.ActiveDirectoryGroupRealm".
In the case of a Shiro CAS implementation with a custom realm, the doGetAuthorizationInfo(PrincipalCollection principals) method is overridden, and the roles, which are present in principals as attributes, are retrieved from that method. Since the SecurityUtils.getRoles() method is always checking for the classnames against the above-mentioned 3 classes, the method is always returning roles as an empty list, regardless of the fact that the roles are present within the Subject in the custom realm.
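An added example, not Zeppelin's code and not part of the report: a custom realm that reads roles from a principal attribute, showing that the three class names from the report do not match it while Shiro's own `hasRole(PrincipalCollection, String)` still sees its roles. `AttributeRealm`, the `roles` attribute key, the sample user and `grantedRoles` are assumptions made for the illustration; it needs shiro-core on the classpath.

```java
import java.util.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;

public class RealmRoleLookupDemo {
  // Class names quoted in the report; any other realm falls through a name check.
  static final Set<String> NAME_CHECKED = new HashSet<>(Arrays.asList(
      "org.apache.shiro.realm.text.IniRealm",
      "org.apache.zeppelin.realm.LdapRealm",
      "org.apache.zeppelin.realm.ActiveDirectoryGroupRealm"));

  // Hypothetical custom realm: roles travel as a "roles" attribute in the principals.
  static class AttributeRealm extends AuthorizingRealm {
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
      SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
      Map<?, ?> attrs = principals.oneByType(Map.class);
      Object raw = (attrs == null) ? null : attrs.get("roles");
      if (raw != null) {
        for (String role : raw.toString().split(",")) info.addRole(role.trim());
      }
      return info;
    }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
      return null; // login is not exercised in this example
    }
  }

  // Realm-agnostic lookup: ask Shiro's Authorizer which candidate roles the realm grants.
  static Set<String> grantedRoles(AuthorizingRealm realm, PrincipalCollection who,
                                  Collection<String> candidates) {
    Set<String> granted = new TreeSet<>();
    for (String role : candidates) if (realm.hasRole(who, role)) granted.add(role);
    return granted;
  }

  public static void main(String[] args) {
    AuthorizingRealm realm = new AttributeRealm();
    // Constructed sample principals: a user id plus an attribute map.
    Map<String, String> attrs = Collections.singletonMap("roles", "admin, analyst");
    PrincipalCollection who =
        new SimplePrincipalCollection(Arrays.asList("alice", attrs), realm.getName());
    System.out.println("name check matches: " + NAME_CHECKED.contains(realm.getClass().getName()));
    System.out.println("roles via Authorizer: "
        + grantedRoles(realm, who, Arrays.asList("admin", "analyst", "guest")));
  }
}
```

Running the same `grantedRoles` probe against a deployed realm separates "the realm returns no roles" from "the roles exist but the caller's class-name check skips the realm".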