1. Enable the Shiro configuration
- The shiro.ini.template file in the conf directory is Shiro's sample configuration; create the working configuration file by copying it:
cd conf/
cp shiro.ini.template shiro.ini
2. Configure Shiro
2.1 Configuring plaintext passwords
vim shiro.ini
[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
# To enable admin user, uncomment the following line and set an appropriate password.
# Plaintext passwords: username = password, role
admin = admin, admin
luke = luke, analysis
# Configure roles
[roles]
admin = *
analysis = *
# Require authentication for access to every URL
[urls]
# This section is used for url-based security. For details see the shiro.ini documentation.
#
# You can secure interpreter, configuration and credential information by urls.
# Comment or uncomment the below urls that you want to hide:
# anon means the access is anonymous.
# authc means form based auth Security.
#
# IMPORTANT: Order matters: URL path expressions are evaluated against an incoming request
# in the order they are defined and the FIRST MATCH WINS.
#
# To allow anonymous access to all but the stated urls,
# uncomment the line second last line (/** = anon) and comment the last line (/** = authc)
#
/api/version = authc
/api/cluster/address = authc
# Allow all authenticated users to restart interpreters on a notebook page.
# Comment out the following line if you would like to authorize only admin users to restart interpreters.
/api/interpreter/setting/restart/** = authc
/api/interpreter/** = authc, roles[admin]
/api/notebook-repositories/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/admin/** = authc, roles[admin]
#/** = anon
/** = authc
Restart the service:
./zeppelin-daemon.sh restart
Logging in with the admin account now succeeds.
2.2 Using hashed passwords for password security
Hash the user passwords with the Command Line Hasher:
## download the Command Line Hasher tool (mvn dependency:get fetches it into ~/.m2)
mvn dependency:get -DgroupId=org.apache.shiro.tools -DartifactId=shiro-tools-hasher -Dclassifier=cli -Dversion=1.7.0
## hash a user's password with the downloaded tool
java -jar ~/.m2/repository/org/apache/shiro/tools/shiro-tools-hasher/1.7.0/shiro-tools-hasher-1.7.0-cli.jar -p
Password to hash:
Password to hash (confirm):
$shiro1$SHA-256$500000$ybTZ7NhAdqsYUyD8ytJ95A==$+LP9EVgd/Dnokwp6V1n8cg1BQHx1J1LlxwCAGX+QLMY=
Add the following to [main] so that the implicit iniRealm uses a CredentialsMatcher that knows how to verify securely hashed passwords:
[main]
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher
Configure the user passwords with the hashed values:
[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
# To enable admin user, uncomment the following line and set an appropriate password.
admin = $shiro1$SHA-256$500000$ybTZ7NhAdqsYUyD8ytJ95A==$+LP9EVgd/Dnokwp6V1n8cg1BQHx1J1LlxwCAGX+QLMY=, admin
luke = $shiro1$SHA-256$500000$ybTZ7NhAdqsYUyD8ytJ95A==$+LP9EVgd/Dnokwp6V1n8cg1BQHx1J1LlxwCAGX+QLMY=, analysis
Restart the service for the change to take effect:
./zeppelin-daemon.sh restart
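Added example (not from the original page or from Shiro's source): Python that reproduces the `$shiro1$` string the hasher printed above and checks a plaintext password against it the way PasswordMatcher does at login. The password and salt used in the block are constructed values.

```python
import base64
import hashlib
import hmac
import os

def shiro1_digest(password: str, salt: bytes, algorithm: str, iterations: int) -> bytes:
    """Mirror Shiro's SimpleHash: digest(salt || password), then re-digest iterations-1 times."""
    # Java MessageDigest names ("SHA-256", "SHA-512", "MD5") map to hashlib names this way.
    name = algorithm.replace("-", "").lower()
    h = hashlib.new(name)
    h.update(salt)                      # an empty salt field means "no salt"
    h.update(password.encode("utf-8"))
    hashed = h.digest()
    for _ in range(iterations - 1):     # iterations < 1 behaves like 1, as in SimpleHash
        hashed = hashlib.new(name, hashed).digest()
    return hashed

def format_shiro1(password: str, salt: bytes, algorithm: str = "SHA-256", iterations: int = 500000) -> str:
    """Build the string shiro-tools-hasher prints: $shiro1$ALG$ITER$base64(salt)$base64(hash)."""
    digest = shiro1_digest(password, salt, algorithm, iterations)
    enc = base64.b64encode
    return f"$shiro1${algorithm}${iterations}${enc(salt).decode()}${enc(digest).decode()}"

def parse_shiro1(stored: str) -> tuple:
    """Split a $shiro1$ string into (algorithm, iterations, salt, digest)."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "" or parts[1] != "shiro1":
        raise ValueError("not a $shiro1$ formatted hash")
    _, _, algorithm, iterations, salt_b64, digest_b64 = parts
    return algorithm, int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)

def passwords_match(plaintext: str, stored: str) -> bool:
    """What PasswordMatcher does at login: re-hash with the stored salt and parameters, then compare."""
    algorithm, iterations, salt, expected = parse_shiro1(stored)
    actual = shiro1_digest(plaintext, salt, algorithm, iterations)
    return hmac.compare_digest(actual, expected)  # constant-time comparison

if __name__ == "__main__":
    # Constructed values: a random 16-byte salt, as the hasher tool generates a fresh one per run.
    line = format_shiro1("constructed-password", os.urandom(16))
    print("admin =", line + ", admin")          # paste this into [users]
    print("match:", passwords_match("constructed-password", line))
    print("match:", passwords_match("wrong-password", line))
```

Because the hasher draws a new random salt on every run, two accounts that carry the identical `$shiro1$` string (as both users do in the [users] block above) necessarily share one password; run the hasher once per account.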