ZEPPELIN-2825 - Add documentation for supporting any of the Shiro roles

2026-05-24 09:38:26 +00:00 · 2017-08-02 16:23:20 -07:00 · 2017-08-02 16:23:20 -07:00 · 3f49d8413c
commit 3f49d8413c
parent c5fc9deac9
1 changed files with 20 additions and 0 deletions
--- a/docs/setup/security/shiro_authentication.md
+++ b/docs/setup/security/shiro_authentication.md
@ -226,6 +226,26 @@ Since Shiro provides **url-based security**, you can hide the information by com
 In this case, only who have `admin` role can see **Interpreter Setting**, **Credential** and **Configuration** information.
 If you want to grant this permission to other users, you can change **roles[ ]** as you defined at `[users]` section.

+### Apply multiple roles in Shiro configuration
+By default, Shiro will allow access to a URL if only user is part of all the roles defined like this:
+```
+[urls]
+
+/api/interpreter/** = authc, roles[admin, role1]
+```
+
+If there is a need that user with "any of the defined roles" should be allowed, then following Shiro configuration can be used:
+```
+[main]
+anyofroles = org.apache.zeppelin.utils.AnyOfRolesAuthorizationFilter
+
+[urls]
+
+/api/interpreter/** = authc, anyofroles[admin, role1]
+/api/configurations/** = authc, roles[admin]
+/api/credential/** = authc, roles[admin]
+```
+
 <br/>
 > **NOTE :** All of the above configurations are defined in the `conf/shiro.ini` file.