Repository: ambari Updated Branches: refs/heads/trunk 7ff9bd429 -> 3db5addb9
AMBARI-20362: Enable Authentication in Zeppelin out of Box (Prabhjyot Singh via r-kamath) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/3db5addb Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/3db5addb Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/3db5addb Branch: refs/heads/trunk Commit: 3db5addb9322b944ed8cc33264ffb505241ba281 Parents: 7ff9bd4 Author: Renjith Kamath <renjith.kam...@gmail.com> Authored: Thu Mar 9 20:40:19 2017 +0530 Committer: Renjith Kamath <renjith.kam...@gmail.com> Committed: Thu Mar 9 20:42:28 2017 +0530 ---------------------------------------------------------------------- .../configuration/zeppelin-shiro-ini.xml | 71 ++++++++++++++------ 1 file changed, 49 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/3db5addb/ambari-server/src/main/resources/common-services/ZEPPELIN/0.6.0.2.5/configuration/zeppelin-shiro-ini.xml ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ZEPPELIN/0.6.0.2.5/configuration/zeppelin-shiro-ini.xml b/ambari-server/src/main/resources/common-services/ZEPPELIN/0.6.0.2.5/configuration/zeppelin-shiro-ini.xml
index 3e2da1e..971e4af 100644
--- a/ambari-server/src/main/resources/common-services/ZEPPELIN/0.6.0.2.5/configuration/zeppelin-shiro-ini.xml
+++ b/ambari-server/src/main/resources/common-services/ZEPPELIN/0.6.0.2.5/configuration/zeppelin-shiro-ini.xml
@@ -24,39 +24,66 @@ [users] # List of users with their password allowed to access Zeppelin. # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections -#admin = password1 -#user1 = password2, role1, role2 -#user2 = password3, role3 -#user3 = password4, role2 +admin = admin, admin +user1 = user1, role1, role2 +user2 = user2, role3 +user3 = user3, role2 # Sample LDAP configuration, for user Authentication, currently tested for single Realm [main] -#activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm -#activeDirectoryRealm.systemUsername = CN=Administrator,CN=Users,DC=HW,DC=EXAMPLE,DC=COM -#activeDirectoryRealm.systemPassword = Password1! -#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks -#activeDirectoryRealm.searchBase = CN=Users,DC=HW,DC=TEST,DC=COM -#activeDirectoryRealm.url = ldap://ad-nano.test.example.com:389 -#activeDirectoryRealm.groupRolesMap = "" -#activeDirectoryRealm.authorizationCachingEnabled = true - -#ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm -#ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=example,dc=com -#ldapRealm.contextFactory.url = ldap://ldaphost:389 +### A sample for configuring Active Directory Realm +#activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm +#activeDirectoryRealm.systemUsername = userNameA + +#use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html +#activeDirectoryRealm.systemPassword = passwordA +#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks +#activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM +#activeDirectoryRealm.url = ldap://ldap.test.com:389 +#activeDirectoryRealm.groupRolesMap = 
"CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr" +#activeDirectoryRealm.authorizationCachingEnabled = false + +### A sample for configuring LDAP Directory Realm +#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm +## search base for ldap groups (only relevant for LdapGroupRealm): +#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM +#ldapRealm.contextFactory.url = ldap://ldap.test.com:389 +#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM #ldapRealm.contextFactory.authenticationMechanism = SIMPLE -#sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager -#securityManager.sessionManager = $sessionManager + +### A sample PAM configuration +#pamRealm=org.apache.zeppelin.realm.PamRealm +#pamRealm.service=sshd + + +sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager +### If caching of user is required then uncomment below lines +cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager +securityManager.cacheManager = $cacheManager + +securityManager.sessionManager = $sessionManager # 86,400,000 milliseconds = 24 hour -#securityManager.sessionManager.globalSessionTimeout = 86400000 +securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login +[roles] +role1 = * +role2 = * +role3 = * +admin = * + [urls] +# This section is used for url-based security. +# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide. # anon means the access is anonymous. 
-# authcBasic means Basic Auth Security +# authc means Form based Auth Security # To enfore security, comment the line below and uncomment the next one /api/version = anon -/** = anon -#/** = authc +#/api/interpreter/** = authc, roles[admin] +#/api/configurations/** = authc, roles[admin] +#/api/credential/** = authc, roles[admin] +#/** = anon +/** = authc </value> <on-ambari-upgrade add="true"/> </property>
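Review bot: The `[users]` block now ships four active accounts whose passwords equal their usernames (`admin = admin, admin`, `user1 = user1, role1, role2`, …), so every cluster installed from this template accepts the same publicly known logins, and `/** = authc` only checks that one of them was used. The new `[roles]` section gives `role1`, `role2` and `role3` the same `*` permission as `admin`, and the three `roles[admin]` URL rules are left commented, so as written any of the sample users can reach `/api/interpreter/**`, `/api/configurations/**` and `/api/credential/**`. I would drop the `user1`–`user3` entries, have the admin password supplied at install time instead of fixed in the template, and ship the rules active: `/api/interpreter/** = authc, roles[admin]`, `/api/configurations/** = authc, roles[admin]`, `/api/credential/** = authc, roles[admin]`. The commented sample realms still use `ldap://ldap.test.com:389` with `authenticationMechanism = SIMPLE`, which sends the bind password in clear text unless the connection is protected some other way; a comment beside them recommending `ldaps://` would help operators who copy the sample. The enclosing `<value>` element opens above this hunk, so anything earlier in the template is not visible here.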