Hi,

https://issues.apache.org/jira/browse/ZEPPELIN-2236 tracks restricting
the interpreter setting to the admin group. We're trying to solve this problem
in 0.8.0 [1]. Please keep an eye on this issue and feel free to make any
contributions.

Thanks,
moon

[1]
https://lists.apache.org/thread.html/f4be5635e6e72d2a9dc23771ceeaef8a8e5933bfb14db7cab303bc22@%3Cdev.zeppelin.apache.org%3E


On Wed, Apr 12, 2017 at 6:48 PM Arun Khetarpal <akhet...@gmail.com> wrote:

> Hi -
>
> I think the ask is that currently it seems that activeDirectoryGroupRealm
> maps each Active Directory group to a Shiro role. Later we can authorize
> URLs with roles in the urls section of our shiro file.
>
> Our problem is that we don't really have an admin group handy in our AD -
> due to which there is a bit of a problem in setting the correct
> authorization of some URLs. We were able to play around with
> ActiveDirectoryGroupRealm and modify it in such a way that an internal role is
> created for systemUser and then authorize URLs for him based on the
> internal role.
>
> Later we placed this modified ActiveDirectoryGroupRealm on the classpath and
> everything works as expected. So my question is -
>
> a. Is there a better way provided by Zeppelin for users to provide their
> own implementation of ActiveDirectoryGroupRealm?
> b. Is the community interested in modifying ActiveDirectoryGroupRealm with
> our tweaks?
>
>
> Regards,
> Arun
>
>
>
>
> On 12 April 2017 at 15:55, Vartul Gupta <vargu...@microsoft.com.invalid>
> wrote:
>
> > Hi Team,
> >
> > I am trying to set up authentication and authorization for Zeppelin using
> > a Shiro file.
> > Now my question is how we can set Zeppelin interpreter settings to be
> > restricted to a particular AD admin user.
> >
> > Here is a sample of my shiro file.
> >
> > [main]
> > activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
> > activeDirectoryRealm.systemUsername = adminuser1
> > activeDirectoryRealm.systemPassword = ^^^^^^
> > #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
> > activeDirectoryRealm.searchBase = "OU=AADDC Users,DC=team2testdomain,DC=testabc,DC=com"
> > activeDirectoryRealm.url = ldaps://team2testdomain.testabc.com:636
> > activeDirectoryRealm.principalSuffix = @TEAM2TESTDOMAIN.testabc.COM
> > activeDirectoryRealm.groupRolesMap = "OU=AADDC Users,DC=team2testdomain,DC= testabc,DC=com":"admin"
> > activeDirectoryRealm.authorizationCachingEnabled = true
> > sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> > cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> > securityManager.cacheManager = $cacheManager
> > securityManager.sessionManager = $sessionManager
> > # 86,400,000 milliseconds = 24 hours
> > securityManager.sessionManager.globalSessionTimeout = 86400000
> > shiro.loginUrl = /api/login
> >
> > [urls]
> > # anon means the access is anonymous.
> > # authcBasic means Basic Auth Security
> > # To enforce security, comment the line below and uncomment the next one
> > #/** = anon
> > /** = authc
> >
> > Thanks
> > Vartul
> >
>

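The thread above describes mapping AD groups to Shiro roles and then authorizing URLs by role in the [urls] section. As an added example (not part of the original thread and not Zeppelin's or Shiro's own code), this Python sketch resolves which roles a request path actually requires under Shiro's first-match-wins ordering of [urls] entries. The /api/interpreter/** pattern, the request paths and the simplified Ant-style matcher are assumptions.

```python
import re

# Constructed samples. THREAD_URLS is the [urls] section quoted in the thread;
# the /api/interpreter/** entry and the request paths are assumptions.
THREAD_URLS = "[urls]\n/** = authc\n"
GATED = "[urls]\n/api/interpreter/** = authc, roles[admin]\n/** = authc\n"
SHADOWED = "[urls]\n/** = authc\n/api/interpreter/** = authc, roles[admin]\n"


def parse_urls(ini_text):
    """Return the [urls] entries as (pattern, chain) pairs in file order."""
    rules, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "urls" and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), chain.strip()))
    return rules


def ant_to_regex(pattern):
    """Simplified Ant-style matching: ** spans segments, * stays in one."""
    out = re.escape(pattern)
    out = out.replace(r"/\*\*", "(/.*)?").replace(r"\*\*", ".*")
    out = out.replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
    return re.compile("^" + out + "$")


def required_roles(ini_text, path):
    """Roles the first matching [urls] entry demands for path.

    Shiro evaluates [urls] top to bottom and the first match wins, so a
    catch-all placed above a role-gated entry silently shadows it.
    Returns (matched_pattern, roles); (None, []) if nothing matches.
    """
    for pattern, chain in parse_urls(ini_text):
        if ant_to_regex(pattern).match(path):
            roles = []
            for body in re.findall(r"roles\[([^\]]*)\]", chain):
                roles += [r.strip().strip('"') for r in body.split(",") if r.strip()]
            return pattern, roles
    return None, []


if __name__ == "__main__":
    for name, ini in [("thread", THREAD_URLS), ("gated", GATED), ("shadowed", SHADOWED)]:
        print(name, required_roles(ini, "/api/interpreter/setting"))
```

With the thread's own [urls] section, any authenticated user reaches the interpreter path because only the catch-all authc entry matches; the role check takes effect only when its entry sits above /**.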