Arun,

Can you try the following:

1. Enable Zeppelin authentication via shiro if not already.

2. In shiro.ini specify the role that should have access to the interpreter
settings page. Example below:

[urls]
/api/interpreter/** = authc, roles[admin]

/api/configurations/** = authc, roles[admin]

/api/credential/** = authc, roles[admin]

3. Map the specific role to the LDAP/AD group in the shiro.ini [main] section.
Example below:

activeDirectoryRealm.groupRolesMap = "CN=hdpdv_admin,DC=hdpqa,DC=example,DC=com":"admin"

4. Restart Zeppelin.

Let the group know how this works for you.

Also, as Moon mentioned, we want to add more access control to Zeppelin and
make it easier to configure.

Thanks,
Vinay


On Wed, Apr 12, 2017 at 6:48 PM, Arun Khetarpal <akhet...@gmail.com> wrote:

> Hi -
>
> I think the ask is that currently it seems that activeDirectoryGroupRealm
> maps each active directory group to a shiro role. Later we can authorize
> urls with roles in our urls section of shiro file.
>
> Our problem is that we don't really have an admin group handy in our AD -
> due to which there is a bit of a problem in setting the correct
> authorization of some urls. We were able to play around with
> ActiveDirectoryGroupRealm and modify in such a way that an internal role is
> created for systemUser and then authorize urls for him based on the
> internal role.
>
> Later we placed this modified ActiveDirectoryGroupRealm in Class path and
> everything works as expected. So my question is -
>
> a. Is there a better way provided by Zeppelin for users to provide their
> own implementation of ActiveDirectoryGroupRealm?
> b. Is the community interested in modifying ActiveDirectoryGroupRealm with
> our tweaks?
>
>
> Regards,
> Arun
>
>
>
>
> On 12 April 2017 at 15:55, Vartul Gupta <vargu...@microsoft.com.invalid>
> wrote:
>
> > Hi Team,
> >
> > I am trying to set up authentication and authorization for Zeppelin using
> > Shiro file.
> > Now my question is how we can set Zeppelin interpreter settings to be
> > restricted to a particular AD admin user.
> >
> > Here is the sample of my shiro file.
> >
> > [main]
> > activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
> > activeDirectoryRealm.systemUsername = adminuser1
> > activeDirectoryRealm.systemPassword = ^^^^^^
> > #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
> > activeDirectoryRealm.searchBase = "OU=AADDC Users,DC=team2testdomain,DC=testabc,DC=com"
> > activeDirectoryRealm.url = ldaps://team2testdomain.testabc.com:636
> > activeDirectoryRealm.principalSuffix = @TEAM2TESTDOMAIN.testabc.COM
> > activeDirectoryRealm.groupRolesMap = "OU=AADDC Users,DC=team2testdomain,DC=testabc,DC=com":"admin"
> > activeDirectoryRealm.authorizationCachingEnabled = true
> > sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> > cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> > securityManager.cacheManager = $cacheManager
> > securityManager.sessionManager = $sessionManager
> > # 86,400,000 milliseconds = 24 hour
> > securityManager.sessionManager.globalSessionTimeout = 86400000
> > shiro.loginUrl = /api/login
> >
> > [urls]
> > # anon means the access is anonymous.
> > # authcBasic means Basic Auth Security
> > # To enforce security, comment the line below and uncomment the next one
> > #/** = anon
> > /** = authc
> >
> > Thanks
> > Vartul
> >
>
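
An added example, not part of the original thread and not Zeppelin or Shiro code: a small Python audit of a shiro.ini for the setup discussed above. Shiro evaluates [urls] top to bottom and the first matching pattern wins, so a `/** = authc` line placed above the role-restricted lines shadows them; the check also confirms every role used in [urls] is mapped in groupRolesMap. The sample request paths and the simplified Ant-pattern matcher are assumptions for illustration.

```python
import re

def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping line order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def ant_to_regex(pattern):
    """Simplified Ant-style matching (assumption): '/**' any depth, '*' one segment."""
    body = re.escape(pattern).replace(r"/\*\*", "(/.*)?").replace(r"\*", "[^/]*")
    return re.compile("^" + body + "$")

def audit(shiro_ini, sample_paths):
    """List paths whose first matching [urls] rule lacks a mapped roles[] filter."""
    cfg = parse_ini(shiro_ini)
    mapped = set()
    for key, value in cfg.get("main", []):
        if key.endswith(".groupRolesMap"):
            mapped.update(re.findall(r'"\s*:\s*"([^"]+)"', value))
    findings = []
    for path in sample_paths:
        # Shiro walks [urls] top to bottom and stops at the first matching pattern.
        rule = next((r for r in cfg.get("urls", []) if ant_to_regex(r[0]).match(path)), None)
        groups = re.findall(r"roles\[([^\]]*)\]", rule[1]) if rule else []
        roles = [name.strip() for group in groups for name in group.split(",")]
        if not roles:
            findings.append(f"{path}: governed by {rule}, no roles[] filter")
        findings += [f"{path}: role '{r}' has no groupRolesMap entry"
                     for r in roles if r not in mapped]
    return findings

# Constructed inputs: the mapping and rules from the reply, plus a catch-all.
MAIN = '[main]\nactiveDirectoryRealm.groupRolesMap = "CN=hdpdv_admin,DC=hdpqa,DC=example,DC=com":"admin"\n'
RULES = [f"/api/{p}/** = authc, roles[admin]" for p in ("interpreter", "configurations", "credential")]
GOOD = MAIN + "[urls]\n" + "\n".join(RULES + ["/** = authc"])
SHADOWED = MAIN + "[urls]\n" + "\n".join(["/** = authc"] + RULES)
PATHS = ["/api/interpreter/setting", "/api/configurations/all", "/api/credential/sample"]  # hypothetical

if __name__ == "__main__":
    for name, ini in (("GOOD", GOOD), ("SHADOWED", SHADOWED)):
        print(name, audit(ini, PATHS) or "ok")
```

Run it against your own shiro.ini text by passing the file contents to `audit` with the paths you want restricted.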
