Arun Khetarpal created ZEPPELIN-2913:
----------------------------------------

Summary: ActiveDirectoryGroupRealm to support creating a role for system user
Key: ZEPPELIN-2913
URL: https://issues.apache.org/jira/browse/ZEPPELIN-2913
Project: Zeppelin
Issue Type: Improvement
Components: zeppelin-server
Affects Versions: 0.7.2
Reporter: Arun Khetarpal

In secure HDInsight clusters we don't have any admin user group(s) created / expected to be there in AD. But we have a single admin user given as part of the cluster creation. This admin user alone is supposed to get access to Zeppelin interpreter settings and configurations. We need a way to configure a single user (can be the same user configured in activeDirectoryRealm.systemUsername) as admin in Shiro and give him access to configs and settings.

Note: Here we don't want to configure that admin user's password in plain text, rather via jceks (activeDirectoryRealm.hadoopSecurityCredentialPath).

Configuration like below will not work for us - as we don't have a group in AD with only admins (and a few of our customers deploying the cluster in the AD may not have that to begin with or will not be willing to do that):

{code}
[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = adminuser1
activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://etc/zeppelin/conf/zeppelin.jceks
activeDirectoryRealm.searchBase = "DC=team2testdomain,DC=onmicrosoft,DC=com"
activeDirectoryRealm.url = ldaps://team2testdomain.onmicrosoft.com:636
activeDirectoryRealm.principalSuffix = @TEAM2TESTDOMAIN.ONMICROSOFT.COM
activeDirectoryRealm.groupRolesMap = "OU=AADDC Users,DC=team2testdomain,DC=onmicrosoft,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hours
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
{code}

Proposing

{code}
activeDirectoryRealm.systemUserInternalRoleName
{code}

which will be a role created specifically for the system user.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
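A small linter, added here and not part of the issue or of Zeppelin, for the shiro.ini pitfalls the report touches on: a plaintext activeDirectoryRealm.systemPassword instead of the jceks credential path, an admin role in groupRolesMap mapped to something that is not a group DN (the "CN=" heuristic is an assumption of this example), and admin-only API paths not restricted to roles[admin]. The sample ini is constructed to mirror the config above.

```python
"""Lint a Zeppelin shiro.ini for admin-role configuration pitfalls (added example)."""
import configparser
import re

# Constructed sample modelled on the issue's config; the OU-to-admin mapping and
# the unprotected / missing admin paths are deliberate findings for the linter.
SAMPLE_INI = """
[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = adminuser1
activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://etc/zeppelin/conf/zeppelin.jceks
activeDirectoryRealm.groupRolesMap = "OU=AADDC Users,DC=team2testdomain,DC=onmicrosoft,DC=com":"admin"
[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc
/** = authc
"""

# Paths the issue's config restricts to the admin role.
ADMIN_PATHS = ("/api/interpreter/**", "/api/configurations/**", "/api/credential/**")


def lint_shiro(text):
    """Return a list of findings (empty list means no pitfall detected)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case; Shiro property names are case-sensitive
    cp.read_string(text)
    main, urls = cp["main"], cp["urls"]
    findings = []
    if "activeDirectoryRealm.systemPassword" in main:
        findings.append("plaintext systemPassword set; prefer hadoopSecurityCredentialPath (jceks)")
    # groupRolesMap is a comma-separated list of "DN":"role" pairs
    pairs = re.findall(r'"([^"]+)"\s*:\s*"([^"]+)"', main.get("activeDirectoryRealm.groupRolesMap", ""))
    for dn, role in pairs:
        # Heuristic (assumption): an admin mapping should name a group (CN=...), not a container
        if role == "admin" and not dn.upper().startswith("CN="):
            findings.append(f"admin role mapped to non-group entry {dn!r}")
    for path in ADMIN_PATHS:
        rule = urls.get(path, "")
        if "roles[admin]" not in rule:
            findings.append(f"{path} not restricted to roles[admin] (rule: {rule or 'missing'})")
    return findings


if __name__ == "__main__":
    for finding in lint_shiro(SAMPLE_INI):
        print("FINDING:", finding)
```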