Arun Khetarpal created ZEPPELIN-2913:
----------------------------------------
Summary: ActiveDirectoryGroupRealm to support creating a role for system user
Key: ZEPPELIN-2913
URL: https://issues.apache.org/jira/browse/ZEPPELIN-2913
Project: Zeppelin
Issue Type: Improvement
Components: zeppelin-server
Affects Versions: 0.7.2
Reporter: Arun Khetarpal
In secure HDInsight clusters we don't have any admin user group(s) created or
expected to be there in AD. But we have a single admin user given as part of
the cluster creation. This admin user alone is supposed to get access to Zeppelin
interpreter settings and configurations.
We need a way to configure a single user (which can be the same user configured in
activeDirectoryRealm.systemUsername) as admin in Shiro and give him access to
configs and settings. Note: here we don't want to configure that admin user's
password in plain text, but rather via jceks
(activeDirectoryRealm.hadoopSecurityCredentialPath).
A configuration like the one below will not work for us, as we don't have a group in AD
with only admins (and some of our customers deploying the cluster in AD may
not have that to begin with, or will not be willing to do that):
{code}
[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = adminuser1
activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://etc/zeppelin/conf/zeppelin.jceks
activeDirectoryRealm.searchBase = "DC=team2testdomain,DC=onmicrosoft,DC=com"
activeDirectoryRealm.url = ldaps://team2testdomain.onmicrosoft.com:636
activeDirectoryRealm.principalSuffix = @TEAM2TESTDOMAIN.ONMICROSOFT.COM
activeDirectoryRealm.groupRolesMap = "OU=AADDC Users,DC=team2testdomain,DC=onmicrosoft,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hours
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
{code}
Proposing {{activeDirectoryRealm.systemUserInternalRoleName}}, which will be a
role created specifically for the system user.
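As an added illustration (not part of this issue or of Zeppelin's own code), the following Python model shows how the proposed key would combine with groupRolesMap: group-derived roles come from AD membership, while the internal role is granted only to the exact systemUsername principal, so a broad OU mapping is no longer needed to make one account admin. The key name systemUserInternalRoleName is the proposal from this issue and is hypothetical; the sample shiro.ini text is constructed.

```python
import configparser
import re

# Constructed shiro.ini fragment modelled on the config in this issue, with the
# proposed systemUserInternalRoleName key (hypothetical; not an existing option).
# The OU maps to a plain "user" role, so nobody becomes admin via group membership.
SHIRO_INI = """\
[main]
activeDirectoryRealm.systemUsername = adminuser1
activeDirectoryRealm.groupRolesMap = "OU=AADDC Users,DC=team2testdomain,DC=onmicrosoft,DC=com":"user"
activeDirectoryRealm.systemUserInternalRoleName = admin
"""

# One "dn":"role" pair inside the groupRolesMap value.
_PAIR = re.compile(r'"([^"]+)"\s*:\s*"([^"]+)"')

def parse_realm(ini_text, prefix="activeDirectoryRealm."):
    """Return (system_user, {group_dn: role}, internal_role or None)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in shiro.ini
    cp.read_string(ini_text)
    main = cp["main"]
    group_roles = dict(_PAIR.findall(main.get(prefix + "groupRolesMap", "")))
    return (main.get(prefix + "systemUsername"), group_roles,
            main.get(prefix + "systemUserInternalRoleName"))

def roles_for(principal, member_of, system_user, group_roles, internal_role):
    """Roles granted to an authenticated principal: the roles mapped from its AD
    groups (DNs compared case-insensitively), plus the internal role only when
    the principal is exactly the configured system user. The bind password is
    never part of this mapping; it stays in the jceks credential store."""
    groups = {dn.lower() for dn in member_of}
    roles = {role for dn, role in group_roles.items() if dn.lower() in groups}
    if internal_role and principal == system_user:
        roles.add(internal_role)
    return roles

def may_edit_interpreters(roles, required="admin"):
    """Mirror of the '/api/interpreter/** = authc, roles[admin]' URL filter."""
    return required in roles

if __name__ == "__main__":
    sys_user, gmap, internal = parse_realm(SHIRO_INI)
    ou = "OU=AADDC Users,DC=team2testdomain,DC=onmicrosoft,DC=com"
    print(roles_for("adminuser1", [ou], sys_user, gmap, internal))  # {'user', 'admin'}
    print(roles_for("bob", [ou], sys_user, gmap, internal))         # {'user'}
```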
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)