Re: shiro.ini : Zeppelin interpreter authorization: lock to one user
Arun,

Can you try the following:

1. Enable Zeppelin authentication via shiro if not already.

2. In shiro.ini specify the role that should have access to interpreter settings page. Example below:

    [urls]
    /api/interpreter/** = authc, roles[admin]
    /api/configurations/** = authc, roles[admin]
    /api/credential/** = authc, roles[admin]

3. Map the specific role to LDAP/AD group in shiro.ini [main] section. Example below:

    activeDirectoryRealm.groupRolesMap = "CN=hdpdv_admin,DC=hdpqa,DC=example,DC=com":"admin"

4. Restart Zeppelin.

Let the group know how this works for you. Also as Moon mentioned we want to add more access control to Zeppelin and make it easier to configure.

Thanks,
Vinay

On Wed, Apr 12, 2017 at 6:48 PM, Arun Khetarpal wrote:
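One caveat to step 2 that is easy to miss: Shiro applies the first [urls] entry whose pattern matches the request path, so the roles[admin] rules have to sit above the catch-all "/** = authc" that Vartul's file already has, otherwise the catch-all claims every request and the restriction is never evaluated. The Python below is an added example (not code from this thread, Zeppelin or Shiro) that simulates that first-match resolution over a constructed [urls] section; the "/api/interpreter/setting" path and the user names are assumptions.

```python
"""Simulate Shiro [urls] resolution: the FIRST entry whose Ant-style pattern
matches the request path is applied, so the order of the rules decides access."""
import re

# Constructed [urls] section: the role-restricted rules from the reply above,
# placed before the catch-all so they are actually reached.
LOCKED_DOWN = """[urls]
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
"""
# Same rules with the catch-all first: the admin restriction is never consulted.
WRONG_ORDER = "[urls]\n/** = authc\n/api/interpreter/** = authc, roles[admin]\n"


def parse_urls(ini_text):
    """Return the [urls] entries as (pattern, [filters]) pairs, in file order."""
    chains, in_urls = [], False
    for line in (l.strip() for l in ini_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                 # section header
            in_urls = line == "[urls]"
        elif in_urls:
            pattern, _, rhs = line.partition("=")
            # split on commas outside brackets so roles[a,b] stays one filter
            chains.append((pattern.strip(),
                           [f.strip() for f in re.split(r",(?![^\[]*\])", rhs)]))
    return chains


def ant_match(pattern, path):
    """Minimal Ant-style matcher: '**' spans segments, '*' stays within one."""
    regex = re.escape(pattern).replace(r"/\*\*", "(?:/.*)?")  # '/x/**' also matches '/x'
    regex = regex.replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None


def is_allowed(chains, path, subject):
    """subject is None for anonymous, else {'name': ..., 'roles': set()}."""
    for pattern, filters in chains:
        if ant_match(pattern, path):             # first match wins
            for f in filters:
                if f == "authc" and subject is None:
                    return False
                m = re.fullmatch(r"roles\[(.+)\]", f)
                if m:                            # roles[a,b] needs ALL listed roles
                    needed = {r.strip() for r in m.group(1).split(",")}
                    if subject is None or not needed <= subject["roles"]:
                        return False
            return True
    return True                                  # nothing matched: request is unfiltered
```

Run is_allowed over both sections with a user that has no roles: LOCKED_DOWN denies the interpreter path, WRONG_ORDER lets the same user through.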
Re: shiro.ini : Zeppelin interpreter authorization: lock to one user
Hi,

https://issues.apache.org/jira/browse/ZEPPELIN-2236 tracks restricting interpreter setting to admin group. And we're trying to solve this problem in 0.8.0 [1]. Please keep an eye on this issue and feel free to make any contributions.

Thanks,
moon

[1] https://lists.apache.org/thread.html/f4be5635e6e72d2a9dc23771ceeaef8a8e5933bfb14db7cab303bc22@%3Cdev.zeppelin.apache.org%3E

On Wed, Apr 12, 2017 at 6:48 PM Arun Khetarpal wrote:
Re: shiro.ini : Zeppelin interpreter authorization: lock to one user
Hi -

I think the ask is that currently it seems that activeDirectoryGroupRealm maps each active directory group to a shiro role. Later we can authorize urls with roles in our urls section of shiro file.

Our problem is that we don't really have an admin group handy in our AD - due to which there is a bit of a problem in setting the correct authorization of some urls. We were able to play around with ActiveDirectoryGroupRealm and modify in such a way that an internal role is created for systemUser and then authorize urls for him based on the internal role.

Later we placed this modified ActiveDirectoryGroupRealm in Class path and everything works as expected. So my question is -

a. Is there a better way provided by zeppelin for users to provide their own implementation of ActiveDirectoryGroupRealm?
b. Is the community interested in modifying ActiveDirectoryGroupRealm with our tweaks?

Regards,
Arun

On 12 April 2017 at 15:55, Vartul Gupta wrote:
shiro.ini : Zeppelin interpreter authorization: lock to one user
Hi Team,

I am trying to setup authentication and authorization for Zeppelin using Shiro file.
Now my question is: how can we set Zeppelin interpreter settings to be restricted to a particular AD admin user?

Here is the sample of my shiro file.

    [main]
    activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
    activeDirectoryRealm.systemUsername = adminuser1
    activeDirectoryRealm.systemPassword = ^^
    #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
    activeDirectoryRealm.searchBase = "OU=AADDC Users,DC=team2testdomain,DC=testabc,DC=com"
    activeDirectoryRealm.url = ldaps://team2testdomain.testabc.com:636
    activeDirectoryRealm.principalSuffix = @TEAM2TESTDOMAIN.testabc.COM
    activeDirectoryRealm.groupRolesMap = "OU=AADDC Users,DC=team2testdomain,DC=testabc,DC=com":"admin"
    activeDirectoryRealm.authorizationCachingEnabled = true
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
    securityManager.cacheManager = $cacheManager
    securityManager.sessionManager = $sessionManager
    # 86,400,000 milliseconds = 24 hours
    securityManager.sessionManager.globalSessionTimeout = 86400000
    shiro.loginUrl = /api/login

    [urls]
    # anon means the access is anonymous.
    # authcBasic means Basic Auth Security
    # To enforce security, comment the line below and uncomment the next one
    #/** = anon
    /** = authc

Thanks
Vartul