Hi,

I'm configuring security for Zeppelin and I would like to be able to restrict access the following way:

1. only admins are able to create new notebooks
2. everyone logged in can read notebooks. (Actually, finally this should be also limited to the group).
3. anonymous access is forbidden.

I thought that I can do it with urls and roles, by specifying which urls a particular role can access, but I'm unable to make it work. My current configuration of shiro.ini looks like this:

[main]
adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.url = ldap://ad.server:389
adRealm.groupRolesMap = "CN=Admins,DC=example,DC=com":"admin"
adRealm.searchBase = dc=example,dc=com
adRealm.systemUsername= systemUser
adRealm.systemPassword= systemPassword
adRealm.principalSuffix= @example.com
adRealm.authorizationCachingEnabled = true
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.realms = $adRealm
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
/api/version = anon
# I've tried multiple url filters:
/api/interpreter/** = authcBasic, roles[admin]
/api/notebook** = authcBasic, roles[admin]
/api/notebook/** = authcBasic, roles[admin]
/"#"/notebook/** = authcBasic, roles[admin]
/** = authcBasic
# I tried also above lines with authc, no success.
# Only this option successfully limits access to admins, but of whole Zeppelin, not only notebook creation.
/** = authcBasic, roles[admin]

With this configuration, I log in as non-admin user and I'm still able to create new notebooks...

Could you please help me configure Zeppelin to achieve my goal?

Thanks a lot,
Krzysztof