Krzysztof,

Today access control is configured at the Note level & not done a-priori in the shiro.ini.
You configure authentication in shiro.ini & the notebook creator can set access control by clicking the lock icon on the notebook.

Thanks,
Vinay

On Friday, July 15, 2016, Krzysztof Zarzycki <k.zarzy...@gmail.com> wrote:

> Hi,
> I'm configuring security for Zeppelin and I would like to be able to
> restrict access the following way:
> 1. only admins are able to create new notebooks
> 2. everyone logged in can read notebooks. (Actually, finally this should
> be also limited to the group).
> 3. anonymous access is forbidden.
>
> I thought that I can do it with urls and roles, by specifying which urls a
> particular role can access, but I'm unable to make it work.
>
> My current configuration of shiro.ini looks like this:
> [main]
> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
> adRealm.url = ldap://ad.server:389
> adRealm.groupRolesMap = "CN=Admins,DC=example,DC=com":"admin"
> adRealm.searchBase = dc=example,dc=com
> adRealm.systemUsername= systemUser
> adRealm.systemPassword= systemPassword
> adRealm.principalSuffix= @example.com
> adRealm.authorizationCachingEnabled = true
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.globalSessionTimeout = 86400000
> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> securityManager.cacheManager = $cacheManager
> securityManager.realms = $adRealm
> shiro.loginUrl = /api/login
>
> [roles]
>
> admin = *
>
> [urls]
> /api/version = anon
> # I've tried multiple url filters:
> /api/interpreter/** = authcBasic, roles[admin]
> /api/notebook** = authcBasic, roles[admin]
> /api/notebook/** = authcBasic, roles[admin]
> /"#"/notebook/** = authcBasic, roles[admin]
> /** = authcBasic
> # I tried also above lines with authc, no success.
>
> # Only this option successfully limits access to admins, but of whole Zeppelin, not only notebook creation.
> /** = authcBasic, roles[admin]
>
> With this configuration, I log in as non-admin user and I'm still able to
> create new notebooks...
> Could you please help me configure Zeppelin to achieve my goal?
>
> Thanks a lot,
> Krzysztof
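
Added example, not part of the thread and not Zeppelin or Shiro code: a simplified Python model of how Shiro resolves the quoted `[urls]` section (patterns are tried in definition order and the first match wins), showing which filter chain a few request paths receive. The Ant-style matcher is a simplified translation, and the sample requests (the note id and the `/ws` path) are constructed assumptions.

```python
import re

# [urls] rules as quoted in the question above; definition order matters.
URLS = """
/api/version = anon
/api/interpreter/** = authcBasic, roles[admin]
/api/notebook** = authcBasic, roles[admin]
/api/notebook/** = authcBasic, roles[admin]
/"#"/notebook/** = authcBasic, roles[admin]
/** = authcBasic
"""

def seg_regex(seg):
    # Inside one path segment, '*' matches any run of characters except '/'.
    return "/" + "".join("[^/]*" if c == "*" else re.escape(c) for c in seg)

def ant_to_regex(pattern):
    # Simplified Ant-style matching: a whole '**' segment spans zero or more segments.
    segs = pattern.strip("/").split("/")
    body = "".join("(?:/.*)?" if s == "**" else seg_regex(s) for s in segs)
    return re.compile("^" + body + "/?$")

def parse_urls(text):
    # Returns [(pattern, compiled_regex, [filter, ...])] in definition order.
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        pattern, chain = (p.strip() for p in line.split("=", 1))
        filters = [f.strip() for f in chain.split(",")]
        rules.append((pattern, ant_to_regex(pattern), filters))
    return rules

def server_path(url):
    # The path the server receives: browsers do not send the '#fragment' part.
    return url.split("#", 1)[0].split("?", 1)[0] or "/"

def resolve(rules, url):
    # First matching pattern wins; later rules are never consulted.
    path = server_path(url)
    for pattern, rx, chain in rules:
        if rx.match(path):
            return pattern, chain
    return None, []

if __name__ == "__main__":
    rules = parse_urls(URLS)
    # Constructed sample requests (note id and /ws are assumptions).
    for url in ("/api/version", "/api/notebook", "/api/notebook/2A94M5J1Z",
                "/#/notebook/2A94M5J1Z", "/ws"):
        print(f"{url:26} -> {resolve(rules, url)}")
```

The `/"#"/notebook/**` rule never matches a request, because the fragment stays in the browser, and any path outside `/api/interpreter` and `/api/notebook` falls through to `/** = authcBasic`, which requires authentication only.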