Hi Vinay. Thank you for your advice. But the thing I'm looking for is not how to limit a particular note. I would like to disallow *creation* of new notes to some users. I don't know how to do it currently. For now I can either disallow complete access to Zeppelin, or give access together with creating new notes. Do you have an idea how to achieve it?
Thanks,
Krzysztof

On Fri, 15.07.2016 at 17:20, Vinay Shukla <vinayshu...@gmail.com> wrote:

> Krzysztof,
>
> Today access control is configured at the Note level & not done a-priori
> in the shiro.ini.
>
> You configure authentication in shiro.ini & the notebook creator can set
> access control by clicking the lock icon on the notebook.
>
> Thanks,
> Vinay
>
> On Friday, July 15, 2016, Krzysztof Zarzycki <k.zarzy...@gmail.com> wrote:
>
>> Hi,
>> I'm configuring security for Zeppelin and I would like to be able to
>> restrict access the following way:
>> 1. only admins are able to create new notebooks
>> 2. everyone logged in can read notebooks. (Actually, finally this should
>> be also limited to the group).
>> 3. anonymous access is forbidden.
>>
>> I thought that I can do it with urls and roles, by specifying which urls
>> a particular role can access, but I'm unable to make it work.
>>
>> My current configuration of shiro.ini looks like this:
>> [main]
>> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
>> adRealm.url = ldap://ad.server:389
>> adRealm.groupRolesMap = "CN=Admins,DC=example,DC=com":"admin"
>> adRealm.searchBase = dc=example,dc=com
>> adRealm.systemUsername= systemUser
>> adRealm.systemPassword= systemPassword
>> adRealm.principalSuffix= @example.com
>> adRealm.authorizationCachingEnabled = true
>> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>> securityManager.sessionManager = $sessionManager
>> securityManager.sessionManager.globalSessionTimeout = 86400000
>> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>> securityManager.cacheManager = $cacheManager
>> securityManager.realms = $adRealm
>> shiro.loginUrl = /api/login
>>
>> [roles]
>>
>> admin = *
>>
>> [urls]
>> /api/version = anon
>> # I've tried multiple url filters:
>> /api/interpreter/** = authcBasic, roles[admin]
>> /api/notebook** = authcBasic, roles[admin]
>> /api/notebook/** = authcBasic, roles[admin]
>> /"#"/notebook/** = authcBasic, roles[admin]
>> /** = authcBasic
>> # I tried also above lines with authc, no success.
>>
>> # Only this option successfully limits access to admins, but of whole Zeppelin, not only notebook creation.
>> /** = authcBasic, roles[admin]
>>
>> With this configuration, I log in as non-admin user and I'm still able to
>> create new notebooks...
>> Could you please help me configure Zeppelin to achieve my goal?
>>
>> Thanks a lot,
>> Krzysztof
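The `[urls]` section quoted above, run through a simplified model of Shiro's first-match-wins, Ant-style path matching. This is an added example, not part of the original messages and not Shiro's or Zeppelin's own code. The request paths are constructed, and `/ws` as the path of a WebSocket endpoint is an assumption that the thread does not state.

```python
import re

# [urls] section as posted in the thread, in file order.
URLS = [
    ("/api/version", "anon"),
    ("/api/interpreter/**", "authcBasic, roles[admin]"),
    ("/api/notebook**", "authcBasic, roles[admin]"),
    ("/api/notebook/**", "authcBasic, roles[admin]"),
    ('/"#"/notebook/**', "authcBasic, roles[admin]"),
    ("/**", "authcBasic"),
]

def _segment_matches(pattern, segment):
    # Inside one path segment: '*' is any run of characters, '?' is one character.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, segment) is not None

def ant_match(pattern, path):
    """Simplified Ant-style match: a '**' segment spans zero or more path segments."""
    pat = [s for s in pattern.split("/") if s]
    segs = [s for s in path.split("/") if s]

    def walk(i, j):
        if i == len(pat):
            return j == len(segs)
        if pat[i] == "**":
            return any(walk(i + 1, k) for k in range(j, len(segs) + 1))
        return j < len(segs) and _segment_matches(pat[i], segs[j]) and walk(i + 1, j + 1)

    return walk(0, 0)

def chain_for(path):
    """Return (pattern, filter chain) of the first matching line; first match wins."""
    for pattern, chain in URLS:
        if ant_match(pattern, path):
            return pattern, chain
    return None, None

def needs_admin(path):
    return "roles[admin]" in (chain_for(path)[1] or "")

# Constructed request paths. A browser never sends the '#...' fragment, so opening
# '/#/notebook/<id>' reaches the server as '/'. '/ws' is an assumed WebSocket path.
SAMPLES = ["/api/version", "/api/notebook", "/api/notebook/2ABC", "/", "/ws"]

if __name__ == "__main__":
    for p in SAMPLES:
        pattern, chain = chain_for(p)
        print(f"{p:20} -> {pattern:20} {chain}")
```

Any request that does not travel under `/api/notebook` or `/api/interpreter` falls through to `/** = authcBasic`, which checks authentication only, and the `/"#"/notebook/**` line matches none of the sample paths.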