Hi All,

We are also hitting this issue with version 0.7.0.

We have tried changing the search base so that a filter is used, and only certain users who are a member of a group are allowed to login; however, this doesn't have an effect. We have also tried to use activeDirectoryRealm.groupRolesMap, so that we force users to map to a Zeppelin role based on an AD group they are in. However, when logging in, the logs show the following:

"roles":"[]"

Has anyone gotten Shiro to work with AD and locking down who can login via AD groups? At the moment it seems that if you have an account in AD, you can login to Zeppelin, and there is no way to stop this.

Thanks!

On Thu, Sep 8, 2016 at 1:41 AM, Polina Marasanova <[email protected]> wrote:
> Hi everyone,
>
> I'm experiencing exactly the same problem with Zeppelin 0.6.0.
> Its shiro plugin lets everyone in and it cannot be limited by searchBase.
> Here is an example of my config. In fact it lets everyone in from OU=Users.
>
> [main]
> ### A sample for configuring Active Directory Realm
> activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
> activeDirectoryRealm.systemUsername = userNameA
> activeDirectoryRealm.systemPassword = passwordA
> activeDirectoryRealm.searchBase = "CN=Notebook Owner,OU=Software Development,OU=Users,DC=companyname,DC=local"
> activeDirectoryRealm.principalSuffix = @companyname.local
> activeDirectoryRealm.url = ldap://ldap-server.local:389
> activeDirectoryRealm.groupRolesMap = "CN=Notebook Owner,OU=Software Development,OU=Users,DC=companyname,DC=local":"admin"
> activeDirectoryRealm.authorizationCachingEnabled = false
> securityManager.realms = $activeDirectoryRealm
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.globalSessionTimeout = 86400000
> shiro.loginUrl = /api/login
>
> Could you please take care of this issue. We are seriously blocked by it,
> but really want to start using 0.6.0.
>
> Cheers
> Thanks
> Polina Marasanova
> ________________________________________
> From: Weipu Zhao [[email protected]]
> Sent: Sunday, 21 August 2016 4:37 AM
> To: [email protected]; [email protected]
> Subject: ActiveDirectoryGroupRealm.java allows user outside of searchBase to login
>
> Hi guys,
>
> When using org.apache.zeppelin.server.ActiveDirectoryGroupRealm as my shiro realm on v0.6.0, I have trouble understanding the searchBase config. My understanding was that Shiro should only allow users within that searchBase to login, but that seems not to be the case. When I trace the code of ActiveDirectoryGroupRealm.java, the only place searchBase is used is in method getRoleNamesForUser <https://github.com/apache/zeppelin/blob/v0.6.0/zeppelin-server/src/main/java/org/apache/zeppelin/server/ActiveDirectoryGroupRealm.java#L162>; if the user is not inside searchBase, an empty roleNames will be returned without any exception, thus the user will be logged in, I guess?
>
> I'm not sure if this is expected behaviour or not. I also tried v0.6.1 and it seems to have the same behaviour. In general I just want to restrict users in certain groups of ActiveDirectory only to be able to login. Is that possible without rewriting our own Realm?
>
> Thanks,
> Weipu
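The thread describes searchBase being used only inside getRoleNamesForUser, so the realm authenticates any AD account and a user outside the mapped group simply ends up with "roles":"[]". A mitigation that does not require a custom Realm is to stop treating "authenticated" as "authorized": make Shiro's URL filter chain require a role, so a subject with an empty role set is denied on every application URL even though the realm accepted the password. The shiro.ini below is an added example written for this thread; it is not a config posted by any participant and not Zeppelin's own template. It reuses the realm class name, DNs and session settings from Polina's message and assumes (a) that searchBase has to cover the subtree containing the user entries, because the realm looks the user up under searchBase and reads that entry's group membership to apply groupRolesMap (so pointing searchBase at the group's own DN yields no roles); (b) that Zeppelin's login is a REST call to /api/login which must remain reachable for the realm to be consulted at all; and (c) Shiro's standard authc and roles[...] filters in the [urls] section, evaluated top to bottom with the first matching pattern winning.

```ini
[main]
# Realm wiring as in the thread. Note: this realm authenticates any AD account;
# searchBase and groupRolesMap only influence which roles the subject gets.
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = userNameA
activeDirectoryRealm.systemPassword = passwordA
# Assumption: searchBase must contain the USER entries (the realm searches it
# for the user and reads memberOf), not the DN of the group itself.
activeDirectoryRealm.searchBase = "OU=Users,DC=companyname,DC=local"
activeDirectoryRealm.principalSuffix = @companyname.local
activeDirectoryRealm.url = ldap://ldap-server.local:389
# Only members of this AD group receive the "admin" role; everyone else
# authenticates successfully but ends up with "roles":"[]".
activeDirectoryRealm.groupRolesMap = "CN=Notebook Owner,OU=Software Development,OU=Users,DC=companyname,DC=local":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
securityManager.realms = $activeDirectoryRealm

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[urls]
# Patterns are matched in order; the first match decides the filter chain.
# Keep the login endpoint reachable so the realm can be consulted at all.
/api/version = anon
/api/login = anon
# Weak setting (what the thread's configs amount to): any authenticated AD
# account passes, regardless of group membership.
#/** = authc
# Corrected setting: require an actual role. A subject whose roles are []
# fails roles[admin] and is denied on every application URL.
/** = authc, roles[admin]
```

The difference between the two catch-all rules is the whole point: `authc` only asks "did the realm accept the credentials?", which for this realm is true for every AD account, whereas `roles[admin]` asks "did groupRolesMap assign this role?", which is exactly the property the thread wants to enforce. Users outside the group will still produce a successful login line with "roles":"[]" in the logs, which is a useful thing to alert on, and then be rejected on the next request. If you need finer control, list more specific paths (for example interpreter or credential APIs) with their own roles[...] rules above the catch-all, and verify the realm's package name against the shiro.ini template shipped with your Zeppelin version, since the thread's class path is the one for 0.6.0.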
