These two committed fixes aren't in 0.8.0
https://github.com/apache/zeppelin/pull/3045
https://github.com/apache/zeppelin/pull/3037

See if one of them is relevant to your issue.
--
Ruslan Dautkhanov

On Mon, Jul 9, 2018 at 9:24 AM András Kolbert <kolbertand...@gmail.com> wrote:

> The latest, 0.8
>
> On Mon, 9 Jul 2018, 17:21 Ruslan Dautkhanov, <dautkha...@gmail.com> wrote:
>
>> Which version of Zeppelin are you using?
>> If it's 0.7, try 0.8. I remember seeing some issues were fixed in 0.8 and
>> in master regarding this AD/LDAP groups...
>>
>> --
>> Ruslan Dautkhanov
>>
>>
>> On Mon, Jul 9, 2018 at 3:23 AM kolbertand...@gmail.com <
>> kolbertand...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> We've been trying to add the right shiro configuration to ensure that a
>>> specific AD group can only log in, and also differentiate roles. We got two
>>> working solutions, but the first lets in everyone within the active
>>> directory (but the roles work fine), the second does not let in everyone
>>> but the roles do not work.
>>>
>>> 1)
>>> This version works for adding roles to the specific CNs but allows
>>> everyone to log in.
>>>
>>> activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
>>> activeDirectoryRealm.systemUsername = aduser
>>> activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks
>>> activeDirectoryRealm.searchBase = OU=User Accounts,DC=domain,DC=local
>>> activeDirectoryRealm.url = ldap://AD.domain.local:389
>>> activeDirectoryRealm.groupRolesMap = "CN=admins,OU=User Accounts,DC=domain,DC=local":"admin"
>>> activeDirectoryRealm.authorizationCachingEnabled = false
>>> activeDirectoryRealm.principalSuffix = @domain.local
>>> securityManager.realms = $activeDirectoryRealm
>>>
>>> 2)
>>> This version limits down the login to the specified AD group, but does
>>> not associate roles with the group.
>>>
>>> ldapADGCRealm = org.apache.zeppelin.realm.LdapRealm
>>> ldapADGCRealm.contextFactory.systemUsername = aduser@domain.local
>>> ldapADGCRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelinldap.jceks
>>> ldapADGCRealm.searchBase = "OU=User Accounts,DC=domain,DC=local"
>>> ldapADGCRealm.userSearchBase = "OU=User Accounts,DC=domain,DC=local"
>>> ldapADGCRealm.groupSearchBase = "OU=User Accounts,DC=domain,DC=local"
>>> ldapADGCRealm.groupObjectClass = group
>>> ldapADGCRealm.memberAttribute = memberUid
>>> ldapADGCRealm.groupIdAttribute = cn
>>> ldapADGCRealm.groupSearchEnableMatchingRuleInChain = true
>>> ldapADGCRealm.rolesByGroup = users: admin
>>> ldapADGCRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0})(memberOf=CN=users,OU=User Accounts,DC=domain,DC=local))
>>> ldapADGCRealm.contextFactory.url = ldap://AD.domain.local:389 (edited)
>>>
>>>
>>>
>>> Related posts:
>>>
>>> https://community.hortonworks.com/questions/54896/zeppelin-ad-users-not-binded-to-groups.html
>>>
>>> https://community.hortonworks.com/questions/82135/how-to-limit-access-to-zeppelin-webui-based-for-sp.html
>>>
>>> Any ideas where we go wrong?
>>>
>>> Thanks,
>>> Andras
>>>
>>