Hello, I've connected my Zeppelin server to LDAP for user authentication. This works fine for authentication; the problem is that I can't figure out how roles are attached to a user. I need to set the "bigdata" group as admins. Over the past week I have tried many different configurations and searched online for a solution, without success.
Does anyone have experience with this? Any information or link would be highly appreciated! Thank you.

*shiro.ini:*

### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://1.2.3.4:389
ldapRealm.userDnTemplate = {0}@kenshooprd.local
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.systemUsername = "ldap@kenshooprd.local"
ldapRealm.contextFactory.systemPassword = XXXXXXX
ldapRealm.authorizationEnabled = true
ldapRealm.rolesByGroup = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
ldapRealm.rolesByGroup = bigdata: admin
ldapRealm.groupSearchBase = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
securityManager.realms = $ldapRealm
ldapRealm.groupSearchEnableMatchingRuleInChain = true

*Logs:*

TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login} ThreadContext.java[get]:126) - get() - in thread [qtp1418428263-15 - /api/login]
TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login} ThreadContext.java[get]:133) - Retrieved value of type [org.apache.shiro.web.subject.support.WebDelegatingSubject] for key [org.apache.shiro.util.ThreadContext_SUBJECT_KEY] bound to thread [qtp1418428263-15 - /api/login]
TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login} DelegatingSubject.java[getSession]:317) - attempting to get session; create = false; session is null = false; session has id = true
TRACE [2018-10-29 09:45:40,172] ({qtp1418428263-15 - /api/login} AbstractValidatingSessionManager.java[doGetSession]:116) - Attempting to retrieve session with key org.apache.shiro.web.session.mgt.WebSessionKey@2573f425
WARN [2018-10-29 09:45:40,175] ({qtp1418428263-15 - /api/login} LoginRestApi.java[postLogin]:206) - {"status":"OK","message":"","body":{"principal":"eyalh","ticket":"217d1409-f078-4424-bf8b-ccbef561d817", "roles":"[]"}}
DEBUG [2018-10-29 09:45:40,177] ({qtp1418428263-15 - /api/login} HttpConnection.java[process]:657) - org.eclipse.jetty.server.HttpConnection$SendCallback@1e3b792a[PROCESSING][i=ResponseInfo{HTTP/1.1 200 OK,118,false},cb=org.eclipse.jetty.server.HttpChannel$CommitCallback@1eabc124] generate: NEED_HEADER (null,[p=0,l=118,c=8192,r=118],true)@START
DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} Parser.java[parse]:257) - SERVER Parsed Frame: TEXT[len=109,fin=true,rsv=...,masked=true]
DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} Parser.java[notifyFrame]:186) - SERVER Notify ExtensionStack[queueSize=0,extensions=[],incoming=org.eclipse.jetty.websocket.common.WebSocketSession,outgoing=org.eclipse.jetty.websocket.server.WebSocketServerConnection]
DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} AbstractEventDriver.java[incomingFrame]:103) - incomingFrame(TEXT[len=109,fin=true,rsv=...,masked=true])
DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} NotebookServer.java[onMessage]:160) - RECEIVE << LIST_CONFIGURATIONS, RECEIVE PRINCIPAL << eyalh, RECEIVE TICKET << 217d1409-f078-4424-bf8b-ccbef561d817, *RECEIVE ROLES << []*, RECEIVE DATA << null
TRACE [2018-10-29 09:45:40,328] ({qtp1418428263-12} NotebookServer.java[onMessage]:167) - RECEIVE MSG = Message{data=null, op=LIST_CONFIGURATIONS}
DEBUG [2018-10-29 09:45:40,335] ({qtp1418428263-12} WebSocketRemoteEndpoint.java[sendString]:385) - sendString with HeapByteBuffer@5710df12[p=0,l=6199,c=6199,r=6199]={<<<{\n "op": "CONFIG... "roles": ""\n}>>>}
DEBUG [2018-10-29 09:45:40,337] ({qtp1418428263-12} ExtensionStack.java[outgoingFrame]:288) - Queuing TEXT[len=6199,fin=true,rsv=...,masked=false]

*LDAP settings for user:*

[root@ecstgbhdp02-zeppelin conf]# ldapsearch -x -LLL -h 1.2.3.4 -D ldap@kenshooprd.local -w xxxxx -b "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local"
dn: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
objectClass: top
objectClass: group
cn: bigdata
member: CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local
distinguishedName: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
instanceType: 4
whenCreated: 20161129171457.0Z
whenChanged: 20181004121722.0Z
uSNCreated: 93111898
uSNChanged: 276782631
name: bigdata
objectGUID:: bBMye2mox0+hDkddqds1+g==
objectSid:: AQUAAAAAAAUVAAAAMtw+IXjVu14XG9q7IEEAAA==
sAMAccountName: bigdata
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=kenshooprd,DC=local
dSCorePropagationData: 20170723142935.0Z
dSCorePropagationData: 20170723142620.0Z
dSCorePropagationData: 16010101000417.0Z

-- 
Eyal Hashai
Database Administrator - Big Data Team // Kenshoo
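For comparison with the posted shiro.ini, here is how the realm's authorization block is normally laid out, following the property names documented for Zeppelin's LdapRealm (searchBase, userSearchBase, userSearchAttributeName, groupSearchBase, groupObjectClass, memberAttribute, rolesByGroup). This is an added example, not the poster's file and not a file shipped by the Zeppelin project: the user and group containers are read off the ldapsearch output above, the realm is assumed to resolve the login name to its DN through userSearchBase/userSearchAttributeName before it searches groups, and the [roles]/[urls] lines are assumed to match Zeppelin's stock shiro.ini template. Only the realm-related lines of [main] are shown.

```ini
[main]
### LDAP Directory Realm, group-to-role mapping (added example, not from the post)
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://1.2.3.4:389
ldapRealm.contextFactory.authenticationMechanism = simple
# Bind account used for the user and group lookups, not for the login itself.
ldapRealm.contextFactory.systemUsername = ldap@kenshooprd.local
ldapRealm.contextFactory.systemPassword = XXXXXXX
# UPN-style bind for the user who is logging in (unchanged from the post).
ldapRealm.userDnTemplate = {0}@kenshooprd.local

# Authorization. The group's "member" attribute holds the user's full DN
# ("CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local"), which cannot be derived
# from "eyalh@kenshooprd.local", so the realm needs a user search to map the
# login name (sAMAccountName) to that DN first (assumption: that is what the
# userSearchBase/userSearchAttributeName pair is for).
ldapRealm.authorizationEnabled = true
ldapRealm.searchBase = DC=kenshooprd,DC=local
ldapRealm.userSearchBase = CN=Users,DC=kenshooprd,DC=local
ldapRealm.userSearchAttributeName = sAMAccountName

# groupSearchBase is a container to search under, not one group's DN, and
# never carries a ":role" suffix.
ldapRealm.groupSearchBase = OU=OpenstackGroups,DC=kenshooprd,DC=local
ldapRealm.groupObjectClass = group
ldapRealm.memberAttribute = member
# Follow nested groups with AD's LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
ldapRealm.groupSearchEnableMatchingRuleInChain = true

# One property, one line: comma-separated "groupName: role" pairs keyed by the
# group's cn, not its DN (a DN contains commas and cannot be expressed here).
# Setting the same key twice only overwrites the first value.
ldapRealm.rolesByGroup = bigdata: admin

securityManager.realms = $ldapRealm

[roles]
admin = *

[urls]
# As in Zeppelin's stock shiro.ini: these paths require the admin role.
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
```

Two checks before and after restarting Zeppelin. First, confirm from the Zeppelin host that the bind account can actually see the membership the realm will ask for, using the same matching rule the config enables: `ldapsearch -x -LLL -h 1.2.3.4 -D ldap@kenshooprd.local -w xxxxx -b "OU=OpenstackGroups,DC=kenshooprd,DC=local" "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local))" cn` should return `cn: bigdata`; if it returns nothing, the problem is directory permissions or the user DN, not shiro.ini. Second, the WARN line from LoginRestApi.postLogin in the posted log is the quickest indicator: after a successful mapping its body reads `"roles":"[admin]"` instead of `"roles":"[]"`, and the `RECEIVE ROLES` line on the websocket shows the same list.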
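To make the mapping mechanics concrete, the following is an added example (not Zeppelin's code and not from the post) that performs the three steps an LDAP realm has to carry out after the login bind succeeds: resolve the login name to the user's DN, find the groups whose `member` attribute contains that DN (optionally walking nested groups client-side, which is the effect AD's LDAP_MATCHING_RULE_IN_CHAIN has server-side), and map group cn to roles from a `group: role, group2: role2` string shaped like Zeppelin's rolesByGroup. The in-memory directory is constructed from the ldapsearch output above plus one hypothetical group, `analytics`, that has `bigdata` as a member; the lower-casing of group names is this example's own choice, not a documented Zeppelin behaviour.

```python
"""Client-side model of LDAP group membership -> Zeppelin roles.

Added example. Directory contents are constructed from the ldapsearch
output in the post plus a hypothetical parent group "analytics".
"""
from __future__ import annotations

from typing import Dict, List, Set

# Constructed directory: DN -> attributes (only what the lookups need).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["eyalh"],
    },
    "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local": {  # from the post
        "objectClass": ["top", "group"],
        "cn": ["bigdata"],
        "member": ["CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local"],
    },
    "CN=analytics,OU=OpenstackGroups,DC=kenshooprd,DC=local": {  # hypothetical
        "objectClass": ["top", "group"],
        "cn": ["analytics"],
        "member": ["CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local"],
    },
}

USER_SEARCH_BASE = "CN=Users,DC=kenshooprd,DC=local"
GROUP_SEARCH_BASE = "OU=OpenstackGroups,DC=kenshooprd,DC=local"


def _norm(dn: str) -> str:
    """DNs compare case-insensitively; normalise before comparing."""
    return dn.lower()


def _under(dn: str, base: str) -> bool:
    """True if dn is the base entry itself or lies beneath it (subtree scope)."""
    dn, base = _norm(dn), _norm(base)
    return dn == base or dn.endswith("," + base)


def parse_roles_by_group(spec: str) -> Dict[str, str]:
    """Parse 'GROUP_A: role_a, GROUP_B: role_b' into {group_cn_lower: role}.

    Keys are group short names (cn). A full DN contains commas, so it cannot
    be written in this comma-separated syntax at all.
    """
    mapping: Dict[str, str] = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"malformed rolesByGroup entry: {item!r}")
        group, role = item.split(":", 1)
        mapping[group.strip().lower()] = role.strip()
    return mapping


def resolve_user_dn(directory, login: str, attr: str = "sAMAccountName") -> str | None:
    """Step 1: (&(objectClass=person)(sAMAccountName=<login>)) under the user base."""
    for dn, attrs in directory.items():
        if not _under(dn, USER_SEARCH_BASE):
            continue
        if "person" not in attrs.get("objectClass", []):
            continue
        if login.lower() in (v.lower() for v in attrs.get(attr, [])):
            return dn
    return None


def groups_containing(directory, member_dn: str, in_chain: bool) -> Set[str]:
    """Step 2: cn of every group under the group base whose member holds member_dn.

    With in_chain=True the search is repeated for each group found, so
    group-in-group membership is followed the way the server does for
    (member:1.2.840.113556.1.4.1941:=<dn>).
    """
    found: Set[str] = set()
    pending = [member_dn]
    seen: Set[str] = set()
    while pending:
        target = _norm(pending.pop())
        if target in seen:  # guards against membership cycles
            continue
        seen.add(target)
        for dn, attrs in directory.items():
            if not _under(dn, GROUP_SEARCH_BASE) or "group" not in attrs.get("objectClass", []):
                continue
            if target in (_norm(m) for m in attrs.get("member", [])):
                found.update(c.lower() for c in attrs.get("cn", []))
                if in_chain:
                    pending.append(dn)  # this group may itself belong to another
    return found


def roles_for(directory, login: str, roles_by_group: str, in_chain: bool = True) -> Set[str]:
    """Step 3: roles the login ends up with; empty set if any step fails."""
    user_dn = resolve_user_dn(directory, login)
    if user_dn is None:
        return set()
    mapping = parse_roles_by_group(roles_by_group)
    groups = groups_containing(directory, user_dn, in_chain)
    return {mapping[g] for g in groups if g in mapping}


if __name__ == "__main__":
    print(roles_for(DIRECTORY, "eyalh", "bigdata: admin, analytics: user"))
```

With nested resolution on, `eyalh` picks up both `admin` (direct member of bigdata) and `user` (bigdata is a member of analytics); with it off, only `admin`. A login that the user search cannot resolve, or a group name that has no entry in the mapping, yields no roles at all, which is exactly the `"roles":"[]"` outcome in the posted log.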