Zeppelin notebook permissions not effective

ekanthb — Mon, 01 May 2017 07:17:59 GMT

I have integrated Zeppelin with AD. The authentication works fine. However, the authorization works partially. i.e. the authorisation is effective on "interpreter" and "configurations" URLS but not effective on Notebooks.

I have a user User1 who is a member of AD_Group1 which is associated with the "admin" role in Shiro. I have a dashboard for which I have configured AD_Group1 as reader, writer and owner. When I login as User1 and try to access the dashboard, I am getting the message "But the user User1 belongs to: [User1]". Clearly, Zeppelin is not aware of the group membership of the user. Below mentioned is my Shiro configuration:

[users]

admin = password1

[main]

activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm

activeDirectoryRealm.systemUsername = user1

activeDirectoryRealm.systemPassword = pwd

#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks

activeDirectoryRealm.searchBase = DC=testcore,DC=test,DC=dir,DC=org,DC=com

activeDirectoryRealm.url = ldaps://testcore.test.dir.org.com:636

activeDirectoryRealm.groupRolesMap = "CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com":"admin" activeDirectoryRealm.authorizationCachingEnabled = true

activeDirectoryRealm.principalSuffix = @testcore.test.dir.org.com

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

securityManager.sessionManager = $sessionManager

securityManager.sessionManager.globalSessionTimeout = 86400000

shiro.loginUrl = /api/login

securityManager.realms = $activeDirectoryRealm

[roles]

admin = *

[urls]

/api/version = anon

/api/interpreter/** = authc, roles[admin]

/api/configurations/** = authc, roles[admin]

/api/credential/** = authc, roles[admin]

#/** = anon /** = authc

I dont see a call made to AD to check the group membership when a Notebook is accessed. These are the logs that I see when I access the Notebook:

DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} AbstractEventDriver.java[incomingFrame]:103) - incomingFrame(TEXT[len=126,fin=true,rsv=...,masked=true])

DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:106) - RECEIVE << GET_NOTE DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:107) - RECEIVE PRINCIPAL << user1

DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:108) - RECEIVE TICKET << b2512330-0a0f-4631-9913-c688d1c9d7f2

DEBUG [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[onMessage]:109) - RECEIVE ROLES << [] INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[sendNote]:423) - New operation from 10.60.179.195 : 49895 : user1 : GET_NOTE : 2CC4Z4DEX

INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[permissionError]:411) - Cannot read. Connection readers [user1]. Allowed readers [APPADMIN]

DEBUG [2017-04-11 10:34:39,044] ({qtp1170794006-15} WebSocketRemoteEndpoint.java[sendString]:385) - sendString with HeapByteBuffer@669d45b[p=0,l=235,c=235,r=235]={<<<{"op":"AUTH_INFO"...us","roles":""}>>>}

However, when I access the "interpreter" or "configurations" url, I get the below logs which explain why the config is effective for URLs:

DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForUser]:286) - Groups found for user [user1]: [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com]

DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForGroups]:316) - User is member of group [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com] so adding role [admin]

The above issue was a known issue with Zeppelin and it is supposed to be fixed in my Zeppelin version. Please see the defect URL here: https://github.com/apache/zeppelin/pull/986

Any help is appreciated.

Re: Zeppelin notebook permissions not effective

kbadani — Tue, 02 May 2017 08:00:16 GMT

@Ekantheshwara Basappa

Can you try adding this config in your [urls] section and restart zeppelin

/api/notebook/** = authc

Re: Zeppelin notebook permissions not effective

ekanthb — Tue, 02 May 2017 10:33:40 GMT

@Kshitij Badani

Thanks Kshitij for your response.

I tried it but the result is same. To be precise, the permissions on the Notebooks work fine when I use the AD User. However, it doesnt work when I use a AD group. For example, if I configure user1 to be the 'reader' of the notebook note1, user1 can read the note1. When I configure group1 to be the 'reader' of the note1, then user1, who is a member of group1 is NOT able to read the note1.

Even while setting up the note permissions, I can look up the AD User in the search text box but NOT the AD group.

Do you have any suggestion for me to trouble shoot this ?

Re: Zeppelin notebook permissions not effective

ekanthb — Mon, 15 May 2017 05:45:36 GMT

The issue got resolved. I had to take out the line "securityManager.realms = $activeDirectoryRealm" from my config and that resolved the issue. I dont see anything wrong in the line I took out. However, I believe this is an optional config.

question Re: Zeppelin notebook permissions not effective in Support Questions

Zeppelin notebook permissions not effective

Re: Zeppelin notebook permissions not effective

Re: Zeppelin notebook permissions not effective

Re: Zeppelin notebook permissions not effective