question Zeppelin LDAP authentication filters HDP 2.3.0 in Archives of Support Questions (Read Only)

Zeppelin LDAP authentication filters HDP 2.3.0

frank93 — Thu, 18 Aug 2016 22:06:25 GMT

Hi all!

I can confirm that Zeppelin LDAP authentication works with HDP stack version 2.3.0. The only problem is that when I use LdapGroupRealm with ldapRealm.contextFactory.environment set to OU with groups only, I can access to Zeppelin as users from any other OU and these users are not a members of any group. When I use JndiLdapRealm I have access as users only from OU set in userDnTemplate, which is ok. Below my shiro.ini config for the first situation which I described

### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
#ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = cn={0},OU=Groups,OU=Zeppelin,DC=MYAD1,DC=COM
ldapRealm.contextFactory.url = ldap://192.168.1.100:389
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
#ldapRealm.userDnTemplate = cn={0},OU=Users,OU=Zeppelin,DC=MYAD1,DC=COM

My question is: does default shiro realm (LdapGroupRealm or JndiLdapRealm) support filtering? I would like to filter users to authenticate. Perfectly would be if I could authenticate users by groups they belong to.

Should I use external .jar?

I use Zeppelin 0.6.0 with HDP stack 2.3.0.

Re: Zeppelin LDAP authentication filters HDP 2.3.0

dautkhanov1 — Tue, 15 Nov 2016 14:14:44 GMT

You would need to set ldapRealm.userDnTemplate to map users to roles automatically.

See code at https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/server/LdapGroupRealm.java

So LdapGroupRealm does filter for groups automatically

String searchFilter = "(&(objectClass=groupOfNames)(member=" + userDnTemplate + "))";

Re: Zeppelin LDAP authentication filters HDP 2.3.0

haaris292 — Wed, 26 Apr 2017 19:35:03 GMT

Hi,

I am trying to restrict a specific group of ActiveDirectory users to access zeppelin.

My shiro looks something like below, can you please suggest where i have to add the group name or make the changes so that the group of users are not able to login to zeppelin.

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
#admin = password1
#user1 = password2, role1, role2
#user2 = password3, role3
#user3 = password4, role2
# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net
activeDirectoryRealm.systemPassword = badPassword
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/conf/zeppelin.jceks
activeDirectoryRealm.searchBase = dc=lab,dc=hortonworks,dc=net
activeDirectoryRealm.url = ldap://ad.example.net:389
activeDirectoryRealm.groupRolesMap = "cn=ldap-admin,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net":"admin"
activeDirectoryRealm.authorizationCachingEnabled =false
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.realms = $activeDirectoryRealm
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout =86400000
shiro.loginUrl =/api/login
[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enfore security, comment the line below and uncomment the next one
/api/version = anon
#/** = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc

Please suggest,

Thanks