https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199343#M68413 <P><A rel="user" href="https://community.cloudera.com/users/17146/shota.html" nodeid="17146">@Shota Akhalaia</A> Can you try once to configure [urls] section as mentioned in this example document: <A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_zeppelin-component-guide/content/config-example.html" target="_blank">https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_zeppelin-component-guide/content/config-example.html</A> ?</P><P>I am just wondering whether order of this line matters in shiro.ini : /** = authc ?</P> Fri, 22 Sep 2017 03:17:20 GMT kbadani 2017-09-22T03:17:20Z https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199342#M68412 <P>Hello guys</P><P>I have zeppelin component in the HDP and configured shiro for active directory auth(LdapRealm)</P><P>I also have set uesr search filter by group(only specified groups can login in the zeppelin web interface) and have created 2 roles: admins and users, but I think the roles does not works at all</P><P>roles configuration I have in the shiro.ini like that:</P><PRE>[roles] admin = * users = *:ToDoItemsJdo:*:*,*:ToDoItem:*:* </PRE><P>goal is that I do not want users to access some configurations in the zeppelin for example restrict access interpreter configs</P><P>I have url config too:</P><PRE>[urls] /** = authc **/interpreter/** = authc, roles[admin] **/configuration/** = authc, roles[admin] </PRE><P>but this does not works either, all loged in users have access to everything <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P><P>in the [main] section:</P><PRE>ldapRealm.rolesByGroup = "Admins":admin,"Users":users</PRE><P>user search by group works, only this 2 group members can login("Admins" and "Users" in the ActiveDirectory)</P><P>Any ideas?</P><P>P.S. here is version numbers: Installed Packages Name : zeppelin_2_6_1_0_129 Arch : noarch Version : 0.7.0.2.6.1.0</P><P>Thank you</P> Thu, 21 Sep 2017 20:20:17 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199342#M68412 shota 2017-09-21T20:20:17Z https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199343#M68413 <P><A rel="user" href="https://community.cloudera.com/users/17146/shota.html" nodeid="17146">@Shota Akhalaia</A> Can you try once to configure [urls] section as mentioned in this example document: <A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_zeppelin-component-guide/content/config-example.html" target="_blank">https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_zeppelin-component-guide/content/config-example.html</A> ?</P><P>I am just wondering whether order of this line matters in shiro.ini : /** = authc ?</P> Fri, 22 Sep 2017 03:17:20 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199343#M68413 kbadani 2017-09-22T03:17:20Z https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199344#M68414 <P>Thank you for reply</P><P>ok here is my new config for urls:</P><PRE>[urls] /** = authc /api/interpreter/** = authc, roles[admin] /api/configuration/** = authc, roles[admin] /api/credential/** = authc, roles[admin] #/** = anon<BR /></PRE><P>but everyone has access to everything anyway</P><P>does [urls] and [roles] sections works for LdapRealm?</P> Fri, 22 Sep 2017 19:28:43 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199344#M68414 shota 2017-09-22T19:28:43Z https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199345#M68415 <P>P.S. also there is some warnings in the /var/log/zeppelin/zeppelin-zeppelin-zeppelin.node.log</P><PRE> WARN [2017-09-22 16:29:38,301] ({qtp760563749-56} JAXRSUtils.java[findTargetMethod]:499) - No operation matching request path "/api/login" is found, Relative Path: /, HTTP Method: GET, ContentType: */*, Accept: application/json,text/plain,*/*,. Please enable FINE/TRACE log level for more details. WARN [2017-09-22 16:29:38,302] ({qtp760563749-56} WebApplicationExceptionMapper.java[toResponse]:73) - javax.ws.rs.ClientErrorException at org.apache.cxf.jaxrs.utils.JAXRSUtils.findTargetMethod(JAXRSUtils.java:503) at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:218) at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXR etc ... ----------------------------- WARN [2017-09-22 16:29:47,865] ({qtp760563749-26} JAXRSUtils.java[findTargetMethod]:499) - No operation matching request path "/api/login;JSESSIONID=a26c09a0-e86d-4e56-97ae-ac3e8d45a057" is found, Relative Path: /, HTTP Method: GET, ContentType: */*, Accept: application/json,text/plain,*/*,. Please enable FINE/TRACE log level for more details. WARN [2017-09-22 16:29:47,866] ({qtp760563749-26} WebApplicationExceptionMapper.java[toResponse]:73) - javax.ws.rs.ClientErrorException at org.apache.cxf.jaxrs.utils.JAXRSUtils.findTargetMethod(JAXRSUtils.java:503) at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:218) etc... -----------------------------</PRE><P>warnings occurs when user logins in the zeppelin UI</P><P>maybe something wrong with path which starts with "api"?</P><P>where is the path configs for zeppelin?</P> Fri, 22 Sep 2017 19:37:30 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199345#M68415 shota 2017-09-22T19:37:30Z https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199346#M68416 <P><A rel="user" href="https://community.cloudera.com/users/17146/shota.html" nodeid="17146">@Shota Akhalaia</A> My guess is that when you have /** = authc<STRONG> before </STRONG>/api/interpreter/** = authc, roles[admin]</P><P>the authorization that you give to 'admin' users only for <STRONG>/api/interpreter/** </STRONG>is getting overridden by <STRONG>/** = authc </STRONG>which basically allows all apis to be accessible to all roles<STRONG>. </STRONG></P><P>I tried it on my instance, and ordering /** = authc as the first line really makes interpreters page accessible to all the users. Whereas making it as the last line makes it accessible only to the 'admin' users. The linked document also suggests to make it as the last line</P><P>So please try this and let me know if it works</P><PRE>[urls] /api/interpreter/** = authc, roles[admin] /api/configuration/** = authc, roles[admin] /api/credential/** = authc, roles[admin] /** = authc #/** = anon</PRE> Sat, 23 Sep 2017 00:53:15 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199346#M68416 kbadani 2017-09-23T00:53:15Z https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199347#M68417 <P>place /** = authc in the end of [urls] section makes sense, also I made little changes in the ldapRealm.rolesByGroup(before it was incorrect syntax) and now everything is working properly</P><P>place urls by correct order was a key, thank you very much</P> Sat, 23 Sep 2017 15:19:20 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199347#M68417 shota 2017-09-23T15:19:20Z https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199348#M68418 <P>Thank you for letting me know and accepting the answer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 26 Sep 2017 01:03:39 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/zeppelin-users-roles/m-p/199348#M68418 kbadani 2017-09-26T01:03:39Z