How can I retrieve LDAP groups for Zeppelin 0.8?

Contributor

Hi everyone,

I've been trying to find out if we can give LDAP groups some roles (admin and user), but without success.

I'm putting my shiro config below. It's working, but when I'm logged in to Zeppelin as a member of an admin group, the web UI is telling me that I don't have permission on the interpreter, credential, etc. pages.

Anyone have a clue ?

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
# To enable admin user, uncomment the following line and set an appropriate password.
#admin = password1, admin
#user1 = password2, role1, role2
#user2 = password3, role3
#user3 = password4, role2


[main]


ldapRealm=org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername=cn=UserBind,ou=Services,dc=domain,dc=company
ldapRealm.contextFactory.systemPassword=PassWord
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://ldap-server:389
ldapRealm.userDnTemplate =uid={0},ou=Users,dc=domain,dc=company


# Ability to set ldap paging Size if needed; default is 100
ldapRealm.pagingSize=200
ldapRealm.authorizationEnabled=true
ldapRealm.searchBase=dc=domain,dc=company
ldapRealm.userSearchBase=dc=domain,dc=company
ldapRealm.groupSearchBase=ou=Groups,dc=domain,dc=company
ldapRealm.userObjectClass=posixAccount
ldapRealm.groupObjectClass=posixGroup
ldapRealm.userSearchFilter = (&(objectclass=posixAccount)(uid={0}))
ldapRealm.memberAttribute=memberOf
ldapRealm.userSearchAttributeName = uid
ldapRealm.groupIdAttribute=cn
ldapRealm.userLowerCase = true
# ability set searchScopes subtree (default), one, base
ldapRealm.userSearchScope = subtree;
ldapRealm.groupSearchScope = subtree;
ldapRealm.groupSearchFilter = (&(objectclass=posixGroup)(memberOf={0}))
# Format to parse & search group member values in 'memberAttribute'
ldapRealm.memberAttributeValueTemplate=uid={0},ou=Groups,dc=domain,dc=company


# Map from physical AD groups to logical application roles
#ldapRealm.allowedRolesForAuthentication = admin_role,user_role
ldapRealm.rolesByGroup = "cn=Group-admin,dc=domain,dc=company":"admin_role", "cn=Group-user,dc=domain,dc=company":"user_role"
ldapRealm.permissionsByRole= admin_role:"*", user_role:"*:ToDoItemsJdo:*:*, *:ToDoItem:*:*"
ldapRealm.groupSearchEnableMatchingRuleInChain = true
# Force usernames returned from ldap to lowercase, useful for AD
#ldapRealm.userLowerCase = true


sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionMode=native
securityManager.sessionManager = $sessionManager
# Set the timeout after the manager is assigned: Shiro applies these lines in order,
# so setting it before the assignment configures the default manager that is then replaced.
securityManager.sessionManager.globalSessionTimeout = 86400000


##########################################
### A sample PAM configuration
#pamRealm=org.apache.zeppelin.realm.PamRealm
#pamRealm.service=sshd
##########################################




### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager


### Enables 'HttpOnly' flag in Zeppelin cookies
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
cookie.httpOnly = true
### Uncomment the below line only when Zeppelin is running over HTTPS
#cookie.secure = true
sessionManager.sessionIdCookie = $cookie


#securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
#securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login


[roles]
#admin_role = *
#user_role = *:ToDoItemsJdo:*:*,*:ToDoItem:*:*
#role1 = *
#role2 = *
#role3 = *
#admin = *


[urls]
# This section is used for url-based security. For details see the shiro.ini documentation.
#
# You can secure interpreter, configuration and credential information by urls.
# Comment or uncomment the below urls that you want to hide:
# anon means the access is anonymous.
# authc means form based auth Security.
#
# IMPORTANT: Order matters: URL path expressions are evaluated against an incoming request
# in the order they are defined and the FIRST MATCH WINS.
#
# To allow anonymous access to all but the stated urls,
# uncomment the line second last line (/** = anon) and comment the last line (/** = authc)
#
#/api/version = anon
# Allow all authenticated users to restart interpreters on a notebook page.
# Comment out the following line if you would like to authorize only admin users to restart interpreters.
#/api/interpreter/setting/restart/** = authc
/api/interpreter/** = authc, roles[admin_role,user_role]
/api/configurations/** = authc, roles[admin_role]
/api/credential/** = authc, roles[admin_role]
#/** = anon
/** = authc


This is the log I get when I'm logging in; as you can see, the roles part is blank:

/api/security/ticket} SecurityRestApi.java[ticket]:88) - {"status":"OK","message":"","body":{"principal":"user","ticket":"22faec60-d905-4757-899e-2a62b6ec7463","roles":"[]"}

Best regards,

Toky

1 ACCEPTED SOLUTION

This problem has been solved! To see the detailed solution you have to log in or register on the community.
4 REPLIES

Master Collaborator
@Toky Raobelina

In the url section I see you have configured

/api/interpreter/** = authc, roles[admin_role,user_role]

It should be anyofroles instead of roles. Refer to the article below to configure it correctly

https://community.hortonworks.com/content/supportkb/208060/unable-to-configure-multiple-groups-mappe...

Please accept this answer if it helps you

Contributor

Hi @scharan,

thanks for your help, I really appreciate it. I've tried these two configurations

the first one :

[main] 

anyofroles = org.apache.zeppelin.utils.AnyOfRolesAuthorizationFilter  

ldapRealm.rolesByGroup = "cn=Group-admin,dc=domain,dc=company":"admin_role", "cn=Group-user,dc=domain,dc=company":"user_role"

[urls] 

/api/interpreter/** = authc, anyofroles[admin_role, user_role]

the second one:

[main] 

anyofrolesuser = org.apache.zeppelin.utils.AnyOfRolesUserAuthorizationFilter

ldapRealm.rolesByGroup = "cn=Group-admin,dc=domain,dc=company":"admin_role", "cn=Group-user,dc=domain,dc=company":"user_role"

[urls] 

/api/interpreter/** = authc, anyofrolesuser[admin_role, user_role]

but neither of them changed anything; I still don't have any permissions or any roles.

/api/security/ticket} SecurityRestApi.java[ticket]:88) - {"status":"OK","message":"","body":{"principal":"user","ticket":"39f0b948-0f6d-4556-b447-c021ca34c8f6","roles":"[]"}}

I've added my user to both LDAP groups but that didn't change anything either. But I think I'm close 🙂

Best regards,

Toky


Explorer

This resolved my problem:

"As per the source code it pulls group's cn based on these values. Also comment out below if there is no group inside groups."

Instead of putting the full DN name, simply put the cn name. Thanks. This should be the accepted answer for Zeppelin 0.8.

Zeppelin version: 0.8; HDP version: HDP 3.1.4
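The two fixes in this thread, as an added model written for this page (not Zeppelin or Shiro source code): the realm looks up each group's cn (the groupIdAttribute value, not the entry DN) in rolesByGroup, so the DN-shaped keys in the question never match and the ticket log shows roles: []; and in [urls], Shiro's roles[a,b] requires every listed role while Zeppelin's anyofroles[a,b] requires any one of them. The shiro.ini fragments, the two group entries, the uid "user" and the alice uid are constructed sample input, and checking membership through memberUid is an assumption that stands in for the realm's real group search filter.

```python
"""Model of (1) how Zeppelin's LdapRealm turns LDAP groups into Shiro roles via
rolesByGroup and (2) how Shiro's roles[...] filter differs from Zeppelin's
anyofroles[...] filter. Added illustration for this thread; not Zeppelin or
Shiro source. Every shiro.ini fragment and LDAP entry below is constructed."""
import configparser
import re
from typing import Dict, List, Set, Tuple

# Constructed shiro.ini fragments. BROKEN keys rolesByGroup by full DN and guards
# /api/interpreter/** with roles[...], as in the question. FIXED keys it by the
# bare cn and uses anyofroles[...], as the replies recommend.
BROKEN_INI = """
[main]
ldapRealm.groupIdAttribute = cn
ldapRealm.rolesByGroup = "cn=Group-admin,dc=domain,dc=company":"admin_role", "cn=Group-user,dc=domain,dc=company":"user_role"

[urls]
/api/interpreter/** = authc, roles[admin_role,user_role]
/api/credential/** = authc, roles[admin_role]
"""

FIXED_INI = """
[main]
ldapRealm.groupIdAttribute = cn
ldapRealm.rolesByGroup = "Group-admin":"admin_role", "Group-user":"user_role"

[urls]
/api/interpreter/** = authc, anyofroles[admin_role, user_role]
/api/credential/** = authc, roles[admin_role]
"""

# Constructed group entries, posixGroup style: memberUid lists bare uids.
# "user" (the principal in the posted ticket log) is only in Group-admin.
SAMPLE_GROUPS: List[Tuple[str, Dict[str, List[str]]]] = [
    ("cn=Group-admin,ou=Groups,dc=domain,dc=company",
     {"cn": ["Group-admin"], "memberUid": ["user"]}),
    ("cn=Group-user,ou=Groups,dc=domain,dc=company",
     {"cn": ["Group-user"], "memberUid": ["alice"]}),
]

RolesByGroup = Dict[str, Set[str]]


def load(ini_text: str) -> Tuple[RolesByGroup, Dict[str, str], str]:
    """Parse rolesByGroup, the [urls] chains and groupIdAttribute from a fragment."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Shiro keys are case-sensitive; keep them as written
    cp.read_string(ini_text)
    # Accept both "quoted":"values" and bare LDN_USERS: user_role pairs.
    pairs = re.findall(r'(?:"([^"]*)"|([^",:\s]+))\s*:\s*(?:"([^"]*)"|([^",\s]+))',
                       cp["main"]["ldapRealm.rolesByGroup"])
    roles_by_group: RolesByGroup = {}
    for qkey, key, qrole, role in pairs:
        roles_by_group.setdefault(qkey or key, set()).add(qrole or role)
    group_id_attr = cp["main"].get("ldapRealm.groupIdAttribute", "cn")
    return roles_by_group, dict(cp["urls"]), group_id_attr


def roles_for(uid: str, groups: List[Tuple[str, Dict[str, List[str]]]],
              roles_by_group: RolesByGroup, group_id_attr: str = "cn",
              member_attr: str = "memberUid") -> Set[str]:
    """Simplified rolesFor(): for each group that lists the user, read the
    groupIdAttribute value (the bare cn, not the entry DN) and look that up in
    rolesByGroup. A DN-shaped key therefore never matches, giving roles: [].
    Membership via member_attr is an assumption standing in for the real
    group search filter."""
    roles: Set[str] = set()
    for _dn, attrs in groups:
        if uid not in attrs.get(member_attr, []):
            continue
        for name in attrs.get(group_id_attr, []):
            roles |= roles_by_group.get(name, set())
    return roles


def is_allowed(chain: str, user_roles: Set[str], authenticated: bool = True) -> bool:
    """Evaluate a [urls] chain such as 'authc, anyofroles[a, b]'.
    roles[...]      -> Shiro RolesAuthorizationFilter: ALL listed roles required.
    anyofroles[...] -> Zeppelin AnyOfRolesAuthorizationFilter: ANY one suffices.
    Other filter names (anon, ...) are treated as pass-through in this model."""
    for name, args in re.findall(r"(\w+)(?:\[([^\]]*)\])?", chain):
        wanted = [a.strip() for a in args.split(",") if a.strip()]
        if name == "authc" and not authenticated:
            return False
        if name == "roles" and not all(r in user_roles for r in wanted):
            return False
        if name == "anyofroles" and not any(r in user_roles for r in wanted):
            return False
    return True


def diagnose(ini_text: str, uid: str, path: str) -> Dict[str, object]:
    """Roles the realm would compute for uid, and whether the chain for path passes."""
    roles_by_group, urls, group_id_attr = load(ini_text)
    roles = roles_for(uid, SAMPLE_GROUPS, roles_by_group, group_id_attr)
    return {"roles": sorted(roles), "allowed": is_allowed(urls[path], roles)}


if __name__ == "__main__":
    for label, ini in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        print(label, diagnose(ini, "user", "/api/interpreter/**"))
```

Running it shows the two failure modes separately: with the DN-keyed mapping the user gets no roles at all, and even once roles arrive, roles[admin_role,user_role] still denies an admin-only member because it requires both, which is why the first reply points at anyofroles.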