Created 11-28-2018 03:02 PM
Hi everyone,
I've been trying to find out if we can give LDAP groups some roles (admin and user), but without success.
I'm putting my shiro config down below. It's working, but when I'm logged in to Zeppelin as a member of an admin group, the web UI
is telling me that I don't have permission on the interpreter, credential, etc. pages.
Anyone have a clue?
[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
# To enable admin user, uncomment the following line and set an appropriate password.
#admin = password1, admin
#user1 = password2, role1, role2
#user2 = password3, role3
#user3 = password4, role2

[main]
ldapRealm=org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername=cn=UserBind,ou=Services,dc=domain,dc=company
ldapRealm.contextFactory.systemPassword=PassWord
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://ldap-server:389
ldapRealm.userDnTemplate =uid={0},ou=Users,dc=domain,dc=company
# Ability to set ldap paging Size if needed; default is 100
ldapRealm.pagingSize=200
ldapRealm.authorizationEnabled=true
ldapRealm.searchBase=dc=domain,dc=company
ldapRealm.userSearchBase=dc=domain,dc=company
ldapRealm.groupSearchBase=ou=Groups,dc=domain,dc=company
ldapRealm.userObjectClass=posixAccount
ldapRealm.groupObjectClass=posixGroup
ldapRealm.userSearchFilter = (&(objectclass=posixAccount)(uid={0}))
ldapRealm.memberAttribute=memberOf
ldapRealm.userSearchAttributeName = uid
ldapRealm.groupIdAttribute=cn
ldapRealm.userLowerCase = true
# ability set searchScopes subtree (default), one, base
ldapRealm.userSearchScope = subtree;
ldapRealm.groupSearchScope = subtree;
ldapRealm.groupSearchFilter = (&(objectclass=posixGroup)(memberOf={0}))
# Format to parse & search group member values in 'memberAttribute'
ldapRealm.memberAttributeValueTemplate=uid={0},ou=Groups,dc=domain,dc=company
# Map from physical AD groups to logical application roles
#ldapRealm.allowedRolesForAuthentication = admin_role,user_role
ldapRealm.rolesByGroup = "cn=Group-admin,dc=domain,dc=company":"admin_role", "cn=Group-user,dc=domain,dc=company":"user_role"
ldapRealm.permissionsByRole= admin_role:"*", user_role:"*:ToDoItemsJdo:*:*, *:ToDoItem:*:*"
ldapRealm.groupSearchEnableMatchingRuleInChain = true
# Force usernames returned from ldap to lowercase, useful for AD
#ldapRealm.userLowerCase = true
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionMode=native
securityManager.sessionManager.globalSessionTimeout = 86400000
securityManager.sessionManager = $sessionManager
##########################################
### A sample PAM configuration
#pamRealm=org.apache.zeppelin.realm.PamRealm
#pamRealm.service=sshd
##########################################
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager
### Enables 'HttpOnly' flag in Zeppelin cookies
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
cookie.httpOnly = true
### Uncomment the below line only when Zeppelin is running over HTTPS
#cookie.secure = true
sessionManager.sessionIdCookie = $cookie
#securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
#securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
#admin_role = *
#user_role = *:ToDoItemsJdo:*:*,*:ToDoItem:*:*
#role1 = *
#role2 = *
#role3 = *
#admin = *

[urls]
# This section is used for url-based security. For details see the shiro.ini documentation.
#
# You can secure interpreter, configuration and credential information by urls.
# Comment or uncomment the below urls that you want to hide:
# anon means the access is anonymous.
# authc means form based auth Security.
#
# IMPORTANT: Order matters: URL path expressions are evaluated against an incoming request
# in the order they are defined and the FIRST MATCH WINS.
#
# To allow anonymous access to all but the stated urls,
# uncomment the line second last line (/** = anon) and comment the last line (/** = authc)
#
#/api/version = anon
# Allow all authenticated users to restart interpreters on a notebook page.
# Comment out the following line if you would like to authorize only admin users to restart interpreters.
#/api/interpreter/setting/restart/** = authc
/api/interpreter/** = authc, roles[admin_role,user_role]
/api/configurations/** = authc, roles[admin_role]
/api/credential/** = authc, roles[admin_role]
#/** = anon
/** = authc
This is the log I get when I'm logging in; as you can see, the roles part is blank:
/api/security/ticket} SecurityRestApi.java[ticket]:88) - {"status":"OK","message":"","body":{"principal":"user","ticket":"22faec60-d905-4757-899e-2a62b6ec7463","roles":"[]"}
Best regards,
Toky
Created 08-29-2019 10:04 PM
Hi @raobelina_toky_, is this setup done?
If not, please try out the steps below.
Step1:
In rolesByGroup, please specify only the group's cn and not the full DN. Change "cn=Group-admin,dc=domain,dc=company":"admin_role" to Group-admin:admin_role.
Step2:
Validate your group search base path (ldapRealm.groupSearchBase), the group object class name and the member attribute.
For instance, if your settings are:
ldapRealm.groupSearchBase = dc=domain, dc=company
ldapRealm.groupObjectClass = posixGroup
ldapRealm.memberAttribute = member
As per the source code, it pulls the group's cn based on these values. Also comment out the line below if there are no nested groups (groups inside groups).
# Enable support for nested groups using the LDAP_MATCHING_RULE_IN_CHAIN operator
#ldapRealm.groupSearchEnableMatchingRuleInChain = true
To cross-verify your settings, try ldapsearch, which comes as part of the ldap-utils package.
Replace the values in <> and run the search:
ldapsearch -h <ldapHost> -p <ldapport> -D <ldapRealm.contextFactory.systemUsername> -w <bind user password> -b <groupSearchBase> -s sub "(objectclass=<groupObjectClass>)"
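A worked version of Step 1 and Step 2 above, added here as an example; it is not code from the thread or from Zeppelin. It parses the LdapRealm keys out of a shiro.ini, flags rolesByGroup keys written as full DNs and rewrites them to the bare cn form the answer recommends, checks the group lookup settings, and assembles the ldapsearch verification command from the answer with the values taken from the config. The sample ini is constructed from the question's [main] section. Two of the checks are my additions, not something the thread states: posixGroup entries list members in memberUid under the RFC 2307 schema, and LDAP_MATCHING_RULE_IN_CHAIN is an Active Directory extension. The ldapsearch command uses -H (URI) and -W (prompt for the bind password) instead of the answer's -h/-p/-w so the password does not land in shell history or the process list.

```python
"""Sanity-check the LdapRealm block of a Zeppelin shiro.ini.

Reports the two problems the thread ends up fixing: rolesByGroup keys written
as full DNs instead of the group cn, and group lookup settings that cannot
match the directory, both of which surface as "roles":"[]" in the ticket.
"""
import configparser
import re
import shlex

# Constructed sample: the relevant [main] keys from the question, verbatim.
SAMPLE_SHIRO_INI = """\
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername = cn=UserBind,ou=Services,dc=domain,dc=company
ldapRealm.contextFactory.url = ldap://ldap-server:389
ldapRealm.groupSearchBase = ou=Groups,dc=domain,dc=company
ldapRealm.groupObjectClass = posixGroup
ldapRealm.memberAttribute = memberOf
ldapRealm.groupSearchFilter = (&(objectclass=posixGroup)(memberOf={0}))
ldapRealm.groupSearchEnableMatchingRuleInChain = true
ldapRealm.rolesByGroup = "cn=Group-admin,dc=domain,dc=company":"admin_role", "cn=Group-user,dc=domain,dc=company":"user_role"
"""

# group:role pairs, each side either "quoted" or a bare token without , : or whitespace
_PAIR_RE = re.compile(r'(?:"([^"]*)"|([^,:"\s]+))\s*:\s*(?:"([^"]*)"|([^,\s"]+))')


def load_main(ini_text):
    """Return the [main] section as a dict, key case preserved.
    strict=False tolerates the duplicated sessionManager line in the question."""
    cp = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(ini_text)
    return dict(cp["main"])


def parse_roles_by_group(value):
    """Parse rolesByGroup; accepts both the quoted-DN form from the question
    and the bare Group-admin:admin_role form from the answer."""
    mapping = {}
    for m in _PAIR_RE.finditer(value):
        group = m.group(1) if m.group(1) is not None else m.group(2)
        role = m.group(3) if m.group(3) is not None else m.group(4)
        mapping[group] = role
    return mapping


def cn_of(group_key):
    """Bare cn of a DN-shaped key; a key that is already a plain name is returned as is."""
    m = re.match(r"\s*cn\s*=\s*([^,]+)", group_key, re.IGNORECASE)
    return m.group(1).strip() if m else group_key


def check_roles_by_group(mapping):
    """Per the answer, LdapRealm matches the group's cn (groupIdAttribute),
    so a key that is a full DN never matches and the user ends up with no roles."""
    return [f'rolesByGroup key "{g}" looks like a DN; use the bare cn "{cn_of(g)}"'
            for g in mapping if "=" in g]


def fixed_roles_by_group(mapping):
    """Rewrite DN keys to the bare cn, as the answer suggests."""
    return {cn_of(g): r for g, r in mapping.items()}


def render_roles_by_group(mapping):
    """Serialize back into the Group-admin:admin_role form."""
    return ", ".join(f"{g}:{r}" for g, r in mapping.items())


def check_group_settings(main):
    """Findings for the group lookup settings the answer says to validate.
    The posixGroup/memberUid and matching-rule-in-chain checks are my own
    additions from schema knowledge, not statements made in the thread."""
    findings = []
    obj_class = main.get("ldapRealm.groupObjectClass", "")
    member_attr = main.get("ldapRealm.memberAttribute", "")
    group_filter = main.get("ldapRealm.groupSearchFilter", "")
    if obj_class.lower() == "posixgroup" and member_attr.lower() != "memberuid":
        findings.append(f"groupObjectClass is posixGroup but memberAttribute is {member_attr!r}; "
                        "RFC 2307 posixGroup lists members in memberUid")
    if "memberof" in group_filter.lower():
        findings.append("groupSearchFilter matches on memberOf, which lives on the user entry, "
                        "not on the group entry; filter on the group's member attribute instead")
    if main.get("ldapRealm.groupSearchEnableMatchingRuleInChain", "").lower() == "true":
        findings.append("groupSearchEnableMatchingRuleInChain=true relies on LDAP_MATCHING_RULE_IN_CHAIN, "
                        "an Active Directory extension; comment it out unless you need nested groups on AD")
    return findings


def ldapsearch_command(main):
    """The verification command from the answer, filled in from the config.
    -W prompts for the bind password instead of taking it on the command line."""
    return " ".join([
        "ldapsearch",
        "-H", shlex.quote(main["ldapRealm.contextFactory.url"]),
        "-D", shlex.quote(main["ldapRealm.contextFactory.systemUsername"]),
        "-W",
        "-b", shlex.quote(main["ldapRealm.groupSearchBase"]),
        "-s", "sub",
        shlex.quote(f"(objectclass={main['ldapRealm.groupObjectClass']})"),
    ])


if __name__ == "__main__":
    cfg = load_main(SAMPLE_SHIRO_INI)
    groups = parse_roles_by_group(cfg["ldapRealm.rolesByGroup"])
    for finding in check_roles_by_group(groups) + check_group_settings(cfg):
        print("WARN:", finding)
    print("ldapRealm.rolesByGroup =", render_roles_by_group(fixed_roles_by_group(groups)))
    print("verify with:", ldapsearch_command(cfg))
```

Point it at your real shiro.ini by reading the file into `load_main` instead of the constructed sample; if the rewritten rolesByGroup line still yields an empty roles list, run the printed ldapsearch and compare the cn values it returns with the keys you configured.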
Created 11-28-2018 05:03 PM
In the url section I see you have configured
It should be anyofroles instead of roles. Refer to the article below to configure it correctly.
Please accept this answer if it helps you.
Created 11-29-2018 02:19 PM
Hi @scharan,
thanks for your help, I really appreciate it. I've tried these two configurations.
The first one:
[main]
anyofroles = org.apache.zeppelin.utils.AnyOfRolesAuthorizationFilter
ldapRealm.rolesByGroup = "cn=Group-admin,dc=domain,dc=company":"admin_role", "cn=Group-user,dc=domain,dc=company":"user_role"

[urls]
/api/interpreter/** = authc, anyofroles[admin_role, user_role]
The second one:
[main]
anyofrolesuser = org.apache.zeppelin.utils.AnyOfRolesUserAuthorizationFilter
ldapRealm.rolesByGroup = "cn=Group-admin,dc=domain,dc=company":"admin_role", "cn=Group-user,dc=domain,dc=company":"user_role"

[urls]
/api/interpreter/** = authc, anyofrolesuser[admin_role, user_role]

But neither of them changed anything; I still don't have any permissions or any roles.
/api/security/ticket} SecurityRestApi.java[ticket]:88) - {"status":"OK","message":"","body":{"principal":"user","ticket":"39f0b948-0f6d-4556-b447-c021ca34c8f6","roles":"[]"}}
I've added my user to both LDAP groups, but that didn't change anything either. But I think I'm close 🙂
Best regards,
Toky
Created 12-19-2019 01:00 PM
This resolved my problem:
"As per the source code it pulls group's cn based on these values. Also comment out below if there is no group inside groups."
Instead of putting the full DN, simply put the cn. Thanks. This should be the accepted answer for Zeppelin 0.8.
Zeppelin version: 0.8; HDP version: HDP 3.1.4