How to configure groups and roles mapping using ldapRealm in Shiro config for Zeppelin?
Labels: Apache Zeppelin
Created ‎06-27-2017 03:07 AM
I have been trying to configure groups and roles mapping in Shiro Config of Zeppelin. I am using FreeIPA as the LDAP Server and therefore I need to use ldapRealm in Shiro. I need to assign different 'roles' to different LDAP groups and then define what access these different roles have in Zeppelin. I could not get any documentation online for achieving this using ldapRealm. I have achieved the same using ActiveDirectoryRealm in a different env where AD was used. However, I have not been able to successfully do the config using ldapRealm. Any guidance appreciated.
Created ‎07-10-2017 11:37 AM
@Ekanthesara Basappa did you figure out how to achieve this?
Created ‎07-11-2017 11:38 AM
@Ekantheshwara Basappa can you share how you configured it with AD? I'm trying to achieve the same with AD.
Created ‎07-11-2017 05:33 PM
Groups and roles mapping using ldapRealm in Shiro is not supported as of Zeppelin 0.6.0. What is your HDP version? Below is the Apache Jira:
https://issues.apache.org/jira/browse/ZEPPELIN-1472
The ldap realm will be changed to 'ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm' and you can use 'ldapRealm.rolesByGroup = hdpeng: admin' for group role mapping.
Created ‎10-18-2017 07:57 AM
Hello @Ekantheshwara Basappa
Did you find a solution for this issue? I have the same problem.
I'm on HDP 2.6.2 and Zeppelin 0.7.2.
Created ‎11-03-2017 12:56 PM
@farhanekarim The feature was added in zeppelin 0.7.0, so you should be able to get it working. There's some documentation on using LdapRealm, but there aren't many examples floating about, best to look at the conf example in the code. Basically you want something like:
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://localhost:33389
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.systemUsername = uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.systemPassword = ${ALIAS=ldcSystemPassword}
ldapRealm.authorizationEnabled = true
ldapRealm.userSearchBase = dc=hadoop,dc=apache,dc=org
ldapRealm.groupSearchBase = ou=groups,dc=hadoop,dc=apache,dc=org
ldapRealm.userObjectClass = person
ldapRealm.groupObjectClass = groupofnames
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.memberAttribute = member
ldapRealm.rolesByGroup = LDN_USERS: user_role, NYK_USERS: user_role, GLOBAL_ADMIN: admin_role

[roles]
user_role = *
admin_role = *
The code for Zeppelin is similar to the Apache Knox codebase, so if you get stuck have a look for Knox LDAP configuration (e.g. here).
Created ‎11-06-2017 03:34 PM
Thanks Scott for your add.
I have already tried this. But the problem is that Apache Shiro does not retrieve group membership from LDAP.
And I think it's a bug in the 0.7.0 of Zeppelin: https://issues.apache.org/jira/browse/ZEPPELIN-2796
Unfortunately, this is corrected in the 0.8 version of Zeppelin and I don't know when it will be packaged on HDP?
Do you have information about this?
Thank you
Created ‎05-15-2018 10:21 PM
Created ‎06-12-2018 10:21 AM
Have you resolved this? We configured Zeppelin ver. 0.7.0 using LdapRealm and roles are populated. The key properties are
ldapRealm.groupObjectClass=group
ldapRealm.memberAttribute=member
ldapRealm.groupIdAttribute=cn
These are defaults, and I don't have an IPA server handy, so please do an ldapsearch for one of your groups to confirm. You will see multiple group classes in the output; select the one used for users' groups. "memberAttribute" appears on the left side in the list of group members. And "groupIdAttribute" is what LdapRealm will return as the group name instead of the "long" LDAP name, without any OUs, DCs etc. Use those group names in your "rolesByGroup" and keep the capitals if any. Also restrict your "groupSearchBase" as much as possible, and you can also try to increase ldapRealm.pageSize from the default 100 to 200 or 300. If you still get no roles, post your LdapRealm settings and a few lines from your ldapsearch.
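The two answers above (Scott's example config and Predrag's ldapsearch check) both hinge on the same thing: which entries LdapRealm treats as groups (groupObjectClass), how it decides the user is a member (memberAttribute), and which short name (groupIdAttribute) it then looks up in rolesByGroup. The script below is an added example, not Zeppelin or Shiro code: it replays that resolution over a constructed LDIF snippet so you can paste in real ldapsearch output and see which group names and roles your settings would yield. All DNs and group names are made up.

```python
from collections import defaultdict
# Constructed ldapsearch-style LDIF (not a real directory), shaped like the example above.
SAMPLE_LDIF = """\
dn: cn=GLOBAL_ADMIN,ou=groups,dc=hadoop,dc=apache,dc=org
objectClass: groupofnames
cn: GLOBAL_ADMIN
member: uid=alice,ou=people,dc=hadoop,dc=apache,dc=org

dn: cn=LDN_USERS,ou=groups,dc=hadoop,dc=apache,dc=org
objectClass: groupofnames
cn: LDN_USERS
member: uid=alice,ou=people,dc=hadoop,dc=apache,dc=org

dn: cn=posix_team,ou=groups,dc=hadoop,dc=apache,dc=org
objectClass: posixGroup
cn: posix_team
memberUid: bob
"""

def parse_ldif(text):
    """Split LDIF into entries: dict of lower-cased attribute -> list of values."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines() + [""]:
        if line.strip():
            attr, _, value = line.partition(":")
            current[attr.strip().lower()].append(value.strip())
        elif current:                 # blank line ends an entry
            entries.append(dict(current))
            current = defaultdict(list)
    return entries

def parse_roles_by_group(spec):
    # Parse 'GROUP: role, GROUP2: role2' exactly as written in shiro.ini.
    pairs = (p.partition(":") for p in spec.split(","))
    return {g.strip(): r.strip() for g, _, r in pairs}

def roles_for_user(user_dn, ldif, group_object_class, member_attribute,
                   group_id_attribute, roles_by_group):
    # Returns (short group names, roles) that these LdapRealm keys imply for user_dn.
    mapping = parse_roles_by_group(roles_by_group)
    groups, roles = [], set()
    for entry in parse_ldif(ldif):
        if group_object_class.lower() not in [c.lower() for c in entry.get("objectclass", [])]:
            continue                  # other classes (e.g. posixGroup) are ignored
        if user_dn not in entry.get(member_attribute.lower(), []):
            continue                  # user DN must be listed under memberAttribute
        name = entry[group_id_attribute.lower()][0]   # groupIdAttribute (cn), not the DN
        groups.append(name)
        if name in mapping:           # rolesByGroup key must match, capitals included
            roles.add(mapping[name])
    return groups, sorted(roles)
```

A user who is only in a posixGroup, or whose group name is spelled with different capitals in rolesByGroup, comes back with a group list but no roles, which is the "no roles" symptom described in this thread.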
Created ‎07-10-2018 03:19 PM
Hi Predrag,
We are facing the same issues and somehow we can't get it working.
Do you have any idea where we go wrong?
Thanks,
Andras
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername = aduser@domain.local
ldapRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelinldap.jceks
ldapRealm.searchBase = "OU=User Accounts,DC=domain,DC=local"
ldapRealm.userSearchBase = "OU=User Accounts,DC=domain,DC=local"
ldapRealm.groupSearchBase = "OU=User Accounts,DC=domain,DC=local"
ldapRealm.groupObjectClass = group
ldapRealm.memberAttribute = member
ldapRealm.groupIdAttribute = cn
ldapRealm.groupSearchEnableMatchingRuleInChain = true
ldapRealm.rolesByGroup = users: admin
ldapRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0})(memberOf=CN=users,OU=User Accounts,DC=domain,DC=local))
ldapRealm.contextFactory.url = ldap://AD.domain.local:389
