Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

How to configure groups and roles mapping using ldapRealm in Shiro config for Zeppelin ?

avatar
Rising Star

I have been trying to configure groups and roles mapping in Shiro Config of Zeppelin. I am using FreeIPA as the LDAP Server and therefore I need to use ldapRealm in Shiro. I need to assign different 'roles' to different LDAP groups and then define what access these different roles have in Zeppelin. I could not get any documentation online for achieving this using ldapRealm. I have achieved the same using ActiveDirectoryRealm in a different env where AD was used. However, I have not been able to successfully do the config using ldapRealm. Any guidance appreciated.

10 REPLIES 10

avatar
Contributor

@Ekanthesara Basappa did you figure out on how to achieve this?

avatar
Super Collaborator

@Ekantheshwara Basappa can you share how you configured it with AD? i'm trying to achieve the same with AD.

avatar
Expert Contributor

@Ekantheshwara Basappa

Groups and roles mapping using ldapRealm in shiro is not supported as per Zeppelin 0.6.0 version. What is your HDP version? Below is the Apache Jira:

https://issues.apache.org/jira/browse/ZEPPELIN-1472

The ldap realm will be changed to 'ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm' and you can use 'ldapRealm.rolesByGroup = hdpeng: admin' for group role mapping.

avatar
New Contributor

Hello @Ekantheshwara Basappa
did you find a solution for this issue ? I have the same problem.
I'm in HDP 2.6.2 and zeppelin 0.7.2

avatar
New Contributor

@farhanekarim The feature was added in zeppelin 0.7.0, so you should be able to get it working. There's some documentation on using LdapRealm, but there aren't many examples floating about, best to look at the conf example in the code. Basically you want something like:

ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://localhost:33389
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.systemUsername = uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.systemPassword = S{ALIAS=ldcSystemPassword}
ldapRealm.authorizationEnabled = true
ldapRealm.userSearchBase = dc=hadoop,dc=apache,dc=org
ldapRealm.groupSearchBase = ou=groups,dc=hadoop,dc=apache,dc=org
ldapRealm.userObjectClass = person
ldapRealm.groupObjectClass = groupofnames
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.memberAttribute = member
ldapRealm.rolesByGroup = LDN_USERS: user_role, NYK_USERS: user_role, GLOBAL_ADMIN: admin_role
[roles]
user_role = *
admin_role= *

The code for Zeppelin is similar to the Apache Knox codebase, so if you get stuck have a look for Knox LDAP configuration (e.g. here).

avatar
New Contributor

Thanks Scott for your add.
I have already tried this. But the problem is that apache shiro does not retreive group memebership from ldap.
And i think it's a bug in the 0.7.0 of zeppelin: https://issues.apache.org/jira/browse/ZEPPELIN-2796
Unfortunately, this is corrected in the 0.8 version of zeppelin and i don't know when it will be packaged on HDP ?
do you have informations about this ?
thank you

avatar
Guru

@karim farhane,

ZEPPELIN-2796 is included in HDP version 2.6.3 onwards. FYI.

avatar
Master Guru

Have you resolved this? We configured Zeppelin ver. 0.7.0 using LdapRealm and roles are populated. The key properties are

ldapRealm.groupObjectClass=group
ldapRealm.memberAttribute=member
ldapRealm.groupIdAttribute=cn

These are defaults, and I don't have IPA server handy, so please do ldapsearch for one of your groups to confirm. You will see multiple group's classes in the output, select one used for users' groups. "memberAttribute" appears on the left side in the list of group members. And "GroupIdAttribute" is what LdapRealm will return as the group name instead of the "long" ldap name, without any OUs, DCs etc. Use those group names in your "rolesByGroup" and keep the capitals if any. Also restrict as much as possible your "groupSearchBase" and you can also try to increase ldapRealm.pageSize from default 100 to 200 or 300. If you still get no roles post your LdapRealm settings, and a few lines from your ldapsearch.

avatar
New Contributor

Hi Predrag,
We face with the same issues and somehow we can't get it working.
Do you have any idea where we go wrong?
Thanks,
Andras

ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername = aduser@domain.local
ldapRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelinldap.jceks
ldapRealm.searchBase = "OU=User Accounts,DC=domain,DC=local"
ldapRealm.userSearchBase = "OU=User Accounts,DC=domain,DC=local"
ldapRealm.groupSearchBase = "OU=User Accounts,DC=domain,DC=local"
ldapRealm.groupObjectClass = group
ldapRealm.memberAttribute = member
ldapRealm.groupIdAttribute = cn
ldapRealm.groupSearchEnableMatchingRuleInChain = true
ldapRealm.rolesByGroup = users: admin
ldapRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0})(memberOf=CN=users,OU=User Accounts,DC=domain,DC=local))
ldapRealm.contextFactory.url = ldap://AD.domain.local:389