
How to limit access to Zeppelin WebUI based for specific groups from AD via shiro.ini

New Contributor

Dears, I'm trying to configure Shiro to authenticate users from AD and to limit WebUI login access to a specific group.

Here's my shiro.ini config:

[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = someuser
activeDirectoryRealm.systemPassword = somepassword
activeDirectoryRealm.searchBase = "OU=x,OU=y,OU=z,DC=,DC=x,DC=x"
activeDirectoryRealm.url = ldaps://ldap.domain.com:636
activeDirectoryRealm.groupRolesMap = "CN=HADOOP_GROUP,OU=x,OU=y,OU=z,OU=x,DC=x,DC=x,DC=x":"role1"
activeDirectoryRealm.authorizationCachingEnabled = false

[roles]
role1 = *

[urls]
/api/version = anon
#/** = anon
/** = authc

Currently, authentication works for every user who is in the search base, so everyone from the search base can log in. What I want to achieve is to limit access to a specific group, so that only users who are members of this group can log in. For testing purposes I created two users. The first belongs to the group listed in groupRolesMap, where role1 = * is applied, and the second belongs to another group, which is not listed in shiro.ini. The problem is that both users can log in, because both users are in the same search base.

Is there any way to limit such access? What am I missing?

I'll appreciate your help. Kind regards,


Rising Star

@Michał Kabocik

You can attach access control filters to the Shiro URL patterns to restrict them to certain roles; in your case it would look something like this:

[urls]
# authentication method and access control filters
/api/version = anon
/** = authc, roles[role1]

You can even take it a step further and limit access to a subset of the configuration pages within Zeppelin (i.e., lock down the 'Interpreter' or 'Configurations' page so that only admins can use it):

[urls]
# authentication method and access control filters
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc

See the following documentation for an example Zeppelin shiro config that does this:

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_zeppelin-component-guide/content/zepp-shi...

New Contributor

This does not work (Zeppelin 0.7). The /login call gets stuck in a recursive loop in this scenario.

New Contributor

Hi,

I am trying to restrict access to Zeppelin to a specific group of Active Directory users.

My shiro.ini looks something like the one below. Can you please suggest where I have to add the group name, or which changes to make, so that users outside that group are not able to log in to Zeppelin?

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
#admin = password1
#user1 = password2, role1, role2
#user2 = password3, role3
#user3 = password4, role2
# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net
activeDirectoryRealm.systemPassword = badPassword
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/conf/zeppelin.jceks
activeDirectoryRealm.searchBase = dc=lab,dc=hortonworks,dc=net
activeDirectoryRealm.url = ldap://ad.example.net:389
activeDirectoryRealm.groupRolesMap = "cn=ldap-admin,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.realms = $activeDirectoryRealm
# 86,400,000 milliseconds = 24 hours
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
#/** = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc

Please suggest,

Thanks

Super Collaborator

@Michał Kabocik @Sohaib Iftikhar

In Zeppelin 0.7 (HDP 2.6) there is a new LdapRealm that allows you to specify a search filter. With the search filter we can restrict login based on groups. Below is one such example I tested in my lab. Please note that this works only in HDP 2.6 / Zeppelin 0.7 and above.

In HDP 2.5 this was not possible, because the Active Directory realm was based on the UserPrincipalName attribute and there was no way to filter users based on groups, so login could not be restricted; but with authorization you can restrict which users may access specific URLs based on the group-role map.

[main]
ldapADGCRealm = org.apache.zeppelin.realm.LdapRealm
ldapADGCRealm.contextFactory.systemUsername = hadoopadmin@lab.hortonworks.net
ldapADGCRealm.contextFactory.systemPassword = <Password>
ldapADGCRealm.searchBase = "dc=lab,dc=hortonworks,dc=net"
ldapADGCRealm.userSearchBase = "dc=lab,dc=hortonworks,dc=net"
ldapADGCRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0})(|(memberOf=CN=hr,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net)(memberOf=CN=hadoop-admins,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net)(memberOf=CN=sales,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net)))
ldapADGCRealm.contextFactory.url = ldap://LdapServer:389
#ldapADGCRealm.userSearchAttributeName = sAMAccountName
ldapADGCRealm.contextFactory.authenticationMechanism = simple
#ldapADGCRealm.userObjectClass = user
ldapADGCRealm.groupObjectClass = group
ldapADGCRealm.memberAttribute = member
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

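The reason the userSearchFilter above restricts login is that the realm first has to find exactly one directory entry matching the filter (with {0} replaced by the login name) before it can bind as that user; a user whose memberOf values contain none of the listed group DNs matches no entry, so authentication fails before any password is checked. The following added example (not Zeppelin or Shiro code) evaluates that same filter against a small constructed in-memory directory to show which login names get through. The entries, the login names and the hypothetical helper names are all assumptions made for the example; the value substituted for {0} is escaped per RFC 4515 so that a login name cannot alter the filter's structure (whether a given realm does this itself is not covered on this page).

```python
"""Evaluate an RFC 4515 LDAP search filter against constructed directory entries.

Added example, not code from Zeppelin or Apache Shiro.  It mirrors what an LDAP
realm does with userSearchFilter: substitute the login name for {0}, search,
and refuse to authenticate unless exactly one entry matches.
"""
import re

# The userSearchFilter from the shiro.ini above, with the {0} placeholder kept.
USER_SEARCH_FILTER = (
    "(&(objectclass=user)(sAMAccountName={0})"
    "(|(memberOf=CN=hr,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net)"
    "(memberOf=CN=hadoop-admins,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net)"
    "(memberOf=CN=sales,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net)))"
)

# Constructed entries (assumption, not a real AD).  memberOf is multi-valued.
DIRECTORY = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["alice"],
     "memberOf": ["CN=hr,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net"]},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["bob"],
     "memberOf": ["CN=marketing,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net"]},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["carol"],
     "memberOf": ["CN=hadoop-admins,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net",
                  "CN=sales,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a filter: \\ * ( ) and NUL."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value: turn \\XX hex escapes back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter using &, |, ! and equality/presence into a nested tuple."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        # Simple item: literal ')' never appears inside an escaped value.
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, like AD)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":  # presence filter
        return bool(values)
    return unescape_filter_value(value).lower() in values


def find_user(login_name, directory=DIRECTORY, template=USER_SEARCH_FILTER):
    """Return the single entry the realm would bind as, or None if login must fail."""
    node = parse_filter(template.replace("{0}", escape_filter_value(login_name)))
    hits = [e for e in directory if matches(node, e)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        print(name, "->", "allowed" if find_user(name) else "denied")
```

alice (hr) and carol (hadoop-admins and sales) are found; bob, whose only group is marketing, matches no entry even though he is inside the search base, and an unknown name or a name containing filter metacharacters is rejected the same way. Before changing shiro.ini on a live system, the same filter (with a concrete sAMAccountName in place of {0}) can be run with ldapsearch against the real directory to confirm it returns exactly one entry for each user who should be able to log in.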

Explorer
@rguruvannagari

This is what I was looking for, it's perfect. Just one question: I would like to also configure ldapADGCRealm.rolesByGroup so that I can give proper authorization. Do you have any updates?
