Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How to restrict specific ActiveDirectory users to access zeppelin

Labels:
avatar
author-rank haaris292
Explorer

Created ‎04-26-2017 01:28 PM

Hi,

I am trying to restrict a specific group of ActiveDirectory users to access zeppelin.

My shiro looks something like below, can you please suggest where i have to add the group name or make the changes so that the group of users are not able to login to zeppelin.

  1. [users]
  2. # List of users with their password allowed to access Zeppelin.
  3. # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
  4. #admin = password1
  5. #user1 = password2, role1, role2
  6. #user2 = password3, role3
  7. #user3 = password4, role2
  8. # Sample LDAP configuration, for user Authentication, currently tested for single Realm
  9. [main]
  10. activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
  11. activeDirectoryRealm.systemUsername = cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net
  12. activeDirectoryRealm.systemPassword = badPassword
  13. #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/conf/zeppelin.jceks
  14. activeDirectoryRealm.searchBase = dc=lab,dc=hortonworks,dc=net
  15. activeDirectoryRealm.url = ldap://ad.example.net:389
  16. activeDirectoryRealm.groupRolesMap = "cn=ldap-admin,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net":"admin"
  17. activeDirectoryRealm.authorizationCachingEnabled =false
  18. sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
  19. securityManager.sessionManager = $sessionManager
  20. securityManager.realms = $activeDirectoryRealm
  21. # 86,400,000 milliseconds = 24 hour
  22. securityManager.sessionManager.globalSessionTimeout =86400000
  23. shiro.loginUrl =/api/login
  24. [urls]
  25. # anon means the access is anonymous.
  26. # authcBasic means Basic Auth Security
  27. # To enfore security, comment the line below and uncomment the next one
  28. /api/version = anon
  29. #/** = anon
  30. /api/interpreter/** = authc, roles[admin]
  31. /api/configurations/** = authc, roles[admin]
  32. /api/credential/** = authc, roles[admin]
  33. /** = authc

Please suggest,

Thanks

4,485 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rguruvannagari author-rank
Super Collaborator

Created ‎05-28-2017 08:36 AM

@Haaris Khan

In Zeppelin 0.7, HDP2.6 we have new LdapRealm, that allows to specify search filter. With the search filter we can restrict login based on groups. Below is one such example I tested in my lab. Please note that this works only in HDP2.6 or zeppelin 0.7 and above.

In HDP2.5 this was not possible because active directory realm was based on UserPrincipalName attribute and there was no way to filter the users based on groups so login cannot be restricted, but with Authorization(as mentioned by @Vipin Rathor you can restrict the users accessing specific urls based on group role map)

[main]
ldapADGCRealm = org.apache.zeppelin.realm.LdapRealm 
ldapADGCRealm.contextFactory.systemUsername = hadoopadmin@lab.hortonworks.net
ldapADGCRealm.contextFactory.systemPassword = <Password>
ldapADGCRealm.searchBase = "dc=lab,dc=hortonworks,dc=net" 
ldapADGCRealm.userSearchBase = "dc=lab,dc=hortonworks,dc=net"
ldapADGCRealm.userSearchFilter=(&(objectclass=user)(sAMAccountName={0})(|(memberOf=CN=hr,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net)(memberOf=CN=hadoop-admins,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net)(memberOf=CN=sales,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net)))
ldapADGCRealm.contextFactory.url = ldap://LdapServer:389 
#ldapADGCRealm.userSearchAttributeName = sAMAccountName 
ldapADGCRealm.contextFactory.authenticationMechanism = simple 
#ldapADGCRealm.userObjectClass = user 
ldapADGCRealm.groupObjectClass = group 
ldapADGCRealm.memberAttribute = member 
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

View solution in original post

3,221 Views
4 REPLIES 4

avatar
author-rank VR46 author-rank
Guru

Created ‎04-26-2017 06:46 PM

Hello @Haaris Khan,

The following applied to HDP 2.5.3.0 and above. You can restrict AD groups to access different components of Zeppelin (interpreter, configurations, credentials) like this:

1. Add all your AD groups against some role(s). To do this, you have the following in the [main] section:

activeDirectoryRealm.groupRolesMap = "cn=hr,ou=CorpUsers,dc=lab,dc=hortonworks,dc=net":"endusers","cn=legal,ou=CorpUsers,dc=lab,dc=hortonworks,dc=net":"admin","cn=sales,ou=CorpUsers,dc=lab,dc=hortonworks,dc=net":"readonly"

Note: You can create roles with any name that you like.

2. Next, define the access for these roles in the [urls] section:

[urls]
/api/version = anon
/api/interpreter/** = authc, roles[endusers,readonly]
/api/configurations/** = authc, roles[readonly]
/api/credential/** = authc, roles[admin]
/** = authc
#/** = anon

With these two, your LDAP group should be authorized to access the only the specific URLs.

Hope this helps.

3,221 Views
0 Kudos

avatar
author-rank rguruvannagari author-rank
Super Collaborator

Created ‎05-28-2017 08:36 AM

@Haaris Khan

In Zeppelin 0.7, HDP2.6 we have new LdapRealm, that allows to specify search filter. With the search filter we can restrict login based on groups. Below is one such example I tested in my lab. Please note that this works only in HDP2.6 or zeppelin 0.7 and above.

In HDP2.5 this was not possible because active directory realm was based on UserPrincipalName attribute and there was no way to filter the users based on groups so login cannot be restricted, but with Authorization(as mentioned by @Vipin Rathor you can restrict the users accessing specific urls based on group role map)

[main]
ldapADGCRealm = org.apache.zeppelin.realm.LdapRealm 
ldapADGCRealm.contextFactory.systemUsername = hadoopadmin@lab.hortonworks.net
ldapADGCRealm.contextFactory.systemPassword = <Password>
ldapADGCRealm.searchBase = "dc=lab,dc=hortonworks,dc=net" 
ldapADGCRealm.userSearchBase = "dc=lab,dc=hortonworks,dc=net"
ldapADGCRealm.userSearchFilter=(&(objectclass=user)(sAMAccountName={0})(|(memberOf=CN=hr,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net)(memberOf=CN=hadoop-admins,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net)(memberOf=CN=sales,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net)))
ldapADGCRealm.contextFactory.url = ldap://LdapServer:389 
#ldapADGCRealm.userSearchAttributeName = sAMAccountName 
ldapADGCRealm.contextFactory.authenticationMechanism = simple 
#ldapADGCRealm.userObjectClass = user 
ldapADGCRealm.groupObjectClass = group 
ldapADGCRealm.memberAttribute = member 
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
3,222 Views

avatar
author-rank VR46 author-rank
Guru

Created ‎05-28-2017 11:52 AM

Thanks @rguruvannagari for the mention. That pushed me to write my pending article. I cover the new LDAP/AD options available in Apache Zeppelin 0.7.0 / HDP 2.6 in this article. Please check.

3,221 Views
0 Kudos

avatar
author-rank haaris292
Explorer

Created ‎06-19-2017 07:43 AM

Thanks @rguruvannagari, your suggestion works perfectly fine for me in HDP2.6 - zeppelin 0.7

3,221 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements