
How to restrict specific Active Directory users from accessing Zeppelin

Explorer

Hi,

I am trying to restrict a specific group of Active Directory users from accessing Zeppelin.

My shiro.ini looks something like the one below. Can you please suggest where I have to add the group name, or what changes to make, so that this group of users is not able to log in to Zeppelin?

    [users]
    # List of users with their password allowed to access Zeppelin.
    # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
    #admin = password1
    #user1 = password2, role1, role2
    #user2 = password3, role3
    #user3 = password4, role2
    # Sample LDAP configuration, for user Authentication, currently tested for single Realm
    [main]
    activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
    activeDirectoryRealm.systemUsername = cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net
    activeDirectoryRealm.systemPassword = badPassword
    #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/conf/zeppelin.jceks
    activeDirectoryRealm.searchBase = dc=lab,dc=hortonworks,dc=net
    # ldap:// on 389 is a plaintext connection (the bind password and search results cross the wire unencrypted); ldaps:// on 636 is the TLS-protected form.
    activeDirectoryRealm.url = ldap://ad.example.net:389
    # AD group DN -> Shiro role name. Only groups listed here yield roles.
    activeDirectoryRealm.groupRolesMap = "cn=ldap-admin,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net":"admin"
    activeDirectoryRealm.authorizationCachingEnabled = false
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    securityManager.sessionManager = $sessionManager
    securityManager.realms = $activeDirectoryRealm
    # 86,400,000 milliseconds = 24 hours
    securityManager.sessionManager.globalSessionTimeout = 86400000
    shiro.loginUrl = /api/login
    [urls]
    # anon means the access is anonymous.
    # authcBasic means Basic Auth Security
    # To enforce security, comment the line below and uncomment the next one
    # Rules are matched in order: the first pattern matching the request path decides.
    /api/version = anon
    #/** = anon
    # roles[x] requires the authenticated subject to hold every listed role.
    /api/interpreter/** = authc, roles[admin]
    /api/configurations/** = authc, roles[admin]
    /api/credential/** = authc, roles[admin]
    /** = authc

Please suggest,

Thanks


Guru

Hello @Haaris Khan,

The following applies to HDP 2.5.3.0 and above. You can restrict AD groups' access to different components of Zeppelin (interpreter, configurations, credentials) like this:

1. Map each of your AD groups to some role(s). To do this, put the following in the [main] section:

    activeDirectoryRealm.groupRolesMap = "cn=hr,ou=CorpUsers,dc=lab,dc=hortonworks,dc=net":"endusers","cn=legal,ou=CorpUsers,dc=lab,dc=hortonworks,dc=net":"admin","cn=sales,ou=CorpUsers,dc=lab,dc=hortonworks,dc=net":"readonly"

Note: You can create roles with any name that you like.

2. Next, define the access for these roles in the [urls] section:

    [urls]
    # Patterns are tested in file order; the first one matching the request path wins.
    /api/version = anon
    # roles[a,b] passes only a subject that holds ALL listed roles (Shiro's RolesAuthorizationFilter).
    /api/interpreter/** = authc, roles[endusers,readonly]
    /api/configurations/** = authc, roles[readonly]
    /api/credential/** = authc, roles[admin]
    /** = authc
    #/** = anon

With these two, your LDAP groups should be authorized to access only the specific URLs.

Hope this helps.
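To see what the two steps above actually grant, here is an added Python toy model of how Shiro evaluates a [urls] chain. It is my example, not Zeppelin or Shiro code: it models only the anon, authc and roles filters, Ant-style path patterns, and two behaviours that matter when writing [urls]: the first matching pattern wins, and roles[a,b] requires every listed role. The group DNs are the ones from the answer; the users, their group memberships and the request paths are constructed.

```python
"""Toy model of how Apache Shiro evaluates a Zeppelin shiro.ini [urls] chain.

Added example, not Zeppelin or Shiro code. Only the anon, authc and roles
filters are modelled. Group DNs come from the answer above; the users, their
memberOf lists and the request paths are constructed sample data.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

# activeDirectoryRealm.groupRolesMap from the answer: AD group DN -> role name(s).
GROUP_ROLES_MAP = (
    '"cn=hr,ou=CorpUsers,dc=lab,dc=hortonworks,dc=net":"endusers",'
    '"cn=legal,ou=CorpUsers,dc=lab,dc=hortonworks,dc=net":"admin",'
    '"cn=sales,ou=CorpUsers,dc=lab,dc=hortonworks,dc=net":"readonly"'
)
# The [urls] section from the answer, in file order. Order matters to Shiro.
URL_RULES: List[Tuple[str, str]] = [
    ("/api/version", "anon"),
    ("/api/interpreter/**", "authc, roles[endusers,readonly]"),
    ("/api/configurations/**", "authc, roles[readonly]"),
    ("/api/credential/**", "authc, roles[admin]"),
    ("/**", "authc"),
]
HR = "cn=hr,ou=CorpUsers,dc=lab,dc=hortonworks,dc=net"
LEGAL = "cn=legal,ou=CorpUsers,dc=lab,dc=hortonworks,dc=net"
SALES = "cn=sales,ou=CorpUsers,dc=lab,dc=hortonworks,dc=net"


def parse_group_roles_map(value: str) -> Dict[str, FrozenSet[str]]:
    """'"dn":"role1,role2",...' -> {dn: roles}. DNs contain commas, so the quotes
    delimit entries; Shiro's ActiveDirectoryRealm splits only the role side on ','."""
    pairs = re.findall(r'"([^"]*)"\s*:\s*"([^"]*)"', value)
    return {dn: frozenset(r.strip() for r in roles.split(",") if r.strip())
            for dn, roles in pairs}


def roles_for_user(member_of: List[str], group_roles: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Union of the roles mapped to the user's groups; unmapped groups grant nothing."""
    roles: set = set()
    for dn in member_of:
        roles |= group_roles.get(dn, frozenset())
    return frozenset(roles)


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Ant-style pattern -> anchored regex. '**' spans segments (a trailing '/**'
    also matches the bare parent path), '*' stays inside one segment, '?' is one char."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.endswith("/**") and i == len(pattern) - 3:
            out, i = out + "(/.*)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def is_allowed(path: str, authenticated: bool, roles: FrozenSet[str],
               rules: List[Tuple[str, str]] = URL_RULES) -> bool:
    """Apply the FIRST matching rule's filters. anon passes; authc needs an
    authenticated subject; roles[a,b] needs EVERY listed role (RolesAuthorizationFilter
    uses hasAllRoles). A path no pattern matches is unfiltered, hence allowed."""
    for pattern, filters in rules:
        if not ant_to_regex(pattern).match(path):
            continue
        for name, arg in re.findall(r"(\w+)(?:\[([^\]]*)\])?", filters):
            if name == "authc" and not authenticated:
                return False
            if name == "roles":
                required = {r.strip() for r in arg.split(",") if r.strip()}
                if not authenticated or not required <= roles:
                    return False
            if name not in ("anon", "authc", "roles"):
                raise ValueError(f"filter not modelled here: {name}")
        return True
    return True


def demo() -> Dict[str, bool]:
    """Evaluate the answer's rules for constructed users and request paths."""
    gr = parse_group_roles_map(GROUP_ROLES_MAP)
    hr_only, hr_sales, legal = roles_for_user([HR], gr), roles_for_user([HR, SALES], gr), roles_for_user([LEGAL], gr)
    nobody: FrozenSet[str] = frozenset()
    shadowed = [URL_RULES[-1]] + URL_RULES[:-1]  # '/** = authc' moved first: shadows '/api/version = anon'
    return {
        "anon /api/version": is_allowed("/api/version", False, nobody),
        "anon /api/notebook": is_allowed("/api/notebook", False, nobody),
        "hr-only /api/interpreter/setting": is_allowed("/api/interpreter/setting", True, hr_only),
        "hr+sales /api/interpreter/setting": is_allowed("/api/interpreter/setting", True, hr_sales),
        "legal /api/credential": is_allowed("/api/credential", True, legal),
        "legal /api/interpreter/setting": is_allowed("/api/interpreter/setting", True, legal),
        "hr-only /api/notebook/abc": is_allowed("/api/notebook/abc", True, hr_only),
        "anon /api/version, '/**' first": is_allowed("/api/version", False, nobody, shadowed),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("ALLOW" if ok else "DENY ", case)
```

Two results are worth checking against your intent before copying the rules in: a user who is only in cn=hr gets "endusers" and is refused on /api/interpreter/** because roles[endusers,readonly] wants both roles, and moving "/** = authc" above "/api/version = anon" silently turns the version endpoint into an authenticated one because the first match wins.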


Guru

Thanks @rguruvannagari for the mention. That pushed me to write my pending article. I cover the new LDAP/AD options available in Apache Zeppelin 0.7.0 / HDP 2.6 in this article. Please check.

Explorer

Thanks @rguruvannagari, your suggestion works perfectly fine for me on HDP 2.6 / Zeppelin 0.7.