Support Questions

Find answers, ask questions, and share your expertise

Zeppelin LDAP authentication filters HDP 2.3.0

Expert Contributor

Hi all!

I can confirm that Zeppelin LDAP authentication works with HDP stack version 2.3.0. The only problem is that when I use LdapGroupRealm with ldapRealm.contextFactory.environment set to OU with groups only, I can access to Zeppelin as users from any other OU and these users are not a members of any group. When I use JndiLdapRealm I have access as users only from OU set in userDnTemplate, which is ok. Below my shiro.ini config for the first situation which I described

### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
#ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = cn={0},OU=Groups,OU=Zeppelin,DC=MYAD1,DC=COM
ldapRealm.contextFactory.url = ldap://192.168.1.100:389
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
#ldapRealm.userDnTemplate = cn={0},OU=Users,OU=Zeppelin,DC=MYAD1,DC=COM

My question is: does default shiro realm (LdapGroupRealm or JndiLdapRealm) support filtering? I would like to filter users to authenticate. Perfectly would be if I could authenticate users by groups they belong to.

Should I use external .jar?

I use Zeppelin 0.6.0 with HDP stack 2.3.0.

1 ACCEPTED SOLUTION

New Contributor

You would need to set ldapRealm.userDnTemplate to map users to roles automatically.

See code at https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/ser...

So LdapGroupRealm does filter for groups automatically

String searchFilter = "(&(objectClass=groupOfNames)(member=" + userDnTemplate + "))";

View solution in original post

2 REPLIES 2

New Contributor

You would need to set ldapRealm.userDnTemplate to map users to roles automatically.

See code at https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/ser...

So LdapGroupRealm does filter for groups automatically

String searchFilter = "(&(objectClass=groupOfNames)(member=" + userDnTemplate + "))";

New Contributor

Hi,

I am trying to restrict a specific group of ActiveDirectory users to access zeppelin.

My shiro looks something like below, can you please suggest where i have to add the group name or make the changes so that the group of users are not able to login to zeppelin.

  1. [users]
  2. # List of users with their password allowed to access Zeppelin.
  3. # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
  4. #admin = password1
  5. #user1 = password2, role1, role2
  6. #user2 = password3, role3
  7. #user3 = password4, role2
  8. # Sample LDAP configuration, for user Authentication, currently tested for single Realm
  9. [main]
  10. activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
  11. activeDirectoryRealm.systemUsername = cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net
  12. activeDirectoryRealm.systemPassword = badPassword
  13. #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/conf/zeppelin.jceks
  14. activeDirectoryRealm.searchBase = dc=lab,dc=hortonworks,dc=net
  15. activeDirectoryRealm.url = ldap://ad.example.net:389
  16. activeDirectoryRealm.groupRolesMap = "cn=ldap-admin,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net":"admin"
  17. activeDirectoryRealm.authorizationCachingEnabled =false
  18. sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
  19. securityManager.sessionManager = $sessionManager
  20. securityManager.realms = $activeDirectoryRealm
  21. # 86,400,000 milliseconds = 24 hour
  22. securityManager.sessionManager.globalSessionTimeout =86400000
  23. shiro.loginUrl =/api/login
  24. [urls]
  25. # anon means the access is anonymous.
  26. # authcBasic means Basic Auth Security
  27. # To enfore security, comment the line below and uncomment the next one
  28. /api/version = anon
  29. #/** = anon
  30. /api/interpreter/** = authc, roles[admin]
  31. /api/configurations/** = authc, roles[admin]
  32. /api/credential/** = authc, roles[admin]
  33. /** = authc

Please suggest,

Thanks

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.