- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Float this Question for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Zeppelin notebook permissions not effective
- Labels:
-
Apache Zeppelin
Created 05-01-2017 12:17 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have integrated Zeppelin with AD. The authentication works fine. However, the authorization works partially. i.e. the authorisation is effective on "interpreter" and "configurations" URLS but not effective on Notebooks.
I have a user User1 who is a member of AD_Group1 which is associated with the "admin" role in Shiro. I have a dashboard for which I have configured AD_Group1 as reader, writer and owner. When I login as User1 and try to access the dashboard, I am getting the message "But the user User1 belongs to: [User1]". Clearly, Zeppelin is not aware of the group membership of the user. Below mentioned is my Shiro configuration:
[users]
admin = password1
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = user1
activeDirectoryRealm.systemPassword = pwd
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
activeDirectoryRealm.searchBase = DC=testcore,DC=test,DC=dir,DC=org,DC=com
activeDirectoryRealm.url = ldaps://testcore.test.dir.org.com:636
activeDirectoryRealm.groupRolesMap = "CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com":"admin" activeDirectoryRealm.authorizationCachingEnabled = true
activeDirectoryRealm.principalSuffix = @testcore.test.dir.org.com
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
securityManager.realms = $activeDirectoryRealm
[roles]
admin = *
[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon /** = authc
I dont see a call made to AD to check the group membership when a Notebook is accessed. These are the logs that I see when I access the Notebook:
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} AbstractEventDriver.java[incomingFrame]:103) - incomingFrame(TEXT[len=126,fin=true,rsv=...,masked=true])
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:106) - RECEIVE << GET_NOTE DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:107) - RECEIVE PRINCIPAL << user1
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:108) - RECEIVE TICKET << b2512330-0a0f-4631-9913-c688d1c9d7f2
DEBUG [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[onMessage]:109) - RECEIVE ROLES << [] INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[sendNote]:423) - New operation from 10.60.179.195 : 49895 : user1 : GET_NOTE : 2CC4Z4DEX
INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[permissionError]:411) - Cannot read. Connection readers [user1]. Allowed readers [APPADMIN]
DEBUG [2017-04-11 10:34:39,044] ({qtp1170794006-15} WebSocketRemoteEndpoint.java[sendString]:385) - sendString with HeapByteBuffer@669d45b[p=0,l=235,c=235,r=235]={<<<{"op":"AUTH_INFO"...us","roles":""}>>>}
However, when I access the "interpreter" or "configurations" url, I get the below logs which explain why the config is effective for URLs:
DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForUser]:286) - Groups found for user [user1]: [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com]
DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForGroups]:316) - User is member of group [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com] so adding role [admin]
The above issue was a known issue with Zeppelin and it is supposed to be fixed in my Zeppelin version. Please see the defect URL here: https://github.com/apache/zeppelin/pull/986
Any help is appreciated.
Created 05-14-2017 10:45 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue got resolved. I had to take out the line "securityManager.realms = $activeDirectoryRealm" from my config and that resolved the issue. I dont see anything wrong in the line I took out. However, I believe this is an optional config.
Created 05-02-2017 01:00 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try adding this config in your [urls] section and restart zeppelin
/api/notebook/** = authc
Created 05-02-2017 03:33 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Kshitij for your response.
I tried it but the result is same. To be precise, the permissions on the Notebooks work fine when I use the AD User. However, it doesnt work when I use a AD group. For example, if I configure user1 to be the 'reader' of the notebook note1, user1 can read the note1. When I configure group1 to be the 'reader' of the note1, then user1, who is a member of group1 is NOT able to read the note1.
Even while setting up the note permissions, I can look up the AD User in the search text box but NOT the AD group.
Do you have any suggestion for me to trouble shoot this ?
Created 05-14-2017 10:45 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue got resolved. I had to take out the line "securityManager.realms = $activeDirectoryRealm" from my config and that resolved the issue. I dont see anything wrong in the line I took out. However, I believe this is an optional config.