Support Questions

I have integrated Zeppelin with AD. The authentication works fine. However, the authorization works partially. i.e. the authorisation is effective on "interpreter" and "configurations" URLS but not effective on Notebooks.

I have a user User1 who is a member of AD_Group1 which is associated with the "admin" role in Shiro. I have a dashboard for which I have configured AD_Group1 as reader, writer and owner. When I login as User1 and try to access the dashboard, I am getting the message "But the user User1 belongs to: [User1]". Clearly, Zeppelin is not aware of the group membership of the user. Below mentioned is my Shiro configuration:

[users]

admin = password1

[main]

activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm

activeDirectoryRealm.systemUsername = user1

activeDirectoryRealm.systemPassword = pwd

#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks

activeDirectoryRealm.searchBase = DC=testcore,DC=test,DC=dir,DC=org,DC=com

activeDirectoryRealm.url = ldaps://testcore.test.dir.org.com:636

activeDirectoryRealm.groupRolesMap = "CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com":"admin" activeDirectoryRealm.authorizationCachingEnabled = true

activeDirectoryRealm.principalSuffix = @testcore.test.dir.org.com

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

securityManager.sessionManager = $sessionManager

securityManager.sessionManager.globalSessionTimeout = 86400000

shiro.loginUrl = /api/login

securityManager.realms = $activeDirectoryRealm

[roles]

admin = *

[urls]

/api/version = anon

/api/interpreter/** = authc, roles[admin]

/api/configurations/** = authc, roles[admin]

/api/credential/** = authc, roles[admin]

#/** = anon /** = authc

I dont see a call made to AD to check the group membership when a Notebook is accessed. These are the logs that I see when I access the Notebook:

DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} AbstractEventDriver.java[incomingFrame]:103) - incomingFrame(TEXT[len=126,fin=true,rsv=...,masked=true])

DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:106) - RECEIVE << GET_NOTE DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:107) - RECEIVE PRINCIPAL << user1

DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:108) - RECEIVE TICKET << b2512330-0a0f-4631-9913-c688d1c9d7f2

DEBUG [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[onMessage]:109) - RECEIVE ROLES << [] INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[sendNote]:423) - New operation from 10.60.179.195 : 49895 : user1 : GET_NOTE : 2CC4Z4DEX

INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[permissionError]:411) - Cannot read. Connection readers [user1]. Allowed readers [APPADMIN]

DEBUG [2017-04-11 10:34:39,044] ({qtp1170794006-15} WebSocketRemoteEndpoint.java[sendString]:385) - sendString with HeapByteBuffer@669d45b[p=0,l=235,c=235,r=235]={<<<{"op":"AUTH_INFO"...us","roles":""}>>>}

However, when I access the "interpreter" or "configurations" url, I get the below logs which explain why the config is effective for URLs:

DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForUser]:286) - Groups found for user [user1]: [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com]

DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForGroups]:316) - User is member of group [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com] so adding role [admin]

The above issue was a known issue with Zeppelin and it is supposed to be fixed in my Zeppelin version. Please see the defect URL here: https://github.com/apache/zeppelin/pull/986

Any help is appreciated.