
Zeppelin notebook permissions not effective


I have integrated Zeppelin with AD. The authentication works fine. However, the authorization works only partially, i.e. the authorisation is effective on the "interpreter" and "configurations" URLs but not effective on Notebooks.

I have a user User1 who is a member of AD_Group1 which is associated with the "admin" role in Shiro. I have a dashboard for which I have configured AD_Group1 as reader, writer and owner. When I login as User1 and try to access the dashboard, I am getting the message "But the user User1 belongs to: [User1]". Clearly, Zeppelin is not aware of the group membership of the user. Below mentioned is my Shiro configuration:

[users]
admin = password1

[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = user1
activeDirectoryRealm.systemPassword = pwd
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
activeDirectoryRealm.searchBase = DC=testcore,DC=test,DC=dir,DC=org,DC=com
activeDirectoryRealm.url = ldaps://
activeDirectoryRealm.groupRolesMap = "CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true
activeDirectoryRealm.principalSuffix =
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
securityManager.realms = $activeDirectoryRealm

[roles]
admin = *

[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc

I don't see a call made to AD to check the group membership when a Notebook is accessed. These are the logs that I see when I access the Notebook:

DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15}[incomingFrame]:103) - incomingFrame(TEXT[len=126,fin=true,rsv=...,masked=true])
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15}[onMessage]:106) - RECEIVE << GET_NOTE
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15}[onMessage]:107) - RECEIVE PRINCIPAL << user1
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15}[onMessage]:108) - RECEIVE TICKET << b2512330-0a0f-4631-9913-c688d1c9d7f2
DEBUG [2017-04-11 10:34:39,043] ({qtp1170794006-15}[onMessage]:109) - RECEIVE ROLES << []
INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15}[sendNote]:423) - New operation from : 49895 : user1 : GET_NOTE : 2CC4Z4DEX
INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15}[permissionError]:411) - Cannot read. Connection readers [user1]. Allowed readers [APPADMIN]
DEBUG [2017-04-11 10:34:39,044] ({qtp1170794006-15}[sendString]:385) - sendString with HeapByteBuffer@669d45b[p=0,l=235,c=235,r=235]={<<<{"op":"AUTH_INFO"","roles":""}>>>}

However, when I access the "interpreter" or "configurations" url, I get the below logs which explain why the config is effective for URLs:

DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting}[getRoleNamesForUser]:286) - Groups found for user [user1]: [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com]
DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting}[getRoleNamesForGroups]:316) - User is member of group [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com] so adding role [admin]

The above issue was a known issue with Zeppelin and it is supposed to be fixed in my Zeppelin version. Please see the defect URL here:

Any help is appreciated.




@Ekantheshwara Basappa

Can you try adding this config in your [urls] section and restart zeppelin

/api/notebook/** = authc


@Kshitij Badani

Thanks Kshitij for your response.

I tried it but the result is the same. To be precise, the permissions on the Notebooks work fine when I use the AD user. However, it doesn't work when I use an AD group. For example, if I configure user1 to be the 'reader' of the notebook note1, user1 can read note1. When I configure group1 to be the 'reader' of note1, then user1, who is a member of group1, is NOT able to read note1.

Even while setting up the note permissions, I can look up the AD user in the search text box but NOT the AD group.

Do you have any suggestion for me to troubleshoot this?
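To make the denial in the websocket log concrete, here is an added Python model (not Zeppelin's own code) of how a notebook read check resolves: the connection presents the principal plus whatever role names the realm produced from groupRolesMap, and the note's reader list must overlap that set. The groupRolesMap line and the user's group list are copied from the configuration and logs in the question; the rule that an empty reader list means the note is public is an assumption of the model.

```python
import re

# Constructed from the groupRolesMap line in the shiro.ini posted above.
SHIRO_INI = """
[main]
activeDirectoryRealm.groupRolesMap = "CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com":"admin"
"""

# Constructed: the groups AD returned for user1 in the interpreter log above.
USER1_GROUPS = ["CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com"]


def parse_group_roles_map(ini_text):
    """Return {group DN: role name} from the realm's groupRolesMap setting."""
    m = re.search(r'^\s*\w+\.groupRolesMap\s*=\s*(.+)$', ini_text, re.MULTILINE)
    if not m:
        return {}
    # Entries are "group":"role" pairs, comma-separated, each side quoted.
    return {g: r for g, r in re.findall(r'"([^"]+)"\s*:\s*"([^"]+)"', m.group(1))}


def roles_for(groups, group_roles_map):
    """Role names the realm assigns for a user's AD groups (the getRoleNamesForGroups step in the log)."""
    return {group_roles_map[g] for g in groups if g in group_roles_map}


def can_read(principal, roles, allowed_readers):
    """Model of the notebook read check: the connection's entity set is the
    principal plus its roles; access is granted when it overlaps the ACL.
    Assumption of this model: an empty reader list means the note is public."""
    entities = {principal} | set(roles)
    return not allowed_readers or bool(entities & set(allowed_readers))


def diagnose():
    mapping = parse_group_roles_map(SHIRO_INI)
    resolved = roles_for(USER1_GROUPS, mapping)
    return {
        # What the websocket log shows: ROLES << [] and Allowed readers [APPADMIN].
        "as_logged": can_read("user1", [], ["APPADMIN"]),
        # User named directly in the ACL, which the poster reports works.
        "user_in_acl": can_read("user1", [], ["user1"]),
        # Roles resolved, but the ACL names the AD group CN rather than the mapped role.
        "group_cn_in_acl": can_read("user1", resolved, ["APPADMIN"]),
        # Roles resolved and the ACL names the role that groupRolesMap produces.
        "role_in_acl": can_read("user1", resolved, ["admin"]),
    }


if __name__ == "__main__":
    for case, ok in diagnose().items():
        print(f"{case}: {'allowed' if ok else 'denied'}")
```

Under this model the note is readable only when the roles actually reach the connection and the ACL entry matches one of those role names, which is why checking the RECEIVE ROLES line is the first thing to verify.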
