
Zeppelin user role mapping using Active Directory


Hi,

Active Directory users can successfully log in to Zeppelin, but roles are not mapped to the users.

Here is the shiro.ini configuration:

[main]
adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.url = ldap://domain.com:389
adRealm.searchBase = DC=domain,DC=com
adRealm.groupRolesMap = "CN=admins,OU=HWX,DC=domain,DC=com":"admin","CN=users,OU=HWX,DC=domain,DC=com":"users"
adRealm.systemUsername = hwx@DOMAIN.COM
adRealm.systemPassword = XXXXXX
adRealm.principalSuffix = @DOMAIN.COM
adRealm.authorizationCachingEnabled = false
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.realms = $adRealm
shiro.loginUrl = /api/login


[roles]
admin = *
users = *


[urls]
/** = authc
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]

Is there something missing in the configuration?

The following message is displayed in the log:

WARN [2018-12-13 12:33:30,771] ({qtp64830413-19} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"user1","ticket":"64c38479-4241-417b-99c4-1840fd41e5a4","roles":"[]"}}

Many thanks in advance,

Jorge.
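
Separate from the role-mapping question: Shiro applies the first [urls] pattern that matches a request, so with /** = authc listed first, the roles[admin] lines in the configuration posted above are never consulted. The check below is an added example, not part of the original post or of Zeppelin; the helper names, the regex approximation of Ant-style path matching and the reordering heuristic are assumptions.

```python
import re

# Constructed sample: the [urls] section as posted in the question above.
POSTED_URLS = """\
/** = authc
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
"""
# Ant wildcard -> regex (an approximation of Shiro's path matcher, assumed here).
ANT = {"/**": "(/.*)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}

def parse_urls(text):
    """Return [(pattern, filter_chain)] in file order, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")) and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), chain.strip()))
    return rules

def ant_to_regex(pattern):
    """Compile an Ant-style pattern: ** spans segments, * and ? stay inside one."""
    tokens = re.split(r"(/\*\*|\*\*|\*|\?)", pattern)
    return re.compile("".join(ANT.get(t, re.escape(t)) for t in tokens) + r"\Z")

def sample_path(pattern):
    """One concrete request path the pattern is meant to cover."""
    return pattern.replace("**", "x/y").replace("*", "x").replace("?", "x")

def shadowed_rules(rules):
    """First match wins, so report each rule whose sample path is already
    claimed by an earlier rule: (pattern, chain, earlier_pattern, earlier_chain)."""
    findings = []
    for i, (pattern, chain) in enumerate(rules):
        path = sample_path(pattern)
        for earlier, earlier_chain in rules[:i]:
            if ant_to_regex(earlier).match(path):
                findings.append((pattern, chain, earlier, earlier_chain))
                break
    return findings

def reordered(rules):
    """Heuristic fix: fewer wildcards and longer patterns first, catch-all last."""
    return sorted(rules, key=lambda r: (r[0].count("*"), -len(r[0])))
```

Run against the posted section, shadowed_rules reports all four rules below /** = authc, including /api/version = anon; after reordered moves the catch-all to the end, it reports none.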

Re: Zeppelin user role mapping using Active Directory

Expert Contributor

@Jorge Florencio The group search base is missing; try with the template below.

========
ldapRealm=org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername =cn=manager,dc=charan,dc=com
ldapRealm.contextFactory.systemPassword =xxxx
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://ldap_url:389
ldapRealm.authorizationEnabled=true
#ldapRealm.pagingSize = 20000
ldapRealm.searchBase=dc=sai,dc=com
ldapRealm.userSearchBase=ou=People,dc=charan,dc=com
ldapRealm.groupSearchBase=cn=admin,ou=Group,dc=charan,dc=com
ldapRealm.userObjectClass=*
ldapRealm.groupObjectClass=groupOfNames
ldapRealm.userSearchAttributeName = uid
ldapRealm.userSearchScope = subtree
ldapRealm.groupSearchScope = subtree
ldapRealm.userSearchFilter= (&(objectclass=*)(uid={0}))
ldapRealm.memberAttribute = member
ldapRealm.memberAttributeValueTemplate={0}
ldapRealm.rolesByGroup = "admin":admin_role
============

Re: Zeppelin user role mapping using Active Directory

Hi @scharan ,

You are using ldapRealm. Is there no way to solve the issue using ActiveDirectoryRealm?

Thanks!

Jorge.

Re: Zeppelin user role mapping using Active Directory

Expert Contributor

Hi @Jorge Florencio, you can use ldap in place of adRealm; you just need to change the Active Directory details to suit your AD environment.

Refer to this article: https://community.hortonworks.com/articles/105169/hdp-26-configuring-zeppelin-for-active-directory-u...


Re: Zeppelin user role mapping using Active Directory

It worked using LDAP realm.

Thank you!