
Zeppelin user role mapping using Active Directory

Hi,

Active Directory users can successfully log in to Zeppelin, but roles are not mapped to the users.

Here is the shiro.ini configuration:

[main]
adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.url = ldap://domain.com:389
adRealm.searchBase = DC=domain,DC=com
adRealm.groupRolesMap = "CN=admins,OU=HWX,DC=domain,DC=com":"admin","CN=users,OU=HWX,DC=domain,DC=com":"users"
adRealm.systemUsername = hwx@DOMAIN.COM
adRealm.systemPassword = XXXXXX
adRealm.principalSuffix = @DOMAIN.COM
adRealm.authorizationCachingEnabled = false
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.realms = $adRealm
shiro.loginUrl = /api/login


[roles]
admin = *
users = *


[urls]
/** = authc
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]

Is there something missing in the configuration?

The following message is displayed in the log:

WARN [2018-12-13 12:33:30,771] ({qtp64830413-19} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"user1","ticket":"64c38479-4241-417b-99c4-1840fd41e5a4","roles":"[]"}}

Many thanks in advance,

Jorge.


Super Collaborator

@Jorge Florencio The group search base is missing; try the template below.

========
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername = cn=manager,dc=charan,dc=com
ldapRealm.contextFactory.systemPassword = xxxx
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.url = ldap://ldap_url:389
ldapRealm.authorizationEnabled = true
#ldapRealm.pagingSize = 20000
ldapRealm.searchBase = dc=sai,dc=com
ldapRealm.userSearchBase = ou=People,dc=charan,dc=com
ldapRealm.groupSearchBase = cn=admin,ou=Group,dc=charan,dc=com
ldapRealm.userObjectClass = *
ldapRealm.groupObjectClass = groupOfNames
ldapRealm.userSearchAttributeName = uid
ldapRealm.userSearchScope = subtree
ldapRealm.groupSearchScope = subtree
ldapRealm.userSearchFilter = (&(objectclass=*)(uid={0}))
ldapRealm.memberAttribute = member
ldapRealm.memberAttributeValueTemplate = {0}
ldapRealm.rolesByGroup = "admin":admin_role
============

Hi @scharan ,

You are using ldapRealm. Is there no way to solve the issue using ActiveDirectoryRealm?

Thanks!

Jorge.

Super Collaborator

Hi @Jorge Florencio, you can use LDAP in place of adRealm; you just need to change the Active Directory details to suit your AD environment.

Refer to this article: https://community.hortonworks.com/articles/105169/hdp-26-configuring-zeppelin-for-active-directory-u...

It worked using LDAP realm.

Thank you!
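
A check for the symptom shown in the question's log line, where login succeeds but "roles" is "[]", so URL rules such as roles[admin] will not match for that user. This is an added example, not part of the original thread or of Zeppelin. The function names are hypothetical, and it assumes the roles field is a bracketed list rendered as text, either [admin, users] or ["admin","users"].

```python
import json
import re

# Matches Zeppelin login log lines shaped like the one quoted in the question:
# LEVEL [timestamp] ({thread} LoginRestApi.java[postLogin]:NNN) - {json}
LOGIN_LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+\(\{[^}]*\}\s+LoginRestApi\.java\[postLogin\]:\d+\)\s+-\s+(?P<json>\{.*\})\s*$"
)

def parse_roles(raw):
    """Turn the 'roles' string into a list of role names.

    Assumption: the field is a bracketed list rendered as text, either
    '[admin, users]' or '["admin","users"]'; '[]' means no roles were mapped.
    """
    inner = raw.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return [r.strip().strip('"') for r in inner.split(",") if r.strip().strip('"')]

def logins(lines):
    """Yield (timestamp, principal, roles) for each successful login line."""
    for line in lines:
        m = LOGIN_LINE.search(line)
        if not m:
            continue
        try:
            payload = json.loads(m.group("json"))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON payload
        body = payload.get("body") or {}
        if payload.get("status") != "OK" or "principal" not in body:
            continue
        yield m.group("ts"), body["principal"], parse_roles(str(body.get("roles", "")))

def unmapped(lines):
    """Principals that authenticated but received no roles."""
    return sorted({p for _, p, roles in logins(lines) if not roles})

# First line is copied from the question; the other two are constructed samples.
SAMPLE = [
    'WARN [2018-12-13 12:33:30,771] ({qtp64830413-19} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"user1","ticket":"64c38479-4241-417b-99c4-1840fd41e5a4","roles":"[]"}}',
    'WARN [2018-12-13 12:40:02,114] ({qtp64830413-22} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"user2","ticket":"00000000-0000-0000-0000-000000000000","roles":"[\\"admin\\"]"}}',
    'INFO [2018-12-13 12:41:00,000] ({main} ZeppelinServer.java[main]:100) - unrelated line',
]

if __name__ == "__main__":
    for name in unmapped(SAMPLE):
        print(f"{name}: authenticated, but no roles mapped")
```

Running it over the Zeppelin log after each shiro.ini change shows whether the group-to-role mapping took effect for the accounts that logged in.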