
zeppelin users roles


New Contributor

Hello guys

I have the Zeppelin component in HDP and have configured Shiro for Active Directory auth (LdapRealm).

I have also set a user search filter by group (only specified groups can log in to the Zeppelin web interface) and have created 2 roles: admins and users, but I think the roles do not work at all.

The roles configuration I have in shiro.ini looks like this:

[roles]
admin = *
users = *:ToDoItemsJdo:*:*,*:ToDoItem:*:*

The goal is that I do not want users to access some configurations in Zeppelin, for example, restrict access to interpreter configs.

I have url config too:

[urls]
/** = authc
**/interpreter/** = authc, roles[admin]
**/configuration/** = authc, roles[admin]

but this does not work either, all logged-in users have access to everything :/

in the [main] section:

ldapRealm.rolesByGroup = "Admins":admin,"Users":users

User search by group works; only members of these 2 groups can log in ("Admins" and "Users" in Active Directory).

Any ideas?

P.S. Here are the version numbers:

Installed Packages
Name    : zeppelin_2_6_1_0_129
Arch    : noarch
Version : 0.7.0.2.6.1.0

Thank you

1 ACCEPTED SOLUTION

Accepted Solutions

Re: zeppelin users roles

@Shota Akhalaia Can you try once to configure [urls] section as mentioned in this example document: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_zeppelin-component-guide/content/config-... ?

I am just wondering whether order of this line matters in shiro.ini : /** = authc ?


Re: zeppelin users roles

New Contributor

Thank you for the reply.

OK, here is my new config for urls:

[urls]
/** = authc
/api/interpreter/** = authc, roles[admin]
/api/configuration/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon

but everyone has access to everything anyway.

Do the [urls] and [roles] sections work for LdapRealm?

Re: zeppelin users roles

@Shota Akhalaia My guess is that when you have /** = authc before /api/interpreter/** = authc, roles[admin]

the authorization that you give to 'admin' users only for /api/interpreter/** is getting overridden by /** = authc which basically allows all apis to be accessible to all roles.

I tried it on my instance, and ordering /** = authc as the first line really makes the interpreters page accessible to all the users, whereas making it the last line makes it accessible only to the 'admin' users. The linked document also suggests making it the last line.

So please try this and let me know if it works:

[urls]
/api/interpreter/** = authc, roles[admin]
/api/configuration/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
#/** = anon
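The ordering issue discussed in this thread, as an added example that is not part of the original posts: Shiro evaluates [urls] entries top to bottom and the first matching pattern wins, so a leading /** = authc hides every roles[admin] line below it. The sketch below checks a shiro.ini for such shadowed rules; the function names and the simplified Ant-style matcher are assumptions made for illustration, not Shiro's own code.

```python
import re

# Constructed from the two [urls] sections posted in this thread.
BROKEN = """[urls]
/** = authc
/api/interpreter/** = authc, roles[admin]
/api/configuration/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
"""
FIXED = """[urls]
/api/interpreter/** = authc, roles[admin]
/api/configuration/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
"""

def parse_urls(ini_text):
    """Return the [urls] rules as an ordered list of (pattern, filter_chain)."""
    rules, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "urls" and "=" in line and not line.startswith("#"):
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), chain.strip()))
    return rules

def ant_match(pattern, path):
    """Simplified Ant-style match: '**' spans segments, '*' stays within one."""
    # A trailing '/**' also covers the bare prefix, e.g. '/x/**' matches '/x'.
    body, tail = (pattern[:-3], "(/.*)?") if pattern.endswith("/**") else (pattern, "")
    regex = re.escape(body).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex + tail, path) is not None

def effective_chain(rules, path):
    """First matching rule wins; later rules are never consulted."""
    return next(((p, c) for p, c in rules if ant_match(p, path)), None)

def shadowed(rules):
    """Rules whose own sample path is claimed by an earlier rule."""
    hits = []
    for pattern, _ in rules:
        sample = pattern.replace("**", "a/b").replace("*", "a")
        winner = effective_chain(rules, sample)[0]
        if winner != pattern:
            hits.append((pattern, winner))
    return hits
```

Running shadowed(parse_urls(...)) against a deployed shiro.ini before restarting Zeppelin lists each restricted path that would silently fall back to plain authc.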

Re: zeppelin users roles

New Contributor

Placing /** = authc at the end of the [urls] section makes sense. I also made small changes to ldapRealm.rolesByGroup (the syntax was incorrect before), and now everything is working properly.

Placing the urls in the correct order was the key, thank you very much.

Re: zeppelin users roles

Thank you for letting me know and accepting the answer :-)

Re: zeppelin users roles

New Contributor

P.S. There are also some warnings in /var/log/zeppelin/zeppelin-zeppelin-zeppelin.node.log

 WARN [2017-09-22 16:29:38,301] ({qtp760563749-56} JAXRSUtils.java[findTargetMethod]:499) - No operation matching request path "/api/login" is found, Relative Path: /, HTTP Method: GET, ContentType: */*, Accept: application/json,text/plain,*/*,. Please enable FINE/TRACE log level for more details.
 WARN [2017-09-22 16:29:38,302] ({qtp760563749-56} WebApplicationExceptionMapper.java[toResponse]:73) - javax.ws.rs.ClientErrorException
        at org.apache.cxf.jaxrs.utils.JAXRSUtils.findTargetMethod(JAXRSUtils.java:503)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:218)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXR

etc ... -----------------------------

WARN [2017-09-22 16:29:47,865] ({qtp760563749-26} JAXRSUtils.java[findTargetMethod]:499) - No operation matching request path "/api/login;JSESSIONID=a26c09a0-e86d-4e56-97ae-ac3e8d45a057" is found, Relative Path: /, HTTP Method: GET, ContentType: */*, Accept: application/json,text/plain,*/*,. Please enable FINE/TRACE log level for more details.
 WARN [2017-09-22 16:29:47,866] ({qtp760563749-26} WebApplicationExceptionMapper.java[toResponse]:73) - javax.ws.rs.ClientErrorException
        at org.apache.cxf.jaxrs.utils.JAXRSUtils.findTargetMethod(JAXRSUtils.java:503)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:218)

etc... -----------------------------

The warnings occur when a user logs in to the Zeppelin UI.

Maybe something is wrong with the path which starts with "api"?

Where are the path configs for Zeppelin?
