zeppelin users roles

avatar
Contributor

Hello guys

I have the Zeppelin component in HDP and have configured Shiro for Active Directory auth (LdapRealm).

I have also set a user search filter by group (only specified groups can log in to the Zeppelin web interface) and have created 2 roles: admins and users, but I think the roles do not work at all.

The roles configuration I have in shiro.ini is like this:

[roles]
admin = *
users = *:ToDoItemsJdo:*:*,*:ToDoItem:*:*

The goal is that I do not want users to access some configurations in Zeppelin, for example to restrict access to the interpreter configs.

I have url config too:

[urls]
/** = authc
**/interpreter/** = authc, roles[admin]
**/configuration/** = authc, roles[admin]

but this does not work either; all logged-in users have access to everything 😕

in the [main] section:

ldapRealm.rolesByGroup = "Admins":admin,"Users":users

User search by group works; only members of these 2 groups can log in ("Admins" and "Users" in Active Directory).

Any ideas?

P.S. here are the version numbers:

Installed Packages
Name : zeppelin_2_6_1_0_129
Arch : noarch
Version : 0.7.0.2.6.1.0

Thank you

1 ACCEPTED SOLUTION

avatar

@Shota Akhalaia Can you try once to configure the [urls] section as mentioned in this example document: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_zeppelin-component-guide/content/config-... ?

I am just wondering whether the order of this line matters in shiro.ini: /** = authc ?


6 REPLIES

avatar
Contributor

Thank you for the reply.

OK, here is my new config for urls:

[urls]
/** = authc
/api/interpreter/** = authc, roles[admin]
/api/configuration/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon

but everyone has access to everything anyway.

Do the [urls] and [roles] sections work for LdapRealm?

avatar

@Shota Akhalaia My guess is that when you have /** = authc before /api/interpreter/** = authc, roles[admin], the authorization that you give to 'admin' users only for /api/interpreter/** is getting overridden by /** = authc, which basically allows all APIs to be accessible to all roles.

I tried it on my instance, and ordering /** = authc as the first line really makes the interpreters page accessible to all the users, whereas making it the last line makes it accessible only to the 'admin' users. The linked document also suggests making it the last line.

So please try this and let me know if it works:

[urls]
/api/interpreter/** = authc, roles[admin]
/api/configuration/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
#/** = anon
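
Added example, not part of the thread and not Zeppelin or Shiro code: Shiro evaluates [urls] rules in the order they are written and the first matching pattern wins, so this sketch replays both orderings from the thread and lints for rules that an earlier pattern makes unreachable. `ant_match` is a simplified stand-in for Shiro's Ant-style matcher, and `/api/interpreter/setting` is a sample request path chosen for illustration.

```python
import re
# The two [urls] orderings posted in the thread, embedded as sample input.
BEFORE = """[urls]
/** = authc
/api/interpreter/** = authc, roles[admin]
/api/configuration/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
"""
AFTER = """[urls]
/api/interpreter/** = authc, roles[admin]
/api/configuration/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
"""

def parse_urls(ini_text):
    """Return the [urls] rules as an ordered list of (pattern, [filters])."""
    rules, in_urls = [], False
    for line in (l.strip() for l in ini_text.splitlines()):
        if line.startswith("["):
            in_urls = line.lower() == "[urls]"
        elif in_urls and line and line[0] not in "#;" and "=" in line:
            pattern, chain = (part.strip() for part in line.split("=", 1))
            rules.append((pattern, re.findall(r"\w+(?:\[[^\]]*\])?", chain)))
    return rules

def ant_match(pattern, path):
    """Simplified Ant-style match: '**' spans segments, '*' and '?' stay in one."""
    def seg(p, s):
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        return re.fullmatch(rx, s) is not None
    def walk(ps, ss):
        if not ps:
            return not ss
        if ps[0] == "**":
            return any(walk(ps[1:], ss[i:]) for i in range(len(ss) + 1))
        return bool(ss) and seg(ps[0], ss[0]) and walk(ps[1:], ss[1:])
    return walk(pattern.strip("/").split("/"), path.strip("/").split("/"))

def first_match(rules, path):
    """Filter chain of the first matching rule; later rules are never consulted."""
    return next((chain for pattern, chain in rules if ant_match(pattern, path)), None)

def shadowed(rules):
    """Heuristic lint: patterns already matched by an earlier rule (wildcards probed as 'x')."""
    return [p for i, (p, _) in enumerate(rules)
            if any(ant_match(q, p.replace("*", "x")) for q, _ in rules[:i])]

if __name__ == "__main__":
    for text in (BEFORE, AFTER):
        print(first_match(parse_urls(text), "/api/interpreter/setting"), shadowed(parse_urls(text)))
```

A non-empty result from `shadowed` means a `roles[...]` restriction is written in the file but never enforced, which is the symptom described in this thread.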

avatar
Contributor

Placing /** = authc at the end of the [urls] section makes sense. I also made small changes to ldapRealm.rolesByGroup (before, the syntax was incorrect) and now everything is working properly.

Placing the urls in the correct order was the key, thank you very much.

avatar

Thank you for letting me know and accepting the answer 🙂

avatar
Contributor

P.S. also there are some warnings in /var/log/zeppelin/zeppelin-zeppelin-zeppelin.node.log

 WARN [2017-09-22 16:29:38,301] ({qtp760563749-56} JAXRSUtils.java[findTargetMethod]:499) - No operation matching request path "/api/login" is found, Relative Path: /, HTTP Method: GET, ContentType: */*, Accept: application/json,text/plain,*/*,. Please enable FINE/TRACE log level for more details.
 WARN [2017-09-22 16:29:38,302] ({qtp760563749-56} WebApplicationExceptionMapper.java[toResponse]:73) - javax.ws.rs.ClientErrorException
        at org.apache.cxf.jaxrs.utils.JAXRSUtils.findTargetMethod(JAXRSUtils.java:503)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:218)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXR

etc ... -----------------------------

WARN [2017-09-22 16:29:47,865] ({qtp760563749-26} JAXRSUtils.java[findTargetMethod]:499) - No operation matching request path "/api/login;JSESSIONID=a26c09a0-e86d-4e56-97ae-ac3e8d45a057" is found, Relative Path: /, HTTP Method: GET, ContentType: */*, Accept: application/json,text/plain,*/*,. Please enable FINE/TRACE log level for more details.
 WARN [2017-09-22 16:29:47,866] ({qtp760563749-26} WebApplicationExceptionMapper.java[toResponse]:73) - javax.ws.rs.ClientErrorException
        at org.apache.cxf.jaxrs.utils.JAXRSUtils.findTargetMethod(JAXRSUtils.java:503)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:218)

etc... -----------------------------

The warnings occur when a user logs in to the Zeppelin UI.

Maybe something is wrong with the path which starts with "api"?

Where are the path configs for Zeppelin?