Hi, I am using HDP 2.3.0 with Zeppelin 0.6.0. I configured LDAP/AD for users and groups. I can successfully login as AD user, but when I create role for my AD group in shiro.ini, then set permissions to the notebook only to this AD group I cannot be authorized (no roles (groups) binded to my user). Please check my configs below. ZeppelinUser10 belongs to both AD groups - ZeppelinGroup1 and ZeppelinGroup2 shiro.ini [main] ### A sample for configuring Active Directory Realm activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm activeDirectoryRealm.systemUsername = CN=ZeppelinUser1,OU=Users,OU=Zeppelin,DC=MYAD,DC=COM activeDirectoryRealm.systemPassword = mypass activeDirectoryRealm.searchBase = OU=Users,OU=Zeppelin,DC=MYAD,DC=COM activeDirectoryRealm.url = ldap://myldap.com:389 activeDirectoryRealm.groupRolesMap = "CN=ZeppelinGroup1,OU=Groups,OU=Zeppelin,DC=MYAD,DC=COM":"ZeppelinGroup1","CN=ZeppelinGroup2,OU=Groups,OU=Zeppelin,DC=MYAD,DC=COM":"ZeppelinGroup2" activeDirectoryRealm.authorizationCachingEnabled = true ### A sample for configuring LDAP Directory Realm ldapRealm = org.apache.zeppelin.server.LdapGroupRealm ## search base for ldap groups (only relevant for LdapGroupRealm): ldapRealm.contextFactory.environment[ldap.searchBase] = OU=Users,OU=Zeppelin,DC=MYAD,DC=COM ldapRealm.contextFactory.url = ldap://myldap.com:389 ldapRealm.userDnTemCOMate = cn={0},OU=Users,OU=Zeppelin,DC=MYAD,DC=COM ldapRealm.contextFactory.authenticationMechanism = SIMPLE sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager ### If caching of user is required then uncomment below lines #cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager #securityManager.cacheManager = $cacheManager securityManager.sessionManager = $sessionManager # 86,400,000 milliseconds = 24 hour securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login [roles] role1 = * role2 = * role3 = * ZeppelinGroup1 = * ZeppelinGroup2 = * log ERROR [2016-09-05 15:07:02,069] ({qtp1029098726-16} LdapGroupRealm.java[getRoleNamesForUser]:89) - Error javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'OU=Users,OU=Zeppelin,DC=MYAD,DC=COM' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3127) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1789) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286) at org.apache.zeppelin.server.LdapGroupRealm.getRoleNamesForUser(LdapGroupRealm.java:67) at org.apache.zeppelin.server.LdapGroupRealm.queryForAuthorizationInfo(LdapGroupRealm.java:50) at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthorizationInfo(JndiLdapRealm.java:313) at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341) at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:571) at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:374) at org.apache.shiro.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:153) at org.apache.shiro.subject.support.DelegatingSubject.hasRole(DelegatingSubject.java:224) at org.apache.zeppelin.utils.SecurityUtils.getRoles(SecurityUtils.java:113) at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:78) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180) at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192) at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:100) at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57) at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239) at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248) at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222) at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153) at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) at javax.servlet.http.HttpServlet.service(HttpServlet.java:595) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669) at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61) at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449) at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365) at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383) at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362) at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) at org.eclipse.jetty.server.Server.handle(Server.java:499) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) at java.lang.Thread.run(Thread.java:745) WARN [2016-09-05 15:07:02,076] ({qtp1029098726-16} LoginRestApi.java[postLogin]:112) - {"status":"OK","message":"","body":{"principal":"ZeppelinUser10","ticket":"753601d0-5958-4092-bf32-1f5b84b6a8f1","roles":"[]"}} ... View more

Hi all! I can confirm that Zeppelin LDAP authentication works with HDP stack version 2.3.0. The only problem is that when I use LdapGroupRealm with ldapRealm.contextFactory.environment set to OU with groups only, I can access to Zeppelin as users from any other OU and these users are not a members of any group. When I use JndiLdapRealm I have access as users only from OU set in userDnTemplate, which is ok. Below my shiro.ini config for the first situation which I described ### A sample for configuring LDAP Directory Realm ldapRealm = org.apache.zeppelin.server.LdapGroupRealm #ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm ## search base for ldap groups (only relevant for LdapGroupRealm): ldapRealm.contextFactory.environment[ldap.searchBase] = cn={0},OU=Groups,OU=Zeppelin,DC=MYAD1,DC=COM ldapRealm.contextFactory.url = ldap://192.168.1.100:389 ldapRealm.contextFactory.authenticationMechanism = SIMPLE #ldapRealm.userDnTemplate = cn={0},OU=Users,OU=Zeppelin,DC=MYAD1,DC=COM My question is: does default shiro realm (LdapGroupRealm or JndiLdapRealm) support filtering? I would like to filter users to authenticate. Perfectly would be if I could authenticate users by groups they belong to. Should I use external .jar? I use Zeppelin 0.6.0 with HDP stack 2.3.0. ... View more

Hi, My cluster is not Kerberized. I am using HDP 2.3.0 with Ambari 2.1.1. I updated Spark to 1.6.0 (from HDP 2.4 stack) and installed Zeppelin from this tutorial. I have a problem with authentication. When I set zeppelin.anonymous.allowed to false in Ambari, and restart Zeppelin I can still access Zeppelin without providing credentials. Also I want to configure authentication via Active Directory but I can't find shiro.ini file. Zeppelin is installed in /opt/zeppelin. My questions are: 1. Is AD or any authentication method supported for Zeppelin for components versions in my case? 2. Is AD authentication supported in HDP 2.3.2? 3. Does Zeppelin works with Spark version 1.3.1? 4. Why I can't see shiro.ini in conf directory? Whats strange: In Ambari -> Add services I see Zeppelin Notebook in version 0.0.10 Thank you in advance! ... View more