it can be any, username or role, and inside of "[]" it accepts CSV. So, you can typically give /api/interpreter/** = authc, roles[adminUser, adminRole, managerRole] etc. ... View more

This issue is reported in jira ticket https://issues.apache.org/jira/browse/ZEPPELIN-2810 and https://issues.apache.org/jira/browse/ZEPPELIN-2640 and some developer sent a PR for this https://github.com/apache/zeppelin/pull/2405 this issue will be fixed in zeppelin v0.8.0 but not released now how about wait for next release or build it yourself? or use ldapRealm? ... View more

Hi, I am trying to restrict a specific group of ActiveDirectory users to access zeppelin. My shiro looks something like below, can you please suggest where i have to add the group name or make the changes so that the group of users are not able to login to zeppelin. [users] # List of users with their password allowed to access Zeppelin. # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections #admin = password1 #user1 = password2, role1, role2 #user2 = password3, role3 #user3 = password4, role2 # Sample LDAP configuration, for user Authentication, currently tested for single Realm [main] activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm activeDirectoryRealm.systemUsername = cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net activeDirectoryRealm.systemPassword = badPassword #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/conf/zeppelin.jceks activeDirectoryRealm.searchBase = dc=lab,dc=hortonworks,dc=net activeDirectoryRealm.url = ldap://ad.example.net:389 activeDirectoryRealm.groupRolesMap = "cn=ldap-admin,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net":"admin" activeDirectoryRealm.authorizationCachingEnabled =false sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager securityManager.realms = $activeDirectoryRealm # 86,400,000 milliseconds = 24 hour securityManager.sessionManager.globalSessionTimeout =86400000 shiro.loginUrl =/api/login [urls] # anon means the access is anonymous. # authcBasic means Basic Auth Security # To enfore security, comment the line below and uncomment the next one /api/version = anon #/** = anon /api/interpreter/** = authc, roles[admin] /api/configurations/** = authc, roles[admin] /api/credential/** = authc, roles[admin] /** = authc Please suggest, Thanks ... View more

@Edgar Daeds I do not recommend using Zeppelin LDAP+AD (0.6.0) on stack less then 2.4.x. Can it be done..I can't say for sure. Your path may be riddled with trouble. Do it with 2.4.x. ... View more

Is this fixed in HDP2.5? Knox 0.9.0 I mean is there a possibility in the new version to filter AD groups? I have over 1000 groups in AD and when Knox tries to authenticate me, AD returns an error "Size limit exceeded". ... View more

It is a fresh installation with one additional Ranger Admin installed and configured with nginx to redirect to the working one. ... View more

I found the solution. If anyone else is facing the same problem, review this link and use @bsaini topology. Thanks! ... View more