Member since
02-03-2017
4
Posts
2
Kudos Received
0
Solutions
02-08-2017
01:14 PM
Hello Sharan,
I have the same problem as you. Have you found the way to limit access to specific users/groups?
Kind regards,
Michał
... View more
02-08-2017
01:11 PM
2 Kudos
Dears,
I'm trying to configure shiro to authenticate users from AD and to limit
access to login to webui for specific group. Here's my shiro.ini config: activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = someuser
activeDirectoryRealm.systemPassword = somepassword
activeDirectoryRealm.searchBase = "OU=x,OU=y,OU=z,DC=,DC=x,DC=x"
activeDirectoryRealm.url = ldaps://ldap.domain.com:636
activeDirectoryRealm.groupRolesMap = "CN=HADOOP_GROUP,OU=x,OU=y,OU=z,OU=x,DC=x,DC=x,DC=x":"role1"
activeDirectoryRealm.authorizationCachingEnabled = false
[roles]
role1 = *
/api/version = anon
#/** = anon
/** = authc Currently, authentication works for every user who is in search base, so
everyone from search base can login.
What I want to achieve is to limit access to specific group so only user which has this group can log in. For testing purposes I created two users. First belongs to group which is listed in groupRolesMap where role1 = * is applied, and the second user belongs to another group, which is not listed in shiro.ini. The problem is that both users can log in, because these users are in the same search base.
Is there any way to limit such access? What am I missing?
I'll appreciate your help.
Kind regards,
... View more
Labels:
- Labels:
-
Apache Zeppelin
02-03-2017
04:47 PM
Dears,
I'm trying to configure shiro to authenticate users from AD and to limit
access to login to webui for specific group. Here's my shiro.ini config: activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = user
activeDirectoryRealm.systemPassword = password
activeDirectoryRealm.searchBase = "OU=x,OU=x,OU=x,DC=x,DC=x,DC=x"
activeDirectoryRealm.url = ldaps://ldap.domain.com:636
activeDirectoryRealm.groupRolesMap = "CN=HADOOP_GROUP,OU=x,OU=x,OU=
x,OU=x,DC=x,DC=x,DC=x":"role1"
activeDirectoryRealm.authorizationCachingEnabled = false
[roles]
role1 = *
/api/version = anon
/** = authc
Currently, authentication works for every user who is in search base, so
everyone from search base can login. To limit access, I would like to have
authorization based on specified group, so only users from HADOOP_GROUP can log in, like above in groupRolesMap, but it's not working as I expected.
What am I missing?
I'll appreciate your help.
Kind regards,
Michał
... View more
02-03-2017
02:27 PM
Hello, Did you figured out the solution? I'm working on similar configuration since couple weeks and I'm still getting error: %livy.spark
sc.version
Cannot start spark. I have debug enabled on livy but don't see any specific error. In zeppelin-interpreter-livy log I see: ERROR [2017-02-03 15:07:47,491] ({pool-2-thread-7} LivyHelper.java[createSession]:128) - Error getting session for user
java.lang.Exception: Cannot start spark. What's interesting, I see spark job created in yarn history with my user over livy-session with the status finished/suceeded most of the time, so from that side it looks correct. Unfortunatelly, still no result in zeppelin notebook. I will really appreciate any suggestions from those who succeeded:)
Kind regards,
Michał
... View more