cat shiro.ini # # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # #[users] #oracle = welcome1, admin # List of users with their password allowed to access Zeppelin. # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections # To enable admin user, uncomment the following line and set an appropriate password. #admin = password1, admin #user1 = password2, role1, role2 #user2 = password3, role3 #user3 = password4, role2 # Sample LDAP configuration, for user Authentication, currently tested for single Realm [main] #authenticator = org.apache.shiro.authc.UsernamePasswordToken #securityManager.authenticator = $authenticator ### A sample for configuring Active Directory Realm #activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm #activeDirectoryRealm.systemUsername = userNameA #use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html #activeDirectoryRealm.systemPassword = passwordA #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks #activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM #activeDirectoryRealm.url = ldap://ldap.test.com:389 #activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr" #activeDirectoryRealm.authorizationCachingEnabled = false ### A sample for configuring LDAP Directory Realm ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm ## search base for ldap groups (only relevant for LdapGroupRealm): ldapRealm.contextFactory.environment[ldap.searchBase] = DC=COMPANYMY,DC=COMPANYDomain,DC=com ldapRealm.contextFactory.url = ldap://msbchilddc01.COMPANYmy.COMPANYdomain.com:389 ldapRealm.userDnTemplate = CN={0},ou=LdapService,DC=COMPANYMY,DC=COMPANYDomain,DC=com ldapRealm.contextFactory.authenticationMechanism = simple #securityManager.realms = $ldapRealm ### A sample PAM configuration pamRealm=org.apache.zeppelin.realm.PamRealm pamRealm.service=sss securityManager.realms = $pamRealm,$ldapRealm ### A sample for configuring ZeppelinHub Realm #zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm ## Url of ZeppelinHub #zeppelinHubRealm.zeppelinhubUrl = https://www.zeppelinhub.com #securityManager.realms = $zeppelinHubRealm ## A same for configuring Knox SSO Realm #knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm #knoxJwtRealm.providerUrl = https://domain.example.com/ #knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html #knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout #knoxJwtRealm.logoutAPI = true #knoxJwtRealm.redirectParam = originalUrl #knoxJwtRealm.cookieName = hadoop-jwt #knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knox-sso.pem # #knoxJwtRealm.groupPrincipalMapping = group.principal.mapping #knoxJwtRealm.principalMapping = principal.mapping #authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager ### If caching of user is required then uncomment below lines #cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager #securityManager.cacheManager = $cacheManager ### Enables 'HttpOnly' flag in Zeppelin cookies cookie = org.apache.shiro.web.servlet.SimpleCookie cookie.name = JSESSIONID cookie.httpOnly = true ### Uncomment the below line only when Zeppelin is running over HTTPS #cookie.secure = true sessionManager.sessionIdCookie = $cookie securityManager.sessionManager = $sessionManager # 86,400,000 milliseconds = 24 hour securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login [roles] role1 = * role2 = * role3 = * admin = * [urls] # This section is used for url-based security. For details see the shiro.ini documentation. # # You can secure interpreter, configuration and credential information by urls. # Comment or uncomment the below urls that you want to hide: # anon means the access is anonymous. # authc means form based auth Security. # # IMPORTANT: Order matters: URL path expressions are evaluated against an incoming request # in the order they are defined and the FIRST MATCH WINS. # # To allow anonymous access to all but the stated urls, # uncomment the line second last line (/** = anon) and comment the last line (/** = authc) # /api/version = anon # Allow all authenticated users to restart interpreters on a notebook page. # Comment out the following line if you would like to authorize only admin users to restart interpreters. /api/interpreter/setting/restart/** = authc /api/interpreter/** = authc, roles[admin] /api/configurations/** = authc, roles[admin] /api/credential/** = authc, roles[admin] #/** = anon /** = authc