Enabling Access Control for Interpreter, Configuration, and Credential Settings
By default, any authenticated account can access Zeppelin interpreter, credential, and configuration settings. When access control is enabled, unauthorized users can see the page heading, but no settings. There are two steps: defining roles, and specifying which roles have access to which settings.
Prerequisite: Users and groups must be defined on all Zeppelin nodes and in the associated identity store.
To enable access control for the Zeppelin interpreter, credential, or configuration pages, complete the following steps:
Define a
[roles]section inshiro.inicontents, and specify permissions for defined groups.The following example grants all permissions ("
*") to users in groupadmin:[roles] admin = *
In the
[urls]section of theshiro.inicontents, uncomment the interpreter, configurations, or credential line(s) to enable access to the interpreter, configuration, or credential page(s), respectively. (If the[urls]section is not defined, add the section. Include the three/apilines listed in the following example.)The following example specifies access to interpreter, configurations, and credential settings for role "admin":
[urls] /api/version = anon /api/interpreter/** = authc, roles[admin] /api/configurations/** = authc, roles[admin] /api/credential/** = authc, roles[admin] #/** = anon /** = authc
To add more roles, separate role identifiers with commas inside the square brackets.
Note: The sequence of lines in the
[urls]section is important. The/api/versionline must be the first line in the[urls]section:/api/version = anon
Next, specify the three
/apilines in any order:/api/interpreter/** = authc, roles[admin] /api/configurations/** = authc, roles[admin] /api/credential/** = authc, roles[admin]
The
authcline must be last in the[urls]section:/** = authc
When unauthorized users attempt to access the interpreter, configurations, or credential page, they see the page heading but not settings.