Enabling Access Control for Interpreter, Configuration, and Credential Settings
By default, any authenticated account can access Zeppelin interpreter, credential, and configuration settings. When access control is enabled, unauthorized users can see the page heading, but no settings.
Prerequisite: Users and groups must be defined on all Zeppelin nodes and in the associated identity store.
To enable access control for the Zeppelin interpreter, credential, or configuration pages, complete the following steps:
Define a
[roles]
section inshiro.ini
contents, and specify permissions for defined groups.The following example grants all permissions ("
*
") to users in groupadmin
:[roles] admin = *
In the
[urls]
section of theshiro.ini
contents, uncomment the interpreter, configurations, or credential line(s) to enable access to the interpreter, configuration, or credential page(s), respectively. (If the[urls]
section is not defined, add the section. Include the three/api
lines listed in the following example.)The following example specifies access to interpreter, configurations, and credential settings for role "admin":
[urls] /api/version = anon /api/interpreter/** = authc, roles[admin] /api/configurations/** = authc, roles[admin] /api/credential/** = authc, roles[admin] #/** = anon /** = authc
To add more roles, separate role identifiers with commas inside the square brackets.
Note: The sequence of lines in the
[urls]
section is important. The/api/version
line must be the first line in the[urls]
section:/api/version = anon
Next, specify the three
/api
lines in any order:/api/interpreter/** = authc, roles[admin] /api/configurations/** = authc, roles[admin] /api/credential/** = authc, roles[admin]
The
authc
line must be last in the[urls]
section:/** = authc
Map the roles to LDAP or Active Directory (AD) groups. The following is an example of the
shiro.ini
settings for Active Directory (before pasting this configuration in your Zeppelin configuration, update the Active Directory details to match your actual configuration settings).# Sample LDAP configuration, for Active Directory user Authentication, currently tested for single Realm [main] ldapRealm=org.apache.zeppelin.realm.LdapRealm ldapRealm.contextFactory.systemUsername=cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net ldapRealm.contextFactory.systemPassword=SomePassw0rd ldapRealm.contextFactory.authenticationMechanism=simple ldapRealm.contextFactory.url=ldap://ad.somedomain.net:389 # Ability to set ldap paging Size if needed; default is 100 ldapRealm.pagingSize=200 ldapRealm.authorizationEnabled=true ldapRealm.searchBase=OU=CorpUsers,DC=lab,DC=hortonworks,DC=net ldapRealm.userSearchBase=OU=CorpUsers,DC=lab,DC=hortonworks,DC=net ldapRealm.groupSearchBase=OU=CorpUsers,DC=lab,DC=hortonworks,DC=net ldapRealm.userObjectClass=person ldapRealm.groupObjectClass=group ldapRealm.userSearchAttributeName = sAMAccountName # Set search scopes for user and group. Values: subtree (default), onelevel, object ldapRealm.userSearchScope = subtree ldapRealm.groupSearchScope = subtree ldapRealm.userSearchFilter=(&(objectclass=person)(sAMAccountName={0})) ldapRealm.memberAttribute=member # Format to parse & search group member values in 'memberAttribute' ldapRealm.memberAttributeValueTemplate=CN={0},OU=CorpUsers,DC=lab,DC=hortonworks,DC=net # No need to give userDnTemplate if memberAttributeValueTemplate is provided #ldapRealm.userDnTemplate= # Map from physical AD groups to logical application roles ldapRealm.rolesByGroup = "hadoop-admins":admin_role,"hadoop-users":hadoop_users_role # Force usernames returned from ldap to lowercase, useful for AD ldapRealm.userLowerCase = true # Enable support for nested groups using the LDAP_MATCHING_RULE_IN_CHAIN operator ldapRealm.groupSearchEnableMatchingRuleInChain = true sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager ### If caching of user is required then uncomment below lines cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager securityManager.cacheManager = $cacheManager securityManager.sessionManager = $sessionManager securityManager.realms = $ldapRealm # 86,400,000 milliseconds = 24 hour securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login [urls] # This section is used for url-based security. # You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide. # anon means the access is anonymous. # authc means Form based Auth Security # To enfore security, comment the line below and uncomment the next one #/api/version = anon /api/interpreter/** = authc, roles[admin_role,hadoop_users_role] /api/configurations/** = authc, roles[admin_role] /api/credential/** = authc, roles[admin_role,hadoop_users_role] #/** = anon /** = authc
Additional information:
ldapRealm.rolesByGroup = "hadoop-admins":admin_role,"hadoop-users":hadoop_users_role
This line maps the AD groups "hadoop-admins" and "hadoop-users" to custom roles which can be used in the [urls] section to control access to various Zeppelin users. Note that the short group names are to be used rather than fully qualified names such as "cn=hadoop-admins,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net". The role names can be set to any name but the names should match those used in the [urls] section.
ldapRealm.groupSearchEnableMatchingRuleInChain = true
A very powerful option to search all of the groups that a given user is member of in a single query. An LDAP search query with this option traverses the LDAP group hierarchy and finds all of the groups. This is especially useful for nested groups. More information can be found here. Caution: this option can cause performance overhead (slow to log in, etc.) if the LDAP hierarchy is not optimally configured.
ldapRealm.userSearchFilter=(&(objectclass=person)(sAMAccountName={0}))
Use this search filter to limit the scope of user results when looking for a user's Distinguished Name (DN). This is used only if
userSearchBase
anduserSearchAttributeName
are defined. If these two are not defined,userDnTemplate
is used to look for a user's DN.
When unauthorized users attempt to access the interpreter, configurations, or credential page, they see the page heading, but not the settings.