Enable Access Control for Interpreter, Configuration, and Credential Settings

This section describes how to restrict access to Apache Zeppelin interpreter, credential, and configuration settings.

By default, any authenticated account can access the Zeppelin interpreter, credential, and configuration settings. When access control is enabled, unauthorized users can see the page heading, but not the settings.
Users and groups must be defined on all Zeppelin nodes and in the associated identity store.
  1. Define a [roles] section in shiro.ini contents, and specify permissions for defined groups. The following example grants all permissions ("*") to users in group admin:
    [roles]
    admin = *
  2. In the [urls] section of the shiro.ini contents, uncomment the interpreter, configurations, or credential line(s) to enable access to the interpreter, configuration, or credential page(s), respectively. (If the [urls] section is not defined, add the section. Include the three /api lines listed in the following example.)
    The following example specifies access to interpreter, configurations, and credential settings for role "admin":
    [urls]
    /api/version = anon
    /api/interpreter/** = authc, roles[admin]
    /api/configurations/** = authc, roles[admin]
    /api/credential/** = authc, roles[admin]
    #/** = anon
    /** = authc

    To add more roles, separate role identifiers with commas inside the square brackets.

    Note: The sequence of lines in the [urls] section is important. The /api/version line must be the first line in the [urls] section:

    /api/version = anon 

    Next, specify the three /api lines in any order:

    /api/interpreter/** = authc, roles[admin]
    /api/configurations/** = authc, roles[admin]
    /api/credential/** = authc, roles[admin]

    The authc line must be last in the [urls] section:

    /** = authc
  3. Map the roles to LDAP or Active Directory (AD) groups. The following is an example of the shiro.ini settings for Active Directory (before pasting this configuration in your Zeppelin configuration, update the Active Directory details to match your actual configuration settings).
    # Sample LDAP configuration, for Active Directory user Authentication, currently tested for single Realm
    [main]
    ldapRealm=org.apache.zeppelin.realm.LdapRealm
    ldapRealm.contextFactory.systemUsername=cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net
    ldapRealm.contextFactory.systemPassword=SomePassw0rd
    ldapRealm.contextFactory.authenticationMechanism=simple
    ldapRealm.contextFactory.url=ldap://ad.somedomain.net:389
    # Ability to set ldap paging Size if needed; default is 100
    ldapRealm.pagingSize=200
    ldapRealm.authorizationEnabled=true
    ldapRealm.searchBase=OU=CorpUsers,DC=lab,DC=hortonworks,DC=net
    ldapRealm.userSearchBase=OU=CorpUsers,DC=lab,DC=hortonworks,DC=net
    ldapRealm.groupSearchBase=OU=CorpUsers,DC=lab,DC=hortonworks,DC=net
    ldapRealm.userObjectClass=person
    ldapRealm.groupObjectClass=group
    ldapRealm.userSearchAttributeName = sAMAccountName
    # Set search scopes for user and group. Values: subtree (default), onelevel, object
    ldapRealm.userSearchScope = subtree
    ldapRealm.groupSearchScope = subtree
    ldapRealm.userSearchFilter=(&(objectclass=person)(sAMAccountName={0}))
    ldapRealm.memberAttribute=member
    # Format to parse & search group member values in 'memberAttribute'
    ldapRealm.memberAttributeValueTemplate=CN={0},OU=CorpUsers,DC=lab,DC=hortonworks,DC=net
    # No need to give userDnTemplate if memberAttributeValueTemplate is provided
    #ldapRealm.userDnTemplate=
    # Map from physical AD groups to logical application roles
    ldapRealm.rolesByGroup = "hadoop-admins":admin_role,"hadoop-users":hadoop_users_role
    # Force usernames returned from ldap to lowercase, useful for AD
    ldapRealm.userLowerCase = true
     
    # Enable support for nested groups using the LDAP_MATCHING_RULE_IN_CHAIN operator
    ldapRealm.groupSearchEnableMatchingRuleInChain = true
    
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    ### If caching of user is required then uncomment below lines
    cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
    securityManager.cacheManager = $cacheManager 
     
    securityManager.sessionManager = $sessionManager
    securityManager.realms = $ldapRealm
    # 86,400,000 milliseconds = 24 hour
    securityManager.sessionManager.globalSessionTimeout = 86400000
    shiro.loginUrl = /api/login
     
    [urls]
    # This section is used for url-based security.
    # You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.
    # anon means the access is anonymous.
    # authc means Form based Auth Security
    # To enfore security, comment the line below and uncomment the next one
    #/api/version = anon
    /api/interpreter/** = authc, roles[admin_role,hadoop_users_role]
    /api/configurations/** = authc, roles[admin_role]
    /api/credential/** = authc, roles[admin_role,hadoop_users_role]
    #/** = anon
    /** = authc

    Additional information:

    • ldapRealm.rolesByGroup = "hadoop-admins":admin_role,"hadoop-users":hadoop_users_role

      This line maps the AD groups "hadoop-admins" and "hadoop-users" to custom roles which can be used in the [urls] section to control access to various Zeppelin users. Note that the short group names are to be used rather than fully qualified names such as "cn=hadoop-admins,OU=CorpUsers,DC=lab,DC=hortonworks,DC=net". The role names can be set to any name but the names should match those used in the [urls] section.

    • ldapRealm.groupSearchEnableMatchingRuleInChain = true

      A very powerful option to search all of the groups that a given user is member of in a single query. An LDAP search query with this option traverses the LDAP group hierarchy and finds all of the groups. This is especially useful for nested groups. More information can be found here. Caution: this option can cause performance overhead (slow to log in, etc.) if the LDAP hierarchy is not optimally configured.

    • ldapRealm.userSearchFilter=(&(objectclass=person)(sAMAccountName={0}))

      Use this search filter to limit the scope of user results when looking for a user's Distinguished Name (DN). This is used only if userSearchBase and userSearchAttributeName are defined. If these two are not defined, userDnTemplate is used to look for a user's DN.

  4. When unauthorized users attempt to access the interpreter, configurations, or credential page, they can see the page heading, but not the settings.