Posted to dev@zeppelin.apache.org by Vartul Gupta <va...@microsoft.com.INVALID> on 2017/04/12 10:25:04 UTC

shiro.ini : Zeppelin interpreter authorization: lock to one user

Hi Team,

I am trying to set up authentication and authorization for Zeppelin using a Shiro file.
Now my question is: how can we set Zeppelin interpreter settings to be restricted to a particular AD admin user?

Here is a sample of my Shiro file.

[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = adminuser1
activeDirectoryRealm.systemPassword = ^^^^^^
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
activeDirectoryRealm.searchBase = "OU=AADDC Users,DC=team2testdomain,DC=testabc ,DC=com"
activeDirectoryRealm.url = ldaps://team2testdomain.testabc.com:636
activeDirectoryRealm.principalSuffix = @TEAM2TESTDOMAIN.testabc.COM
activeDirectoryRealm.groupRolesMap = "OU=AADDC Users,DC=team2testdomain,DC= testabc,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enforce security, comment the line below and uncomment the next one
#/** = anon
/** = authc

Thanks
Vartul

Re: shiro.ini : Zeppelin interpreter authorization: lock to one user

Posted by Vinay Shukla <vi...@gmail.com>.
Arun,

Can you try the following:

1. Enable Zeppelin authentication via shiro if not already.

2. In shiro.ini specify the role that should have access to interpreter
settings page. Example below

[urls]
/api/interpreter/** = authc, roles[admin]

/api/configurations/** = authc, roles[admin]

/api/credential/** = authc, roles[admin]

3. Map the specific role to LDAP/AD group in shiro.ini [main] section,
Example below

activeDirectoryRealm.groupRolesMap = "CN=hdpdv_admin,DC=hdpqa,DC=example,DC=com":"admin"

4. Restart Zeppelin.

Let the group know how this works for you.

Also as Moon mentioned we want to add more access control to Zeppelin and
make it easier to configure.

Thanks,
Vinay


On Wed, Apr 12, 2017 at 6:48 PM, Arun Khetarpal <ak...@gmail.com> wrote:

> Hi -
>
> I think the ask is that currently it seems that activeDirectoryGroupRealm
> maps each active directory group to a shiro role. Later we can authorize
> urls with roles in our urls section of shiro file.
>
> Our problem is that we don't really have an admin group handy in our AD -
> due to which there is a bit of a problem in setting the correct
> authorization of some urls. We were able to play around with
> ActiveDirectoryGroupRealm and modify in such a way that an internal role is
> created for systemUser and then authorize urls for him based on the
> internal role.
>
> Later we placed this modified ActiveDirectoryGroupRealm in Class path and
> everything works as expected. So my question is -
>
> a. Is there a better way provided by zeppelin for users to provide their
> own implementation of ActiveDirectoryGroupRealm ?
> b. Is the community interested in modifying ActiveDirectoryGroupRealm with
> our tweaks ?
>
>
> Regards,
> Arun
>
>
>
>
> On 12 April 2017 at 15:55, Vartul Gupta <va...@microsoft.com.invalid>
> wrote:
>
> > Hi Team,
> >
> > I am trying to setup authentication and authorization for Zeppelin using
> > Shiro file.
> > Now my question is How we can set Zeppelin interpreter settings to be
> > restricted to a particular AD admin user.
> >
> > Here is the sample of my shiro file .
> >
> > [main]
> > activeDirectoryRealm = org.apache.zeppelin.realm.
> ActiveDirectoryGroupRealm
> > activeDirectoryRealm.systemUsername = adminuser1
> > activeDirectoryRealm.systemPassword = ^^^^^^
> > #activeDirectoryRealm.hadoopSecurityCredentialPath =
> > jceks://user/zeppelin/zeppelin.jceks
> > activeDirectoryRealm.searchBase = "OU=AADDC Users,DC=team2testdomain,DC=
> testabc
> > ,DC=com"
> > activeDirectoryRealm.url = ldaps://team2testdomain.testabc.com:636
> > activeDirectoryRealm.principalSuffix = @TEAM2TESTDOMAIN.testabc.COM
> > activeDirectoryRealm.groupRolesMap = "OU=AADDC
> > Users,DC=team2testdomain,DC= testabc,DC=com":"admin"
> > activeDirectoryRealm.authorizationCachingEnabled = true
> > sessionManager = org.apache.shiro.web.session.
> mgt.DefaultWebSessionManager
> > cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> > securityManager.cacheManager = $cacheManager
> > securityManager.sessionManager = $sessionManager
> > # 86,400,000 milliseconds = 24 hour
> > securityManager.sessionManager.globalSessionTimeout = 86400000
> > shiro.loginUrl = /api/login
> >
> > [urls]
> > # anon means the access is anonymous.
> > # authcBasic means Basic Auth Security
> > # To enforce security, comment the line below and uncomment the next one
> > #/** = anon
> > /** = authc
> >
> > Thanks
> > Vartul
> >
>
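A small audit script for the [urls] ordering behind the steps above (added example, not code from the thread or from the Zeppelin project). It assumes a constructed shiro.ini with a hypothetical admin group DN, and checks that each admin-only endpoint is really reached by an `authc, roles[admin]` chain, since Shiro applies the first matching [urls] entry and a catch-all `/** = authc` placed above the specific lines silently shadows them.

```python
import configparser
import re
# Constructed shiro.ini modelled on the thread's fix (hypothetical group DN).
SHIRO_INI = """
[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.groupRolesMap = "CN=zeppelin_admin,DC=example,DC=com":"admin"
[urls]
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
"""
# Same rules with the catch-all moved first. Shiro applies the FIRST matching
# chain, so the admin-only entries below it would never be reached.
MISORDERED_INI = SHIRO_INI.replace("/** = authc\n", "").replace("[urls]\n", "[urls]\n/** = authc\n")
ADMIN_ONLY = ("/api/interpreter/**", "/api/configurations/**", "/api/credential/**")

def parse_shiro(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: Shiro keys are case-sensitive
    cp.read_string(text)
    return cp

def ant_to_regex(pattern):
    # Minimal Ant-style matcher: '**' spans path segments, '*' stays within one.
    rx = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + rx + "$")

def effective_chain(cp, path):
    """Return (pattern, filters) of the first [urls] entry matching path, as Shiro does."""
    for pattern, chain in cp["urls"].items():
        if ant_to_regex(pattern).match(path):
            return pattern, [f.strip() for f in chain.split(",")]
    return None, []

def required_roles(chain):
    # roles[admin] -> {'admin'}; single-role form as used in the thread
    return {r.strip() for f in chain for m in re.findall(r"roles\[(.*)\]", f) for r in m.split(",")}

def audit(text, role="admin"):
    """List admin endpoints that are not effectively locked to roles[<role>]."""
    cp = parse_shiro(text)
    findings = []
    if f'"{role}"' not in cp["main"].get("activeDirectoryRealm.groupRolesMap", ""):
        findings.append(f"role '{role}' is not mapped to any AD group in groupRolesMap")
    for pattern in ADMIN_ONLY:
        probe = pattern.replace("/**", "/x")  # representative request path
        matched, chain = effective_chain(cp, probe)
        if "authc" not in chain or role not in required_roles(chain):
            findings.append(f"{probe}: first match '{matched}' {chain} lacks roles[{role}]")
    return findings
```

Running `audit(SHIRO_INI)` returns no findings, while `audit(MISORDERED_INI)` reports all three endpoints as reachable through the bare `/** = authc` chain.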

Re: shiro.ini : Zeppelin interpreter authorization: lock to one user

Posted by moon soo Lee <mo...@apache.org>.
Hi,

https://issues.apache.org/jira/browse/ZEPPELIN-2236 tracks restricting
interpreter setting to admin group. And we're trying to solve this problem
in 0.8.0 [1]. Please keep an eye on this issue and feel free to make any
contributions.

Thanks,
moon

[1]
https://lists.apache.org/thread.html/f4be5635e6e72d2a9dc23771ceeaef8a8e5933bfb14db7cab303bc22@%3Cdev.zeppelin.apache.org%3E


On Wed, Apr 12, 2017 at 6:48 PM Arun Khetarpal <ak...@gmail.com> wrote:

> Hi -
>
> I think the ask is that currently it seems that activeDirectoryGroupRealm
> maps each active directory group to a shiro role. Later we can authorize
> urls with roles in our urls section of shiro file.
>
> Our problem is that we don't really have an admin group handy in our AD -
> due to which there is a bit of a problem in setting the correct
> authorization of some urls. We were able to play around with
> ActiveDirectoryGroupRealm and modify in such a way that an internal role is
> created for systemUser and then authorize urls for him based on the
> internal role.
>
> Later we placed this modified ActiveDirectoryGroupRealm in Class path and
> everything works as expected. So my question is -
>
> a. Is there a better way provided by zeppelin for users to provide their
> own implementation of ActiveDirectoryGroupRealm ?
> b. Is the community interested in modifying ActiveDirectoryGroupRealm with
> our tweaks ?
>
>
> Regards,
> Arun
>
>
>
>
> On 12 April 2017 at 15:55, Vartul Gupta <va...@microsoft.com.invalid>
> wrote:
>
> > Hi Team,
> >
> > I am trying to setup authentication and authorization for Zeppelin using
> > Shiro file.
> > Now my question is How we can set Zeppelin interpreter settings to be
> > restricted to a particular AD admin user.
> >
> > Here is the sample of my shiro file .
> >
> > [main]
> > activeDirectoryRealm =
> org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
> > activeDirectoryRealm.systemUsername = adminuser1
> > activeDirectoryRealm.systemPassword = ^^^^^^
> > #activeDirectoryRealm.hadoopSecurityCredentialPath =
> > jceks://user/zeppelin/zeppelin.jceks
> > activeDirectoryRealm.searchBase = "OU=AADDC
> Users,DC=team2testdomain,DC=testabc
> > ,DC=com"
> > activeDirectoryRealm.url = ldaps://team2testdomain.testabc.com:636
> > activeDirectoryRealm.principalSuffix = @TEAM2TESTDOMAIN.testabc.COM
> > activeDirectoryRealm.groupRolesMap = "OU=AADDC
> > Users,DC=team2testdomain,DC= testabc,DC=com":"admin"
> > activeDirectoryRealm.authorizationCachingEnabled = true
> > sessionManager =
> org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> > cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> > securityManager.cacheManager = $cacheManager
> > securityManager.sessionManager = $sessionManager
> > # 86,400,000 milliseconds = 24 hour
> > securityManager.sessionManager.globalSessionTimeout = 86400000
> > shiro.loginUrl = /api/login
> >
> > [urls]
> > # anon means the access is anonymous.
> > # authcBasic means Basic Auth Security
> > # To enforce security, comment the line below and uncomment the next one
> > #/** = anon
> > /** = authc
> >
> > Thanks
> > Vartul
> >
>

Re: shiro.ini : Zeppelin interpreter authorization: lock to one user

Posted by Arun Khetarpal <ak...@gmail.com>.
Hi -

I think the ask is that currently it seems that activeDirectoryGroupRealm
maps each active directory group to a shiro role. Later we can authorize
urls with roles in our urls section of shiro file.

Our problem is that we don't really have an admin group handy in our AD -
due to which there is a bit of a problem in setting the correct
authorization of some urls. We were able to play around with
ActiveDirectoryGroupRealm and modify in such a way that an internal role is
created for systemUser and then authorize urls for him based on the
internal role.

Later we placed this modified ActiveDirectoryGroupRealm in the classpath and
everything works as expected. So my question is -

a. Is there a better way provided by zeppelin for users to provide their
own implementation of ActiveDirectoryGroupRealm ?
b. Is the community interested in modifying ActiveDirectoryGroupRealm with
our tweaks ?


Regards,
Arun




On 12 April 2017 at 15:55, Vartul Gupta <va...@microsoft.com.invalid>
wrote:

> Hi Team,
>
> I am trying to setup authentication and authorization for Zeppelin using
> Shiro file.
> Now my question is How we can set Zeppelin interpreter settings to be
> restricted to a particular AD admin user.
>
> Here is the sample of my shiro file .
>
> [main]
> activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
> activeDirectoryRealm.systemUsername = adminuser1
> activeDirectoryRealm.systemPassword = ^^^^^^
> #activeDirectoryRealm.hadoopSecurityCredentialPath =
> jceks://user/zeppelin/zeppelin.jceks
> activeDirectoryRealm.searchBase = "OU=AADDC Users,DC=team2testdomain,DC=testabc
> ,DC=com"
> activeDirectoryRealm.url = ldaps://team2testdomain.testabc.com:636
> activeDirectoryRealm.principalSuffix = @TEAM2TESTDOMAIN.testabc.COM
> activeDirectoryRealm.groupRolesMap = "OU=AADDC
> Users,DC=team2testdomain,DC= testabc,DC=com":"admin"
> activeDirectoryRealm.authorizationCachingEnabled = true
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> securityManager.cacheManager = $cacheManager
> securityManager.sessionManager = $sessionManager
> # 86,400,000 milliseconds = 24 hour
> securityManager.sessionManager.globalSessionTimeout = 86400000
> shiro.loginUrl = /api/login
>
> [urls]
> # anon means the access is anonymous.
> # authcBasic means Basic Auth Security
> # To enforce security, comment the line below and uncomment the next one
> #/** = anon
> /** = authc
>
> Thanks
> Vartul
>