Posted to users@zeppelin.apache.org by Krzysztof Zarzycki <k....@gmail.com> on 2016/07/15 14:39:29 UTC

Forbid creating new notes

Hi,
I'm configuring security for Zeppelin and I would like to be able to
restrict access the following way:
1. only admins are able to create new notebooks
2. everyone logged in can read notebooks. (Actually, finally this should be
also limited to the group).
3. anonymous access is forbidden.

I thought that I can do it with urls and roles, by specifying which urls a
particular role can access, but I'm unable to make it work.

 My current configuration of shiro.ini looks like this:
[main]
adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.url = ldap://ad.server:389
adRealm.groupRolesMap = "CN=Admins,DC=example,DC=com":"admin"
adRealm.searchBase = dc=example,dc=com
adRealm.systemUsername= systemUser
adRealm.systemPassword= systemPassword
adRealm.principalSuffix= @example.com
adRealm.authorizationCachingEnabled = true
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.realms = $adRealm
shiro.loginUrl = /api/login

[roles]

admin = *

[urls]
/api/version = anon
# I've tried multiple url filters:
/api/interpreter/** = authcBasic, roles[admin]
/api/notebook** = authcBasic, roles[admin]
/api/notebook/** = authcBasic, roles[admin]
/"#"/notebook/** = authcBasic, roles[admin]
/** = authcBasic
# I tried also above lines with authc, no success.

# Only this option successfully limits access to admins, but of whole
# Zeppelin, not only notebook creation.
/** = authcBasic, roles[admin]

With this configuration, I log in as non-admin user and I'm still able to
create new notebooks...
Could you please help me configure Zeppelin to achieve my goal?

Thanks a lot,
Krzysztof
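
An added illustration (not part of the original thread, and not Shiro's own code): a simplified Python model of how the [urls] rules of the first attempt above are selected, assuming Shiro's documented behaviour that the first matching pattern wins and that patterns are Ant-style. The host name, note id and request paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# [urls] rules from the first attempt in the message above, in posted order.
RULES = [
    ("/api/version", "anon"),
    ("/api/interpreter/**", "authcBasic, roles[admin]"),
    ("/api/notebook**", "authcBasic, roles[admin]"),
    ("/api/notebook/**", "authcBasic, roles[admin]"),
    ('/"#"/notebook/**', "authcBasic, roles[admin]"),
    ("/**", "authcBasic"),
]

def _segments(s):
    return [p for p in s.split("/") if p]

def _segment_matches(pattern, segment):
    # Inside one path segment: '*' is any run of characters, '?' is one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, segment) is not None

def _match(pats, segs):
    if not pats:
        return not segs
    if pats[0] == "**":  # a whole-segment '**' spans zero or more segments
        return any(_match(pats[1:], segs[i:]) for i in range(len(segs) + 1))
    return (bool(segs) and _segment_matches(pats[0], segs[0])
            and _match(pats[1:], segs[1:]))

def resolve(path, rules=RULES):
    """Return (pattern, filter chain) of the first rule that matches path."""
    for pattern, chain in rules:
        if _match(_segments(pattern), _segments(path)):
            return pattern, chain
    return None

def server_path(url):
    """Path the server receives: the '#...' fragment stays in the browser."""
    return urlsplit(url).path or "/"

if __name__ == "__main__":
    # Constructed requests: REST paths, a UI URL with a fragment, one other path.
    for target in ("/api/version", "/api/notebook", "/api/notebook/2A94M5J1Z",
                   server_path("http://zeppelin.example:8080/#/notebook/2A94M5J1Z"),
                   "/ws"):
        print(f"{target:28} -> {resolve(target)}")
```

In this model only requests whose server-side path falls under one of the `/api/...` patterns reach the `roles[admin]` check; every other path, including the UI URL with its `#/notebook/...` fragment, ends at `/** = authcBasic`.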

Re: Forbid creating new notes

Posted by moon soo Lee <mo...@apache.org>.
Hi Krzysztof,

It seems currently there is no easy way to disallow notebook creation for
particular users or groups.

If you can create an issue on our JIRA, that would be helpful.

Thanks,
moon

On Mon, Jul 18, 2016 at 9:59 PM Krzysztof Zarzycki <k....@gmail.com>
wrote:

> Hi Vinay. Thank you for your advice.
> But the thing I'm looking for is not how to limit a particular note. I would
> like to disallow *creation* of new notes to some users. I don't know how to
> do it currently. For now I can either disallow complete access to
> Zeppelin, or give access together with creating new notes.
> Do you have an idea how to achieve it?
>
> Thanks,
> Krzysztof
>
>
>
>
>
> On Fri, 15.07.2016 at 17:20, Vinay Shukla <vi...@gmail.com>
> wrote:
>
>> Krzysztof,
>>
>> Today access control is configured at the Note level & not done a-priori
>> in the shiro.ini.
>>
>> You configure authentication in shiro.ini & the notebook creator can set
>> access control by clicking the lock icon on the notebook.
>>
>> Thanks,
>> Vinay
>>
>>
>>
>> On Friday, July 15, 2016, Krzysztof Zarzycki <k....@gmail.com>
>> wrote:
>>
>>> Hi,
>>> I'm configuring security for Zeppelin and I would like to be able to
>>> restrict access the following way:
>>> 1. only admins are able to create new notebooks
>>> 2. everyone logged in can read notebooks. (Actually, finally this should
>>> be also limited to the group).
>>> 3. anonymous access is forbidden.
>>>
>>> I thought that I can do it with urls and roles, by specifying which urls
>>> a particular role can access, but I'm unable to make it work.
>>>
>>>  My current configuration of shiro.ini looks like this:
>>> [main]
>>> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
>>> adRealm.url = ldap://ad.server:389
>>> adRealm.groupRolesMap = "CN=Admins,DC=example,DC=com":"admin"
>>> adRealm.searchBase = dc=example,dc=com
>>> adRealm.systemUsername= systemUser
>>> adRealm.systemPassword= systemPassword
>>> adRealm.principalSuffix= @example.com
>>> adRealm.authorizationCachingEnabled = true
>>> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>>> securityManager.sessionManager = $sessionManager
>>> securityManager.sessionManager.globalSessionTimeout = 86400000
>>> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>>> securityManager.cacheManager = $cacheManager
>>> securityManager.realms = $adRealm
>>> shiro.loginUrl = /api/login
>>>
>>> [roles]
>>>
>>> admin = *
>>>
>>> [urls]
>>> /api/version = anon
>>> # I've tried multiple url filters:
>>> /api/interpreter/** = authcBasic, roles[admin]
>>> /api/notebook** = authcBasic, roles[admin]
>>> /api/notebook/** = authcBasic, roles[admin]
>>> /"#"/notebook/** = authcBasic, roles[admin]
>>> /** = authcBasic
>>> # I tried also above lines with authc, no success.
>>>
>>> # Only this option successfully limits access to admins, but of whole
>>> # Zeppelin, not only notebook creation.
>>> /** = authcBasic, roles[admin]
>>>
>>> With this configuration, I log in as non-admin user and I'm still able
>>> to create new notebooks...
>>> Could you please help me configure Zeppelin to achieve my goal?
>>>
>>> Thanks a lot,
>>> Krzysztof
>>>
>>

Re: Forbid creating new notes

Posted by Krzysztof Zarzycki <k....@gmail.com>.
Hi Vinay. Thank you for your advice.
But the thing I'm looking for is not how to limit a particular note. I would
like to disallow *creation* of new notes to some users. I don't know how to
do it currently. For now I can either disallow complete access to
Zeppelin, or give access together with creating new notes.
Do you have an idea how to achieve it?

Thanks,
Krzysztof





On Fri, 15.07.2016 at 17:20, Vinay Shukla <vi...@gmail.com>
wrote:

> Krzysztof,
>
> Today access control is configured at the Note level & not done a-priori
> in the shiro.ini.
>
> You configure authentication in shiro.ini & the notebook creator can set
> access control by clicking the lock icon on the notebook.
>
> Thanks,
> Vinay
>
>
>
> On Friday, July 15, 2016, Krzysztof Zarzycki <k....@gmail.com> wrote:
>
>> Hi,
>> I'm configuring security for Zeppelin and I would like to be able to
>> restrict access the following way:
>> 1. only admins are able to create new notebooks
>> 2. everyone logged in can read notebooks. (Actually, finally this should
>> be also limited to the group).
>> 3. anonymous access is forbidden.
>>
>> I thought that I can do it with urls and roles, by specifying which urls
>> a particular role can access, but I'm unable to make it work.
>>
>>  My current configuration of shiro.ini looks like this:
>> [main]
>> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
>> adRealm.url = ldap://ad.server:389
>> adRealm.groupRolesMap = "CN=Admins,DC=example,DC=com":"admin"
>> adRealm.searchBase = dc=example,dc=com
>> adRealm.systemUsername= systemUser
>> adRealm.systemPassword= systemPassword
>> adRealm.principalSuffix= @example.com
>> adRealm.authorizationCachingEnabled = true
>> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>> securityManager.sessionManager = $sessionManager
>> securityManager.sessionManager.globalSessionTimeout = 86400000
>> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>> securityManager.cacheManager = $cacheManager
>> securityManager.realms = $adRealm
>> shiro.loginUrl = /api/login
>>
>> [roles]
>>
>> admin = *
>>
>> [urls]
>> /api/version = anon
>> # I've tried multiple url filters:
>> /api/interpreter/** = authcBasic, roles[admin]
>> /api/notebook** = authcBasic, roles[admin]
>> /api/notebook/** = authcBasic, roles[admin]
>> /"#"/notebook/** = authcBasic, roles[admin]
>> /** = authcBasic
>> # I tried also above lines with authc, no success.
>>
>> # Only this option successfully limits access to admins, but of whole
>> # Zeppelin, not only notebook creation.
>> /** = authcBasic, roles[admin]
>>
>> With this configuration, I log in as non-admin user and I'm still able to
>> create new notebooks...
>> Could you please help me configure Zeppelin to achieve my goal?
>>
>> Thanks a lot,
>> Krzysztof
>>
>

Re: Forbid creating new notes

Posted by Vinay Shukla <vi...@gmail.com>.
Krzysztof,

Today access control is configured at the Note level & not done a-priori in
the shiro.ini.

You configure authentication in shiro.ini & the notebook creator can set
access control by clicking the lock icon on the notebook.

Thanks,
Vinay


On Friday, July 15, 2016, Krzysztof Zarzycki <k....@gmail.com> wrote:

> Hi,
> I'm configuring security for Zeppelin and I would like to be able to
> restrict access the following way:
> 1. only admins are able to create new notebooks
> 2. everyone logged in can read notebooks. (Actually, finally this should
> be also limited to the group).
> 3. anonymous access is forbidden.
>
> I thought that I can do it with urls and roles, by specifying which urls a
> particular role can access, but I'm unable to make it work.
>
>  My current configuration of shiro.ini looks like this:
> [main]
> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
> adRealm.url = ldap://ad.server:389
> adRealm.groupRolesMap = "CN=Admins,DC=example,DC=com":"admin"
> adRealm.searchBase = dc=example,dc=com
> adRealm.systemUsername= systemUser
> adRealm.systemPassword= systemPassword
> adRealm.principalSuffix= @example.com
> adRealm.authorizationCachingEnabled = true
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.globalSessionTimeout = 86400000
> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> securityManager.cacheManager = $cacheManager
> securityManager.realms = $adRealm
> shiro.loginUrl = /api/login
>
> [roles]
>
> admin = *
>
> [urls]
> /api/version = anon
> # I've tried multiple url filters:
> /api/interpreter/** = authcBasic, roles[admin]
> /api/notebook** = authcBasic, roles[admin]
> /api/notebook/** = authcBasic, roles[admin]
> /"#"/notebook/** = authcBasic, roles[admin]
> /** = authcBasic
> # I tried also above lines with authc, no success.
>
> # Only this option successfully limits access to admins, but of whole
> # Zeppelin, not only notebook creation.
> /** = authcBasic, roles[admin]
>
> With this configuration, I log in as non-admin user and I'm still able to
> create new notebooks...
> Could you please help me configure Zeppelin to achieve my goal?
>
> Thanks a lot,
> Krzysztof
>