Posted to users@zeppelin.apache.org by Paul Brenner <pb...@placeiq.com> on 2017/04/14 20:06:56 UTC
Restricting interpreters to users in certain groups
I’m trying to limit one group of users to only be able to use a single interpreter on 0.7.1. Is this possible right now? I managed to get AD authentication working and I can set up roles and was able to limit the group so that users can’t access the interpreter page. But I can’t figure out how to set the interpreter permissions based on groups. In the interpreter permissions I only get auto suggestion of user names. So, a few questions:
1. Has https://github.com/apache/zeppelin/pull/1236 / https://issues.apache.org/jira/browse/ZEPPELIN-1237 actually been implemented? It says it is for notebook permissions but when I try to set notebook permissions I don’t see roles there either.
2. Is pull 1236 only for notebook permissions? Is it possible that role-based permissions just aren’t implemented for interpreters yet?
3. What is the autosuggest even based on? If I try to start typing my first name “Paul” it finds no hits. No hits with my user name “pbrenner” either. But if I type my last name “Brenner” then autosuggest finds me.
4. What should be in the [roles] section in shiro.ini? I currently have group name = group name. Should it be group name =*? What does that even mean? Maybe group name = something else? See below to see what I have now which may be wrong.
Here is my shiro.ini which I did a lot of guessing to get working. Maybe there is an issue in there? Can anyone point me to anything at all that might be helpful?
[main]
### A sample for configuring Active Directory Realm
#activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = *******
activeDirectoryRealm.systemPassword = ********
#activeDirectoryRealm.searchBase = CN=Users,OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net
activeDirectoryRealm.searchBase = OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net
#activeDirectoryRealm.url = ldaps://corp.placeiq.net:636
#activeDirectoryRealm.url = ldaps://piq-corp-100.corp.placeiq.net:636
activeDirectoryRealm.url = ldap://piq-corp-100.corp.placeiq.net
activeDirectoryRealm.groupRolesMap = "CN=Security Data Science Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_science", "CN=Security Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"engineering", "CN=Security Infrastructure Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"infra", "CN=Security Research & Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"tech_heads", "CN=Security Reporting & Analytics Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"reporting", "CN=Security Product Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"product", "CN=Security Data Operations Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_ops"
activeDirectoryRealm.authorizationCachingEnabled = true
### A sample for configuring LDAP Directory Realm
#ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
#ldapRealm.contextFactory.url = ldap://ldap.test.com:389
#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE
#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
#ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
# search base for ldap groups (only relevant for LdapGroupRealm):
#ldapRealm.contextFactory.environment[ldap.searchBase] = cn=users,cn=accounts,dc=placeiq,dc=net
#ldapRealm.contextFactory.url = ldap://ldap.placeiq.net:389
#ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=placeiq,dc=net
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE
#ldapRealm.groupNameAttribute = cn
#ldapRealm.groupRolesMap = engineering:admin, datascience:
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hours
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
securityManager.realm = $activeDirectoryRealm
[roles]
data_science = data_science
engineering = engineering
infra = infra
tech_heads = tech_heads
reporting = reporting
[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# authc means Form based Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
/api/interpreter/** = authc, roles[engineering],roles[infra],roles[tech_heads],roles[data_science]
#/** = anon
/** = authc
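Added here as an illustration (not code from the thread or from Zeppelin), a small Python model of how Shiro evaluates the [urls] chain from the shiro.ini above: separate roles[...] filters are ANDed, so the interpreter line as written admits only a user who holds all four roles, while a single-group restriction needs just roles[data_science], and an any-of rule needs Zeppelin's anyofroles filter (registered in [main] as anyofroles = org.apache.zeppelin.utils.AnyOfRolesAuthorizationFilter; confirm it is present in your version's shiro.ini.template). The filter semantics are modelled here, not imported from Shiro.

```python
import re
# Constructed input: the [urls] chain from the shiro.ini above, and the same rule written with
# Zeppelin's anyofroles filter (org.apache.zeppelin.utils.AnyOfRolesAuthorizationFilter).
URLS_ALL_ROLES = """[urls]
/api/version = anon
/api/interpreter/** = authc, roles[engineering],roles[infra],roles[tech_heads],roles[data_science]
/** = authc
"""
URLS_ANY_ROLE = URLS_ALL_ROLES.replace(
    "roles[engineering],roles[infra],roles[tech_heads],roles[data_science]",
    "anyofroles[engineering, infra, tech_heads, data_science]")

def parse_urls(ini_text):
    """Ordered (path_pattern, [filter, ...]) pairs from the [urls] section."""
    chains, in_urls = [], False
    for line in (ln.strip() for ln in ini_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_urls = line == "[urls]"
        elif in_urls:
            path, spec = (p.strip() for p in line.split("=", 1))
            # split on commas outside brackets so anyofroles[a, b] stays one filter
            chains.append((path, [f.strip() for f in re.split(r",(?![^\[]*\])", spec)]))
    return chains

def path_matches(pattern, path):
    """Minimal Ant-style match: a trailing '/**' covers the base path and everything below."""
    if pattern.endswith("/**"):
        return path == pattern[:-3] or path.startswith(pattern[:-2])
    return pattern == path

def filter_allows(spec, authenticated, roles):
    """anon/authc as in Shiro; roles[...] requires ALL listed roles, anyofroles[...] any one."""
    name, _, arg = spec.partition("[")
    wanted = {r.strip() for r in arg.rstrip("]").split(",") if r.strip()}
    if name in ("anon", "authc"):
        return name == "anon" or authenticated
    if name == "roles":
        return wanted <= set(roles)
    if name == "anyofroles":
        return bool(wanted & set(roles))
    raise ValueError("unknown filter: " + name)

def is_allowed(ini_text, path, authenticated, roles):
    """First matching chain wins (Shiro order) and every filter in that chain must pass (AND)."""
    for pattern, filters in parse_urls(ini_text):
        if path_matches(pattern, path):
            return all(filter_allows(f, authenticated, roles) for f in filters)
    return True  # no chain matched: Shiro leaves the request unfiltered
```

On the [roles] question: that section maps a role name to the permissions it grants, so data_science = data_science gives the role one permission string named data_science and data_science = * would give it every permission; the roles[...] URL filter only checks role membership, so neither form changes the outcome of the chain above.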
Re: Restricting interpreters to users in certain groups
Posted by moon soo Lee <mo...@apache.org>.
Thanks for sharing the problem.
Currently, interpreter permissions do not support groups/roles but only
users, unlike notebook permissions, which support all of group/role/user.
Could you help by creating an issue for it?
Regards,
moon
On Sat, Apr 15, 2017 at 5:07 AM Paul Brenner <pb...@placeiq.com> wrote:
> I’m trying to limit one group of users to only be able to use a single
> interpreter on 0.7.1. Is this possible right now? I managed to get AD
> authentication working and I can set up roles and was able to limit the
> group so that users can’t access the interpreter page. But I can’t figure
> out how to set the interpreter permissions based on groups. In the
> interpreter permissions I only get auto suggestion of user names. So, a few
> questions:
>
>
> 1. Has https://github.com/apache/zeppelin/pull/1236
> / https://issues.apache.org/jira/browse/ZEPPELIN-1237 actually
> been implemented? It says it is for notebook permissions but when I try to
> set notebook permissions I don’t see roles there either
> 2. Is pull 1236 only for notebook permissions? Is it possible that
> roles based permissions just aren’t implemented for interpreters yet?
> 3. What is the autosuggest even based on? If I try to start typing my
> first name “Paul” it finds no hits. No hits with my user name “pbrenner”
> either. But if I type my last name “Brenner” then autosuggest finds me.
> 4. What should be in the [roles] section in shiro.ini? I currently
> have group name = group name. Should it be group name =*? What does that
> even mean? Maybe group name = something else? See below to see what I have
> now which may be wrong.
>
>
> Here is my shiro.ini which I did a lot of guessing to get working. Maybe
> there is an issue in there? Can anyone point me to anything at all that
> might be helpful?
>
> [main]
> ### A sample for configuring Active Directory Realm
> #activeDirectoryRealm =
> org.apache.zeppelin.server.ActiveDirectoryGroupRealm
> activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
> activeDirectoryRealm.systemUsername = *******
> activeDirectoryRealm.systemPassword = ********
> #activeDirectoryRealm.searchBase =
> CN=Users,OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net
> activeDirectoryRealm.searchBase =
> OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net
> #activeDirectoryRealm.url = ldaps://corp.placeiq.net:636
> #activeDirectoryRealm.url = ldaps://piq-corp-100.corp.placeiq.net:636
> activeDirectoryRealm.url = ldap://piq-corp-100.corp.placeiq.net
> activeDirectoryRealm.groupRolesMap = "CN=Security Data Science
> Department,OU=Department Security Groups,OU=Security
> Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_science", "CN=Security
> Development Department,OU=Department Security Groups,OU=Security
> Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"engineering", "CN=Security
> Infrastructure Department,OU=Department Security Groups,OU=Security
> Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"infra", "CN=Security Research
> & Development Department,OU=Department Security Groups,OU=Security
> Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"tech_heads", "CN=Security
> Reporting & Analytics Department,OU=Department Security Groups,OU=Security
> Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"reporting", "CN=Security
> Product Department,OU=Department Security Groups,OU=Security
> Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"product", "CN=Security Data
> Operations Department,OU=Department Security Groups,OU=Security
> Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_ops"
> activeDirectoryRealm.authorizationCachingEnabled = true
>
>
> ### A sample for configuring LDAP Directory Realm
> #ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
> ## search base for ldap groups (only relevant for LdapGroupRealm):
> #ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
> #ldapRealm.contextFactory.url = ldap://ldap.test.com:389
> #ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
> #ldapRealm.contextFactory.authenticationMechanism = SIMPLE
>
> #ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
> #ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
> # search base for ldap groups (only relevant for LdapGroupRealm):
> #ldapRealm.contextFactory.environment[ldap.searchBase] =
> cn=users,cn=accounts,dc=placeiq,dc=net
> #ldapRealm.contextFactory.url = ldap://ldap.placeiq.net:389
> #ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=placeiq,dc=net
> #ldapRealm.contextFactory.authenticationMechanism = SIMPLE
> #ldapRealm.groupNameAttribute = cn
> #ldapRealm.groupRolesMap = engineering:admin, datascience:
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>
> ### If caching of user is required then uncomment below lines
> #cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> #securityManager.cacheManager = $cacheManager
>
> securityManager.sessionManager = $sessionManager
> # 86,400,000 milliseconds = 24 hours
> securityManager.sessionManager.globalSessionTimeout = 86400000
> shiro.loginUrl = /api/login
>
> securityManager.realm = $activeDirectoryRealm
>
> [roles]
> data_science = data_science
> engineering = engineering
> infra = infra
> tech_heads = tech_heads
> reporting = reporting
>
> [urls]
> # anon means the access is anonymous.
> # authcBasic means Basic Auth Security
> # authc means Form based Auth Security
> # To enforce security, comment the line below and uncomment the next one
> /api/version = anon
> /api/interpreter/** = authc,
> roles[engineering],roles[infra],roles[tech_heads],roles[data_science]
> #/** = anon
> /** = authc