Posted to users@zeppelin.apache.org by Paul Brenner <pb...@placeiq.com> on 2017/04/14 20:06:56 UTC

Restricting interpreters to users in certain groups

I’m trying to limit one group of users to only be able to use a single interpreter on 0.7.1. Is this possible right now? I managed to get AD authentication working and I can set up roles and was able to limit the group so that users can’t access the interpreter page. But I can’t figure out how to set the interpreter permissions based on groups. In the interpreter permissions I only get auto suggestion of user names. So, a few questions:

1. Has https://github.com/apache/zeppelin/pull/1236 / https://issues.apache.org/jira/browse/ZEPPELIN-1237 actually been implemented? It says it is for notebook permissions, but when I try to set notebook permissions I don’t see roles there either.

2. Is pull 1236 only for notebook permissions? Is it possible that role-based permissions just aren’t implemented for interpreters yet?

3. What is the autosuggest even based on? If I try to start typing my first name “Paul” it finds no hits. No hits with my user name “pbrenner” either. But if I type my last name “Brenner” then autosuggest finds me.

4. What should be in the [roles] section in shiro.ini? I currently have group name = group name. Should it be group name = *? What does that even mean? Maybe group name = something else? See below to see what I have now, which may be wrong.

Here is my shiro.ini which I did a lot of guessing to get working. Maybe there is an issue in there? Can anyone point me to anything at all that might be helpful?

[main]
### A sample for configuring Active Directory Realm
#activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = *******
activeDirectoryRealm.systemPassword = ********
#activeDirectoryRealm.searchBase = CN=Users,OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net
activeDirectoryRealm.searchBase = OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net
#activeDirectoryRealm.url = ldaps://corp.placeiq.net:636
#activeDirectoryRealm.url = ldaps://piq-corp-100.corp.placeiq.net:636
activeDirectoryRealm.url = ldap://piq-corp-100.corp.placeiq.net
activeDirectoryRealm.groupRolesMap = "CN=Security Data Science Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_science", "CN=Security Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"engineering", "CN=Security Infrastructure Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"infra", "CN=Security Research & Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"tech_heads", "CN=Security Reporting & Analytics Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"reporting", "CN=Security Product Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"product", "CN=Security Data Operations Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_ops"
activeDirectoryRealm.authorizationCachingEnabled = true

### A sample for configuring LDAP Directory Realm
#ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
#ldapRealm.contextFactory.url = ldap://ldap.test.com:389
#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE

#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
#ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
# search base for ldap groups (only relevant for LdapGroupRealm):
#ldapRealm.contextFactory.environment[ldap.searchBase] = cn=users,cn=accounts,dc=placeiq,dc=net
#ldapRealm.contextFactory.url = ldap://ldap.placeiq.net:389
#ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=placeiq,dc=net
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE
#ldapRealm.groupNameAttribute = cn
#ldapRealm.groupRolesMap = engineering:admin, datascience:

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hours
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

securityManager.realm = $activeDirectoryRealm

[roles]
data_science = data_science
engineering = engineering
infra = infra
tech_heads = tech_heads
reporting = reporting

[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# authc means Form based Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
/api/interpreter/** = authc, roles[engineering],roles[infra],roles[tech_heads],roles[data_science]
#/** = anon
/** = authc

Paul Brenner
DATA SCIENTIST, PlaceIQ
http://www.placeiq.com/
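What the [urls] chain in the shiro.ini above actually grants is easier to see by running it than by reading it. The following Python is an added example, not code from Zeppelin, Shiro or the original post. It models two Apache Shiro behaviours that decide who reaches /api/interpreter/** with this configuration: ActiveDirectoryGroupRealm mapping a user's AD group DNs through groupRolesMap to role names, and the roles[...] filter (RolesAuthorizationFilter) passing only when the subject holds every listed role, with a chain such as "authc, roles[a],roles[b]" evaluated filter by filter so that all of them must pass. As a result the posted /api/interpreter/** rule admits only users who are members of all four mapped groups, and a user in a single group is denied. The user, group memberships and request paths are constructed sample data; any_of_roles models what an OR-style check would compute and is not a Shiro built-in (Shiro core ships no any-of roles filter; one would have to be a custom AuthorizationFilter).

```python
"""Model of how Apache Shiro evaluates the [urls] chain in the shiro.ini above.

Added example, not Zeppelin or Shiro code. Modelled behaviours:
  * ActiveDirectoryGroupRealm: each AD group DN in groupRolesMap becomes a role;
    DN comparison is case-insensitive, as in AD.
  * roles[...] (RolesAuthorizationFilter) passes only if the subject holds ALL
    listed roles; every filter in a chain must pass.
The users and group memberships below are constructed sample data.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

OU_TAIL = "OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net"

# Group DN -> role, from the posted groupRolesMap (four of its seven entries).
GROUP_ROLES_MAP: Dict[str, str] = {
    f"CN=Security Data Science Department,{OU_TAIL}": "data_science",
    f"CN=Security Development Department,{OU_TAIL}": "engineering",
    f"CN=Security Infrastructure Department,{OU_TAIL}": "infra",
    f"CN=Security Research & Development Department,{OU_TAIL}": "tech_heads",
}

# [urls] section from the posted shiro.ini, in file order (first match wins).
URLS: List[Tuple[str, str]] = [
    ("/api/version", "anon"),
    ("/api/interpreter/**",
     "authc, roles[engineering],roles[infra],roles[tech_heads],roles[data_science]"),
    ("/**", "authc"),
]


def roles_for(member_of: Iterable[str],
              group_roles_map: Dict[str, str] = GROUP_ROLES_MAP) -> Set[str]:
    """Map a user's AD group DNs (memberOf) to Shiro role names."""
    lookup = {dn.lower(): role for dn, role in group_roles_map.items()}
    return {lookup[dn.lower()] for dn in member_of if dn.lower() in lookup}


def parse_chain(chain: str) -> List[Tuple[str, List[str]]]:
    """'authc, roles[a],roles[b]' -> [('authc', []), ('roles', ['a']), ('roles', ['b'])]."""
    filters: List[Tuple[str, List[str]]] = []
    for part in re.findall(r"\w+(?:\[[^\]]*\])?", chain):
        name, _, args = part.partition("[")
        args = args.rstrip("]")
        filters.append((name, [a.strip() for a in args.split(",")] if args else []))
    return filters


def ant_to_regex(pattern: str) -> str:
    """Minimal Ant-style path pattern: '/**' spans zero or more segments,
    '**' spans anything, '*' and '?' stay within one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(?:/.*)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return out


def ant_match(pattern: str, path: str) -> bool:
    return re.fullmatch(ant_to_regex(pattern), path) is not None


def chain_allows(chain: str, authenticated: bool, roles: Set[str]) -> bool:
    """Every filter in the chain must pass, in order."""
    for name, args in parse_chain(chain):
        if name == "anon":
            continue
        if name == "authc":
            if not authenticated:
                return False
        elif name == "roles":
            if not set(args) <= roles:  # Subject.hasAllRoles(args)
                return False
        else:
            raise ValueError(f"filter {name!r} is not modelled here")
    return True


def access_allowed(path: str, authenticated: bool, roles: Set[str],
                   urls: List[Tuple[str, str]] = URLS) -> bool:
    """Resolve the first matching [urls] entry, then run its chain."""
    for pattern, chain in urls:
        if ant_match(pattern, path):
            return chain_allows(chain, authenticated, roles)
    return True  # no chain configured for this path: nothing filters it


def any_of_roles(required: Iterable[str], roles: Set[str]) -> bool:
    """OR-style role check; not a Shiro built-in, would need a custom filter."""
    return bool(set(required) & roles)


if __name__ == "__main__":
    # Constructed sample: a user who is in exactly one mapped AD group.
    roles = roles_for([f"CN=Security Data Science Department,{OU_TAIL}"])
    print("roles:", roles)
    print("/api/interpreter/setting ->", access_allowed("/api/interpreter/setting", True, roles))
    print("/api/notebook ->", access_allowed("/api/notebook", True, roles))
    print("/api/version (anonymous) ->", access_allowed("/api/version", False, set()))
```

Run as a script it prints the decisions for the one-group sample user: denied on /api/interpreter/setting, allowed on /api/notebook, and anonymous access to /api/version. access_allowed resolves the first matching [urls] pattern in file order, as Shiro's PathMatchingFilterChainResolver does, so the relative order of the /api/interpreter/** and /** lines matters.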

Re: Restricting interpreters to users in certain groups

Posted by moon soo Lee <mo...@apache.org>.
Thanks for sharing the problem.

Currently, interpreter permissions do not support groups/roles but only
users, unlike notebook permissions, which support group, role and user.

Could you help by creating an issue for it?

Regards,
moon
