Posted to dev@zeppelin.apache.org by "Rob Anderson (JIRA)" <ji...@apache.org> on 2016/06/02 19:54:59 UTC

[jira] [Created] (ZEPPELIN-946) Notebook specific permissions not honoring group / role permissions

Rob Anderson created ZEPPELIN-946:
-------------------------------------

             Summary: Notebook specific permissions not honoring group / role permissions
                 Key: ZEPPELIN-946
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-946
             Project: Zeppelin
          Issue Type: Bug
    Affects Versions: 0.6.0
            Reporter: Rob Anderson


Error:
Insufficient privileges to write notebook.
Allowed users or roles: [admin, zeppelinWrite]
But the user randerson belongs to: [randerson]

It seems clear that user randerson isn't mapped to any roles or groups (even though he of course is a member of the zeppelinWrite group in AD and as a result also part of the local admin Role).  A TCPDUMP reveals that during login, all of my group memberships are in fact returned during the LDAP bind operation.  However, when I attempt to modify a notebook, a call is never made to AD to pull back my group memberships.  It doesn't seem to look at my local group memberships (/etc/group) either.

shiro.ini

[users]

[main]
adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.url = ldap://<server>:389
adRealm.groupRolesMap = "cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,cn=users,dc=company,dc=com":"admin"
adRealm.searchBase = DC=company,DC=com
adRealm.systemUsername= <username>
adRealm.systemPassword= <password>
adRealm.principalSuffix=<@company>

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
securityManager.realms = $adRealm
[roles]
admin = *
[urls]
/api/version = anon
/** = authcBasic





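Added example, not part of the original report and not Zeppelin or Shiro code: a small Python model of the check behind the error above. It parses the groupRolesMap value from the shiro.ini, resolves roles from a user's group DNs, and shows that an empty group list reproduces the reported message. The function names, the exact-match DN lookup and the sample memberships are assumptions.

```python
import re

# Constructed sample: the groupRolesMap value from the shiro.ini in the report.
GROUP_DN = ("cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,"
            "cn=users,dc=company,dc=com")
GROUP_ROLES_MAP = '"' + GROUP_DN + '":"admin"'


def parse_group_roles_map(value):
    """Parse "dn":"role1,role2" pairs; commas inside the quoted DN are kept."""
    pairs = re.findall(r'"([^"]+)"\s*:\s*"([^"]*)"', value)
    return {dn: [r.strip() for r in roles.split(",") if r.strip()]
            for dn, roles in pairs}


def resolve_entities(user, member_of, group_roles):
    """Names the permission check sees: the user plus roles mapped from groups."""
    entities = {user}
    for dn in member_of:
        # Assumption of this model: exact string match on the group DN.
        entities.update(group_roles.get(dn, []))
    return entities


def check_write(user, member_of, allowed, group_roles):
    """Allow the write when any resolved name is in the notebook's writer list."""
    entities = resolve_entities(user, member_of, group_roles)
    if entities & set(allowed):
        return True, "ok"
    fmt = lambda names: "[" + ", ".join(sorted(names)) + "]"
    return False, ("Insufficient privileges to write notebook.\n"
                   "Allowed users or roles: " + fmt(allowed) + "\n"
                   "But the user " + user + " belongs to: " + fmt(entities))


if __name__ == "__main__":
    roles_map = parse_group_roles_map(GROUP_ROLES_MAP)
    writers = ["admin", "zeppelinWrite"]
    # No memberships resolved at check time: same message as in the report.
    print(check_write("randerson", [], writers, roles_map)[1])
    # Memberships resolved: the mapped "admin" role satisfies the check.
    print(check_write("randerson", [GROUP_DN], writers, roles_map)[1])
```

Comparing the "belongs to" list in the real error with the output of resolve_entities for the expected group DNs shows whether the gap is in role resolution or in the mapping itself.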