Posted to users@zeppelin.apache.org by Yaar Reuveni <ya...@liveperson.com> on 2017/02/22 09:19:18 UTC

zeppelin ActiveDirectory Authentication won't work as expected

Hey,

No response on previous times I've asked this, trying again.

I configured Shiro authentication using Active directory,
I have checked this both on version 0.6 and 0.7 and it doesn't work in both.
I have a specific group in our active directory, and I wish to grant access
to users *only from that group*, but no matter what I configure all users
from the whole active directory can access.

Config looks like this (excluding/changing specific naming):

[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = <Our system user>
activeDirectoryRealm.systemPassword = <His password>
activeDirectoryRealm.searchBase = CN=Company ZepUsers,OU=Groups,DC=Company Domain,DC=com
activeDirectoryRealm.url = <our url>
activeDirectoryRealm.groupRolesMap = "CN=Company ZepUsers,OU=Groups,DC=Company Domain,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.principalSuffix=@ourdomain
securityManager.realms = $activeDirectoryRealm

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[urls]
/api/version = anon

/** = authc
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]


Note
1. There are spaces in AD path naming, not sure if this has any importance.
2. org.apache.zeppelin.server.ActiveDirectoryGroupRealm is the version 0.6
config; in 0.7 I've used the newer class but all the rest is exactly the same
3. The only one thing that does work is authorization, users out of the
group can't view the interpreter config page because it was defined so in
the urls

Can anyone help?



-- 
Yaar

-- 
This message may contain confidential and/or privileged information. 
If you are not the addressee or authorized to receive this on behalf of the 
addressee you must not use, copy, disclose or take action based on this 
message or any information herein. 
If you have received this message in error, please advise the sender 
immediately by reply email and delete this message. Thank you.
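
An added example, not part of the original post and not Zeppelin or Shiro code: Shiro evaluates `[urls]` patterns in definition order and the first match wins, and `authc` only requires a successful login while `roles[...]` additionally requires a role. The sketch below resolves paths against the `[urls]` section in the order posted above and lists rules that an earlier pattern covers; the matcher is a simplification (exact paths and a trailing `/**` only, where Shiro uses full Ant-style matching), and all function names are hypothetical.

```python
import re

# [urls] section copied from the message above, in the order posted.
POSTED_URLS = """\
/api/version = anon
/** = authc
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
"""

def parse_urls(text):
    """Return [(pattern, [filters])], preserving definition order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        pattern, _, chain = line.partition("=")
        # Split on commas that are not inside a filter's [...] arguments.
        filters = [f.strip() for f in re.split(r",(?![^\[]*\])", chain)]
        rules.append((pattern.strip(), filters))
    return rules

def base(pattern):
    """Path prefix of a '/**' pattern, or the pattern itself if exact."""
    return pattern[:-3] if pattern.endswith("/**") else pattern

def matches(pattern, path):
    # Simplified matcher (assumption): exact path, or prefix for 'x/**'.
    if pattern.endswith("/**"):
        return path == base(pattern) or path.startswith(base(pattern) + "/")
    return pattern == path

def resolve(rules, path):
    """Filter chain of the first matching rule (first match wins)."""
    for pattern, filters in rules:
        if matches(pattern, path):
            return filters
    return []

def covers(earlier, later):
    """True if every path matched by 'later' is already matched by 'earlier'."""
    if earlier.endswith("/**"):
        return matches(earlier, base(later))
    return earlier == later

def shadowed(rules):
    """Patterns that can never be selected because an earlier one covers them."""
    return [p for i, (p, _) in enumerate(rules)
            if any(covers(e, p) for e, _ in rules[:i])]

if __name__ == "__main__":
    rules = parse_urls(POSTED_URLS)
    print(resolve(rules, "/api/interpreter/setting"), shadowed(rules))
```

Any path that resolves to `authc` alone is open to every account the realm can authenticate, whatever `groupRolesMap` assigns.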

Re: zeppelin ActiveDirectory Authentication won't work as expected

Posted by Yaar Reuveni <ya...@liveperson.com>.
Formatting skewed the way it looks, trying to resend the shiro config just
so it's clear to read:

[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = <Our system user>
activeDirectoryRealm.systemPassword = <His password>
activeDirectoryRealm.searchBase = CN=Company ZepUsers,OU=Groups,DC=Company Domain,DC=com
activeDirectoryRealm.url = <our url>
activeDirectoryRealm.groupRolesMap = "CN=Company ZepUsers,OU=Groups,DC=Company Domain,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.principalSuffix=@ourdomain
securityManager.realms = $activeDirectoryRealm

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[urls]
/api/version = anon
/** = authc
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]




-- 

Yaar Reuveni
R&D Team Leader

Re: zeppelin ActiveDirectory Authentication won't work as expected

Posted by Michał Kabocik <mi...@gmail.com>.
Hello Yaar,

I have identical case as you have and also was asking for help on this
matter.
Unfortunately, based on my tests and assumptions, there is no such
functionality yet.
All, please correct me if I'm wrong.

Kind regards,
Michał
