Rob,

It appears to be a bug, can you please file a JIRA to track this?

Thanks,
Vinay

On Fri, May 27, 2016 at 7:52 AM, Rob Anderson <rockclimbings...@gmail.com> wrote:

> Hey Everyone,
>
> I'm new to Zeppelin as of this week. I've managed to build and stand up
> the *0.6.0-incubating-SNAPSHOT*. I've configured Zeppelin to
> authenticate via Shiro using Active Directory. I'm able
> to authenticate without issue.
>
> I'm having a problem setting / honoring notebook specific permissions.
> Based on the documentation, I should be able to specify a user or group for
> the read, write or ownership permissions (
> https://zeppelin.incubator.apache.org/docs/0.6.0-incubating-SNAPSHOT/security/notebook_authorization.html).
> This works as expected if I specify a username, but groups and roles do not
> seem to work.
>
> *Error:*
> Insufficient privileges to write notebook.
> Allowed users or roles: [admin, zeppelinWrite]
> But the user randerson belongs to: [randerson]
>
> It seems clear that user randerson isn't mapped to any roles, or groups
> (even though he of course is a member of the zeppelinWrite group in AD
> and as a result also part of the local admin Role). A TCPDUMP reveals
> that during login, all of my group memberships are in fact returned during
> the ldap bind operation. However, when I attempt to modify a notebook, a
> call is never made to AD, to pull back my group memberships. It doesn't
> seem to look at my local group memberships (/etc/group) either.
>
> I'm guessing I'm misunderstanding a concept(s) and / or missing a config
> option(s) (although I have tried numerous combinations of everything I can
> find online). My Shiro.ini is listed below. Any help you can offer is
> appreciated.
>
> Thanks much,
>
> Rob
> -------------------------------------------------------
> shiro.ini
>
> [users]
>
> [main]
> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
> adRealm.url = ldap://<server>:389
> adRealm.groupRolesMap = "cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,cn=users,dc=company,dc=com":"admin"
> adRealm.searchBase = DC=company,DC=com
> adRealm.systemUsername= <username>
> adRealm.systemPassword= <password>
> adRealm.principalSuffix=<@company>
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.globalSessionTimeout = 86400000
> shiro.loginUrl = /api/login
> securityManager.realms = $adRealm
> [roles]
> admin = *
> [urls]
> /api/version = anon
> /** = authcBasic
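
An added example, not part of the original thread and not Zeppelin or Shiro code: a small Python model of the two steps the post describes, mapping AD group DNs to roles through `adRealm.groupRolesMap` and then checking the result against the notebook's allowed writers. The `memberOf` value is constructed, the function names are hypothetical, and because the thread does not say how the realm compares DNs, the lookup is shown both exact and case-normalized.

```python
import re

# Constructed inputs: the groupRolesMap value from the shiro.ini in the post,
# and a memberOf DN as a directory lookup might return it (casing differs).
GROUP_ROLES_MAP = ('"cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,'
                   'cn=users,dc=company,dc=com":"admin"')
MEMBER_OF = ["CN=zeppelinWrite,OU=unix groups,OU=groups,OU=accounts,"
             "CN=users,DC=company,DC=com"]
ALLOWED_WRITERS = {"admin", "zeppelinWrite"}  # taken from the error message


def parse_group_roles_map(value):
    """Parse '"groupDN":"role1,role2",...' into {groupDN: set(roles)}."""
    pairs = re.findall(r'"([^"]+)"\s*:\s*"([^"]+)"', value)
    return {dn: {r.strip() for r in roles.split(",") if r.strip()}
            for dn, roles in pairs}


def normalize_dn(dn):
    """Lower-case a DN and trim spaces around components.
    Simplification: does not handle escaped commas inside a component."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def roles_for(member_of, mapping, exact=True):
    """Roles the mapping grants for the given group DNs."""
    key = (lambda d: d) if exact else normalize_dn
    table = {key(dn): roles for dn, roles in mapping.items()}
    found = set()
    for dn in member_of:
        found |= table.get(key(dn), set())
    return found


def can_write(principal, roles, allowed=ALLOWED_WRITERS):
    """Model of the check implied by the error text: the user's own name
    plus resolved roles must overlap the allowed users or roles."""
    return bool(({principal} | set(roles)) & set(allowed))


if __name__ == "__main__":
    mapping = parse_group_roles_map(GROUP_ROLES_MAP)
    for exact in (True, False):
        roles = roles_for(MEMBER_OF, mapping, exact)
        print(f"exact={exact}: roles={sorted(roles)} "
              f"write={can_write('randerson', roles)}")
```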