Thanks Rob.

On Thursday, June 2, 2016, Rob Anderson <rockclimbings...@gmail.com> wrote:
> Done, thanks.
>
> https://issues.apache.org/jira/browse/ZEPPELIN-946
>
> On Wed, Jun 1, 2016 at 1:06 PM, Vinay Shukla <vinayshu...@gmail.com> wrote:
>
>> Rob,
>>
>> It appears to be a bug, can you please file a JIRA to track this?
>>
>> Thanks,
>> Vinay
>>
>> On Fri, May 27, 2016 at 7:52 AM, Rob Anderson <rockclimbings...@gmail.com> wrote:
>>
>>> Hey Everyone,
>>>
>>> I'm new to Zeppelin as of this week. I've managed to build and stand up
>>> the *0.6.0-incubating-SNAPSHOT*. I've configured Zeppelin to
>>> authenticate via Shiro using Active Directory. I'm able
>>> to authenticate without issue.
>>>
>>> I'm having a problem setting / honoring notebook-specific permissions.
>>> Based on the documentation, I should be able to specify a user or group for
>>> the read, write or ownership permissions (
>>> https://zeppelin.incubator.apache.org/docs/0.6.0-incubating-SNAPSHOT/security/notebook_authorization.html).
>>> This works as expected if I specify a username, but groups and roles do not
>>> seem to work.
>>>
>>> *Error:*
>>> Insufficient privileges to write notebook.
>>> Allowed users or roles: [admin, zeppelinWrite]
>>> But the user randerson belongs to: [randerson]
>>>
>>> It seems clear that user randerson isn't mapped to any roles or
>>> groups (even though he of course is a member of the zeppelinWrite group
>>> in AD and as a result also part of the local admin Role). A TCPDUMP
>>> reveals that during login, all of my group memberships are in fact returned
>>> during the LDAP bind operation. However, when I attempt to modify a
>>> notebook, a call is never made to AD to pull back my group memberships.
>>> It doesn't seem to look at my local group memberships (/etc/group) either.
>>>
>>> I'm guessing I'm misunderstanding a concept(s) and / or missing a config
>>> option(s) (although I have tried numerous combinations of everything I can
>>> find online). My Shiro.ini is listed below. Any help you can offer is
>>> appreciated.
>>>
>>> Thanks much,
>>>
>>> Rob
>>> -------------------------------------------------------
>>> shiro.ini
>>>
>>> [users]
>>>
>>> [main]
>>> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
>>> adRealm.url = ldap://<server>:389
>>> adRealm.groupRolesMap = "cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,cn=users,dc=company,dc=com":"admin"
>>> adRealm.searchBase = DC=company,DC=com
>>> adRealm.systemUsername= <username>
>>> adRealm.systemPassword= <password>
>>> adRealm.principalSuffix=<@company>
>>>
>>> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>>> securityManager.sessionManager = $sessionManager
>>> securityManager.sessionManager.globalSessionTimeout = 86400000
>>> shiro.loginUrl = /api/login
>>> securityManager.realms = $adRealm
>>> [roles]
>>> admin = *
>>> [urls]
>>> /api/version = anon
>>> /** = authcBasic
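
A small model of the access decision shown in the error message above, added here as an example (it is not code from the thread, from Zeppelin or from Shiro). It parses the posted `adRealm.groupRolesMap` value and compares the denial seen in the thread (no roles resolved) with the outcome when the group DN is resolved to a role. The function names, the case-insensitive DN comparison and the sample `memberOf` value are assumptions.

```python
import re

# Value of adRealm.groupRolesMap as posted in the thread (wrapped line joined).
GROUP_ROLES_MAP = ('"cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,'
                   'cn=users,dc=company,dc=com":"admin"')
ALLOWED = ["admin", "zeppelinWrite"]  # "Allowed users or roles" from the error
# Constructed memberOf value, built from the DN in the posted shiro.ini.
MEMBER_OF = ["CN=zeppelinWrite,OU=unix groups,OU=groups,OU=accounts,"
             "CN=users,DC=company,DC=com"]

def norm_dn(dn):
    """Lower-case a DN and trim spaces around RDN separators.
    Assumed comparison rule; escaped commas inside values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_group_roles_map(value):
    """Parse '"<group DN>":"<role>[,<role>]"' pairs.
    DNs contain commas, so the quotes delimit each key and value."""
    pairs = re.findall(r'"([^"]+)"\s*:\s*"([^"]+)"', value)
    return {norm_dn(dn): {r.strip() for r in roles.split(",")}
            for dn, roles in pairs}

def roles_for_groups(member_of, mapping):
    """Union of the roles mapped from every group DN the user belongs to."""
    roles = set()
    for dn in member_of:
        roles |= mapping.get(norm_dn(dn), set())
    return roles

def check_write(principal, member_of, allowed, mapping):
    """Return (granted, entities): access is granted when the user's
    entities (login name plus resolved roles) intersect the allowed set."""
    entities = {principal} | roles_for_groups(member_of, mapping)
    return bool(entities & set(allowed)), sorted(entities)

MAPPING = parse_group_roles_map(GROUP_ROLES_MAP)

if __name__ == "__main__":
    # Observed in the thread: no groups reach the check, only the login name.
    print(check_write("randerson", [], ALLOWED, MAPPING))
    # Expected: the AD group resolves to the "admin" role and write is granted.
    print(check_write("randerson", MEMBER_OF, ALLOWED, MAPPING))
```

In this model the notebook entry `zeppelinWrite` never matches on its own: only the mapped role name `admin` reaches the entity set, so a group name listed in notebook permissions needs a role of the same name.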