Thanks Rob.

On Thursday, June 2, 2016, Rob Anderson <rockclimbings...@gmail.com> wrote:

> Done, thanks.
>
> https://issues.apache.org/jira/browse/ZEPPELIN-946
>
> On Wed, Jun 1, 2016 at 1:06 PM, Vinay Shukla <vinayshu...@gmail.com
> <javascript:_e(%7B%7D,'cvml','vinayshu...@gmail.com');>> wrote:
>
>> Rob,
>>
>> It appears to be bug, can you please file a JIRA to track this?
>>
>> Thanks,
>> Vinay
>>
>> On Fri, May 27, 2016 at 7:52 AM, Rob Anderson <rockclimbings...@gmail.com
>> <javascript:_e(%7B%7D,'cvml','rockclimbings...@gmail.com');>> wrote:
>>
>>> Hey Everyone,
>>>
>>> I'm new to Zeppelin as of this week.  I've managed to build and stand up
>>>  the *0.6.0-incubating-SNAPSHOT.  *I've configured Zeppelin to
>>> authenticate via Shiro using Active Directory.  I'm able
>>> to authenticate without issue.
>>>
>>> I'm having a problem setting / honoring notebook specific permissions.
>>> Based on the documentation, I should be able specify a user or group for
>>> the read, write or ownership permissions (
>>> https://zeppelin.incubator.apache.org/docs/0.6.0-incubating-SNAPSHOT/security/notebook_authorization.html).
>>> This works as expected if I specify a username, but groups and roles do not
>>> seem to work.
>>>
>>> *Error:*
>>> Insufficient privileges to write notebook.
>>> Allowed users or roles: [admin, zeppelinWrite]
>>> But the user randerson belongs to: [randerson]
>>>
>>> It's seems clear that user randerson isn't mapped to any roles, or
>>> groups (even though he of course is a member of the zeppelinWrite group
>>> in AD and as a result also part of the local admin Role).  A TCPDUMP
>>> reveals that during login, all of my group memberships are in fact returned
>>> during the ldap bind operation.  However, when I attempt to modify a
>>> notebook, a call is never made to AD, to pull back my group memberships.
>>> It doesn't seem to look at my local group memberships (/etc/group) either.
>>>
>>> I'm guessing I'm misunderstanding a concept(s) and / or missing a config
>>> option(s) (although I have tried numerous combinations of everything I can
>>> find online).  My Shiro.ini is listed below.  Any help you can offer is
>>> appreciated.
>>>
>>> Thanks much,
>>>
>>> Rob
>>> -------------------------------------------------------
>>> shiro.ini
>>>
>>> [users]
>>>
>>> [main]
>>> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
>>> adRealm.url = ldap://<server>:389
>>> adRealm.groupRolesMap = "cn=zeppelinWrite,ou=unix
>>> groups,ou=groups,ou=accounts,cn=users,dc=company,dc=com":"admin"
>>> adRealm.searchBase = DC=company,DC=com
>>> adRealm.systemUsername= <username>
>>> adRealm.systemPassword= <password>
>>> adRealm.principalSuffix=<@company>
>>>
>>> sessionManager =
>>> org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>>> securityManager.sessionManager = $sessionManager
>>> securityManager.sessionManager.globalSessionTimeout = 86400000
>>> shiro.loginUrl = /api/login
>>> securityManager.realms = $adRealm
>>> [roles]
>>> admin = *
>>> [urls]
>>> /api/version = anon
>>> /** = authcBasic
>>>
>>>
>>
>

Reply via email to