Hi Krzysztof,

It seems currently there is no easy way to disallow notebook creation for particular users or groups.
If you can create an issue on our JIRA, that would be helpful.

Thanks,
moon

On Mon, Jul 18, 2016 at 9:59 PM Krzysztof Zarzycki <k.zarzy...@gmail.com> wrote:

> Hi Vinay. Thank you for your advice.
> But the thing I'm looking for is not how to limit a particular note. I would
> like to disallow *creation* of new notes to some users. I don't know how to
> do it currently. For now I can either disallow complete access to
> Zeppelin, or give access together with creating new notes.
> Do you have an idea how to achieve it?
>
> Thanks,
> Krzysztof
>
> Fri, 15.07.2016 at 17:20, Vinay Shukla <vinayshu...@gmail.com> wrote:
>
>> Krzysztof,
>>
>> Today access control is configured at the Note level & not done a-priori
>> in the shiro.ini.
>>
>> You configure authentication in shiro.ini & the notebook creator can set
>> access control by clicking the lock icon on the notebook.
>>
>> Thanks,
>> Vinay
>>
>> On Friday, July 15, 2016, Krzysztof Zarzycki <k.zarzy...@gmail.com>
>> wrote:
>>
>>> Hi,
>>> I'm configuring security for Zeppelin and I would like to be able to
>>> restrict access the following way:
>>> 1. only admins are able to create new notebooks
>>> 2. everyone logged in can read notebooks. (Actually, finally this should
>>> be also limited to the group).
>>> 3. anonymous access is forbidden.
>>>
>>> I thought that I can do it with urls and roles, by specifying which urls
>>> a particular role can access, but I'm unable to make it work.
>>>
>>> My current configuration of shiro.ini looks like this:
>>> [main]
>>> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
>>> adRealm.url = ldap://ad.server:389
>>> adRealm.groupRolesMap = "CN=Admins,DC=example,DC=com":"admin"
>>> adRealm.searchBase = dc=example,dc=com
>>> adRealm.systemUsername= systemUser
>>> adRealm.systemPassword= systemPassword
>>> adRealm.principalSuffix= @example.com
>>> adRealm.authorizationCachingEnabled = true
>>> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>>> securityManager.sessionManager = $sessionManager
>>> securityManager.sessionManager.globalSessionTimeout = 86400000
>>> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>>> securityManager.cacheManager = $cacheManager
>>> securityManager.realms = $adRealm
>>> shiro.loginUrl = /api/login
>>>
>>> [roles]
>>>
>>> admin = *
>>>
>>> [urls]
>>> /api/version = anon
>>> # I've tried multiple url filters:
>>> /api/interpreter/** = authcBasic, roles[admin]
>>> /api/notebook** = authcBasic, roles[admin]
>>> /api/notebook/** = authcBasic, roles[admin]
>>> /"#"/notebook/** = authcBasic, roles[admin]
>>> /** = authcBasic
>>> # I tried also above lines with authc, no success.
>>>
>>> # Only this option successfully limits access to admins, but of whole Zeppelin, not only notebook creation.
>>> /** = authcBasic, roles[admin]
>>>
>>> With this configuration, I log in as non-admin user and I'm still able
>>> to create new notebooks...
>>> Could you please help me configure Zeppelin to achieve my goal?
>>>
>>> Thanks a lot,
>>> Krzysztof