Formatting skewed the way it looks, trying to resend the shiro config just
so it's clear to read:

[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = <Our system user>
activeDirectoryRealm.systemPassword = <His password>
activeDirectoryRealm.searchBase = CN=Company ZepUsers,OU=Groups,DC=Company Domain,DC=com
activeDirectoryRealm.url = <our url>
activeDirectoryRealm.groupRolesMap = "CN=Company ZepUsers,OU=Groups,DC=Company Domain,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.principalSuffix=@ourdomain
securityManager.realms = $activeDirectoryRealm

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[urls]
/api/version = anon
/** = authc
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]

On Wed, Feb 22, 2017 at 11:19 AM, Yaar Reuveni <ya...@liveperson.com> wrote:

> Hey,
>
> No response on previous times I've asked this, trying again.
>
> I configured Shiro authentication using Active Directory.
> I have checked this on both version 0.6 and 0.7 and it doesn't work in
> either.
> I have a specific group in our Active Directory, and I wish to grant
> access to users *only from that group*, but no matter what I configure
> all users from the whole Active Directory can access.
>
> Config looks like this (excluding/changing specific naming):
>
> [main]
> activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
> activeDirectoryRealm.systemUsername = <Our system user>
> activeDirectoryRealm.systemPassword = <His password>
> activeDirectoryRealm.searchBase = CN=Company ZepUsers,OU=Groups,DC=Company Domain,DC=com
> activeDirectoryRealm.url = <our url>
> activeDirectoryRealm.groupRolesMap = "CN=Company ZepUsers,OU=Groups,DC=Company Domain,DC=com":"admin"
> activeDirectoryRealm.authorizationCachingEnabled = false
> activeDirectoryRealm.principalSuffix=@ourdomain
> securityManager.realms = $activeDirectoryRealm
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.globalSessionTimeout = 86400000
> shiro.loginUrl = /api/login
>
> [urls]
> /api/version = anon
> /** = authc
> /api/interpreter/** = authc, roles[admin]
> /api/configurations/** = authc, roles[admin]
> /api/credential/** = authc, roles[admin]
>
>
> Notes:
> 1. There are spaces in AD path naming, not sure if this has any importance.
> 2. org.apache.zeppelin.server.ActiveDirectoryGroupRealm is the version
> 0.6 config; in 0.7 I've used the newer class, but all the rest is exactly
> the same.
> 3. The only thing that does work is authorization: users out of the
> group can't view the interpreter config page because it was defined so in
> the urls.
>
> Can anyone help?
>
>
>
> --
> Yaar
>



-- 

Yaar Reuveni
R&D Team Leader