Hello Yaar,

I have an identical case to yours and was also asking for help on this
matter.
Unfortunately, based on my tests and assumptions, there is no such
functionality yet.
All, please correct me if I'm wrong.

Kind regards,
Michał

22.02.2017 10:19 "Yaar Reuveni" <ya...@liveperson.com> wrote:

> Hey,
>
> No response on previous times I've asked this, trying again.
>
> I configured Shiro authentication using Active Directory.
> I have checked this on both version 0.6 and 0.7 and it doesn't work in
> either.
> I have a specific group in our Active Directory, and I wish to grant
> access to users *only from that group*, but no matter what I configure
> all users from the whole Active Directory can access.
>
> Config looks like this (excluding/changing specific naming):
>
> [main]
> activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
> activeDirectoryRealm.systemUsername = <Our system user>
> activeDirectoryRealm.systemPassword = <His password>
> activeDirectoryRealm.searchBase = CN=Company ZepUsers,OU=Groups,DC=Company Domain,DC=com
> activeDirectoryRealm.url = <our url>
> activeDirectoryRealm.groupRolesMap = "CN=Company ZepUsers,OU=Groups,DC=Company Domain,DC=com":"admin"
> activeDirectoryRealm.authorizationCachingEnabled = false
> activeDirectoryRealm.principalSuffix=@ourdomain
> securityManager.realms = $activeDirectoryRealm
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> securityManager.sessionManager = $sessionManager
>
> securityManager.sessionManager.globalSessionTimeout = 86400000
> shiro.loginUrl = /api/login
>
> [urls]
> /api/version = anon
>
> /** = authc
> /api/interpreter/** = authc, roles[admin]
> /api/configurations/** = authc, roles[admin]
> /api/credential/** = authc, roles[admin]
>
>
> Notes:
> 1. There are spaces in AD path naming, not sure if this has any importance.
> 2. org.apache.zeppelin.server.ActiveDirectoryGroupRealm is the version
> 0.6 config; in 0.7 I've used the newer class, but all the rest is exactly
> the same.
> 3. The only thing that does work is authorization: users outside the
> group can't view the interpreter config page because it was defined so in
> the urls.
>
> Can anyone help?
>
>
>
> --
> Yaar
>