I’m trying to limit one group of users to only be able to use a single 
interpreter on 0.7.1. Is this possible right now? I managed to get AD 
authentication working and I can set up roles and was able to limit the group so 
that users can’t access the interpreter page. But I can’t figure out how to set 
the interpreter permissions based on groups. In the interpreter permissions I 
only get auto suggestion of user names. So, a few questions:

Has 
https://share.polymail.io/v1/z/b/NThmMTI5Nzg2MDAx/q9wQSTXAhps3LWKtP0J9dK77wokFjk6B-H8wicMiChHZiiZWiSk7aZiPMPylsLF_0iRfgooWfsN4RmMAHKRpuxhPzBatkCM4f5RQD3-CHGv7-I6I8aSYivIR3kZrUKCJUzDsutPBBtuuFLscxJPUjgXlegdjnhjhbc41tFsovGqMLGoSQtpyjkWwj0izJw4jI0o1fo-pi2ppzaGap38gMIk=
 / 
https://share.polymail.io/v1/z/b/NThmMTI5Nzg2MDAx/q9wQSTXAhps3LWKtP0J9dK77wokFjk6B-H8wicMiChHZiiZWiSk7aZiPMPylsLF_0iRfgooWfsN4RmMAHKRpuxhPzBatkCM4f5RQD3-CHGv7-I6I8aSYivIR3kZrUKCJUzDsutPBBtuuFLscxJ3OiRj1awdhgRStZNt6uEEqvHqALntYTMFz1kagzH7ZRmxVWYrwgcCnUmAI4m8uQhBDr_UdwFk9DX5c
 actually been implemented? It says it is for notebook permissions, but when I 
try to set notebook permissions I don’t see roles there either.

Is pull 1236 only for notebook permissions? Is it possible that role-based 
permissions just aren’t implemented for interpreters yet?

What is the autosuggest even based on? If I try to start typing my first name 
“Paul” it finds no hits. No hits with my user name “pbrenner” either. But if I 
type my last name “Brenner” then autosuggest finds me.

What should be in the [roles] section in shiro.ini? I currently have group name 
= group name. Should it be group name =*? What does that even mean? Maybe group 
name = something else? See below to see what I have now which may be wrong.

Here is my shiro.ini which I did a lot of guessing to get working. Maybe there 
is an issue in there? Can anyone point me to anything at all that might be 
helpful?

[main]

### A sample for configuring Active Directory Realm

#activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm

activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm

activeDirectoryRealm.systemUsername = *******

activeDirectoryRealm.systemPassword = ********

#activeDirectoryRealm.searchBase = CN=Users,OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net

activeDirectoryRealm.searchBase = OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net

#activeDirectoryRealm.url = ldaps://corp.placeiq.net:636

#activeDirectoryRealm.url = ldaps://piq-corp-100.corp.placeiq.net:636

activeDirectoryRealm.url = ldap://piq-corp-100.corp.placeiq.net

activeDirectoryRealm.groupRolesMap = "CN=Security Data Science Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_science", "CN=Security Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"engineering", "CN=Security Infrastructure Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"infra", "CN=Security Research & Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"tech_heads", "CN=Security Reporting & Analytics Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"reporting", "CN=Security Product Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"product", "CN=Security Data Operations Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_ops"

activeDirectoryRealm.authorizationCachingEnabled = true

### A sample for configuring LDAP Directory Realm

#ldapRealm = org.apache.zeppelin.server.LdapGroupRealm

## search base for ldap groups (only relevant for LdapGroupRealm):

#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM

#ldapRealm.contextFactory.url = ldap://ldap.test.com:389

#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM

#ldapRealm.contextFactory.authenticationMechanism = SIMPLE

#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm

#ldapRealm = org.apache.zeppelin.server.LdapGroupRealm

# search base for ldap groups (only relevant for LdapGroupRealm):

#ldapRealm.contextFactory.environment[ldap.searchBase] = cn=users,cn=accounts,dc=placeiq,dc=net

#ldapRealm.contextFactory.url = ldap://ldap.placeiq.net:389

#ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=placeiq,dc=net

#ldapRealm.contextFactory.authenticationMechanism = SIMPLE

#ldapRealm.groupNameAttribute = cn

#ldapRealm.groupRolesMap = engineering:admin, datascience:

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines

#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager

#securityManager.cacheManager = $cacheManager

securityManager.sessionManager = $sessionManager

# 86,400,000 milliseconds = 24 hour

securityManager.sessionManager.globalSessionTimeout = 86400000

shiro.loginUrl = /api/login

securityManager.realm = $activeDirectoryRealm

[roles]

data_science = data_science

engineering = engineering

infra = infra

tech_heads = tech_heads

reporting = reporting

[urls]

# anon means the access is anonymous.

# authcBasic means Basic Auth Security

# authc means Form based Auth Security

# To enforce security, comment the line below and uncomment the next one

/api/version = anon

/api/interpreter/** = authc, roles[engineering],roles[infra],roles[tech_heads],roles[data_science]

#/** = anon

/** = authc

Paul Brenner

DATA SCIENTIST

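Added example (not part of the original post, and not Zeppelin or Shiro code): a small Python lint for the [roles] and [urls] sections shown in the post. It applies Apache Shiro's documented INI semantics, where every filter in a URL chain must pass (so several roles[...] entries combine with AND) and each [roles] line maps a role name to permission strings. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the [roles] and [urls] sections from the post, trimmed,
# with the e-mail line wrap in the /api/interpreter/** rule joined onto one line.
SAMPLE_INI = """\
[roles]
data_science = data_science
engineering = engineering
[urls]
/api/version = anon
/api/interpreter/** = authc, roles[engineering],roles[infra],roles[tech_heads],roles[data_science]
/** = authc
"""

def sections(text):
    """Split INI text into {section: [(key, value), ...]}, keeping line order."""
    out, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            out[current] = []
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            out[current].append((key.strip(), value.strip()))
    return out

def required_roles(chain):
    """Roles a subject must hold at once: every roles[...] filter must pass."""
    roles = []
    for args in re.findall(r"\broles\[([^\]]*)\]", chain):
        roles += [r.strip() for r in args.split(",") if r.strip()]
    return roles

def lint(text):
    """Return (item, message) findings for the [urls] and [roles] sections."""
    ini, findings = sections(text), []
    for path, chain in ini.get("urls", []):
        roles = required_roles(chain)
        if len(roles) > 1:
            findings.append((path, "ALL of these roles are required: " + ", ".join(roles)))
    for role, perms in ini.get("roles", []):
        if perms == role:  # a permission named after the role, not the '*' wildcard
            findings.append((role, "grants one permission string named after the role"))
    return findings

if __name__ == "__main__":
    for item, message in lint(SAMPLE_INI):
        print(f"{item}: {message}")
```
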