Thanks for sharing the problem. Currently, interpreter permission does not support group/role but only users, unlike notebook permission, which supports all of group/role/user.
Could you help create an issue for it?

Regards,
moon

On Sat, Apr 15, 2017 at 5:07 AM Paul Brenner <pbren...@placeiq.com> wrote:

> I’m trying to limit one group of users to only be able to use a single
> interpreter on 0.7.1. Is this possible right now? I managed to get AD
> authentication working and I can set up roles and was able to limit the
> group so that users can’t access the interpreter page. But I can’t figure
> out how to set the interpreter permissions based on groups. In the
> interpreter permissions I only get auto suggestion of user names. So, a few
> questions:
>
> 1. Has https://github.com/apache/zeppelin/pull/1236 /
>    https://issues.apache.org/jira/browse/ZEPPELIN-1237 actually been
>    implemented? It says it is for notebook permissions but when I try to
>    set notebook permissions I don’t see roles there either
> 2. Is pull 1236 only for notebook permissions? Is it possible that
>    roles based permissions just aren’t implemented for interpreters yet?
> 3. What is the autosuggest even based on? If I try to start typing my
>    first name “Paul” it finds no hits. No hits with my user name “pbrenner”
>    either. But if I type my last name “Brenner” then autosuggest finds me.
> 4. What should be in the [roles] section in shiro.ini? I currently
>    have group name = group name. Should it be group name =*? What does that
>    even mean? Maybe group name = something else?
> See below to see what I have now which may be wrong.
>
> Here is my shiro.ini which I did a lot of guessing to get working. Maybe
> there is an issue in there? Can anyone point me to anything at all that
> might be helpful?
>
> [main]
> ### A sample for configuring Active Directory Realm
> #activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
> activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
> activeDirectoryRealm.systemUsername = *******
> activeDirectoryRealm.systemPassword = ********
> #activeDirectoryRealm.searchBase = CN=Users,OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net
> activeDirectoryRealm.searchBase = OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net
> #activeDirectoryRealm.url = ldaps://corp.placeiq.net:636
> #activeDirectoryRealm.url = ldaps://piq-corp-100.corp.placeiq.net:636
> activeDirectoryRealm.url = ldap://piq-corp-100.corp.placeiq.net
> activeDirectoryRealm.groupRolesMap = "CN=Security Data Science Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_science", "CN=Security Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"engineering", "CN=Security Infrastructure Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"infra", "CN=Security Research & Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"tech_heads", "CN=Security Reporting & Analytics Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"reporting", "CN=Security Product Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"product", "CN=Security Data Operations Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_ops"
> activeDirectoryRealm.authorizationCachingEnabled = true
>
> ### A sample for configuring LDAP Directory Realm
> #ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
> ## search base for ldap groups (only relevant for LdapGroupRealm):
> #ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
> #ldapRealm.contextFactory.url = ldap://ldap.test.com:389
> #ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
> #ldapRealm.contextFactory.authenticationMechanism = SIMPLE
>
> #ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
> #ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
> # search base for ldap groups (only relevant for LdapGroupRealm):
> #ldapRealm.contextFactory.environment[ldap.searchBase] = cn=users,cn=accounts,dc=placeiq,dc=net
> #ldapRealm.contextFactory.url = ldap://ldap.placeiq.net:389
> #ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=placeiq,dc=net
> #ldapRealm.contextFactory.authenticationMechanism = SIMPLE
> #ldapRealm.groupNameAttribute = cn
> #ldapRealm.groupRolesMap = engineering:admin, datascience:
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>
> ### If caching of user is required then uncomment below lines
> #cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> #securityManager.cacheManager = $cacheManager
>
> securityManager.sessionManager = $sessionManager
> # 86,400,000 milliseconds = 24 hour
> securityManager.sessionManager.globalSessionTimeout = 86400000
> shiro.loginUrl = /api/login
>
> securityManager.realm = $activeDirectoryRealm
>
> [roles]
> data_science = data_science
> engineering = engineering
> infra = infra
> tech_heads = tech_heads
> reporting = reporting
>
> [urls]
> # anon means the access is anonymous.
> # authcBasic means Basic Auth Security
> # authc means Form based Auth Security
> # To enforce security, comment the line below and uncomment the next one
> /api/version = anon
> /api/interpreter/** = authc, roles[engineering],roles[infra],roles[tech_heads],roles[data_science]
> #/** = anon
> /** = authc
>
> Paul Brenner
> DATA SCIENTIST
> (217) 390-3033