Hmmm I thought we were able to get ours working like that. Here is how we defined roles:

activeDirectoryRealm.groupRolesMap = "CN=Security Data Science Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_science", "CN=Security Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"engineering", "CN=Security Infrastructure Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"infra", "CN=Security Research & Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"tech_heads", "CN=Security Reporting & Analytics Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"reporting", "CN=Security Product Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"product", "CN=Security Data Operations Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_ops"
activeDirectoryRealm.authorizationCachingEnabled = true
activeDirectoryRealm.principalSuffix = @corp.placeiq.net
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
securityManager.realm = $activeDirectoryRealm

[roles]
data_science = data_science
engineering = engineering
infra = infra
tech_heads = tech_heads
reporting = reporting
product = product

Paul Brenner

On Wed, Jun 28, 2017 at 4:05 PM goutham koneru <goutha...@gmail.com> wrote:

Paul,

I tried it this way and it did not work.
I tried with and without authc.

[roles]
adhdpadm = *

[urls]
/api/version = anon
/** = authc
/api/interpreter/** = authc,roles[adhdpadm]
/api/credential/** = authc,roles[adhdpadm]

Thanks,
Goutham.

On Wed, Jun 28, 2017 at 3:26 PM, goutham koneru <goutha...@gmail.com> wrote:

Thanks Paul. Can you also share how you defined the roles like infra?

--Goutham.

On Wed, Jun 28, 2017 at 3:20 PM, Paul Brenner <pbren...@placeiq.com> wrote:

What happens if you remove authc after /api/interpreter/** ? Our shiro.ini just has:

/api/interpreter/** = roles[engineering],roles[infra],roles[tech_heads],roles[data_science]

Paul Brenner

On Wed, Jun 28, 2017 at 3:11 PM goutham koneru <goutha...@gmail.com> wrote:

Hi,

I've enabled AD authentication by updating shiro.ini - this is just to log in to Zeppelin. I am using HDP 2.6.1 and Zeppelin 0.7.0.

ldapADGCRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0})(|(memberOf=cn=adhdpadm,ou=Groups,ou=Corporate,dc=abccompany,dc=com)(memberOf=cn=adhdpdev,ou=Groups,ou=Corporate,dc=abccompany,dc=com)))

Now people who belong to these groups are able to log in, but all of them have access to edit any interpreters. People who belong to the adhdpdev group should not be able to modify any settings. I have tried with individual users by specifying them in shiro.ini and it worked. But how can I do that with groups? Is it possible?

/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc

Thanks,
Goutham.
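
Added example, not part of the thread and not Zeppelin or Shiro code: Shiro evaluates [urls] patterns in the order they are defined and the first match wins, so a role-restricted rule listed after /** = authc is never consulted. The Python check below (function names are hypothetical; only identical patterns and a trailing /** are analysed) runs over the two rule sets posted above and reports rules that an earlier pattern makes unreachable.

```python
# Added example: flag shiro.ini [urls] rules hidden behind an earlier, broader pattern.
def parse_urls(ini_text):
    """Return the [urls] section as an ordered list of (pattern, chain)."""
    rules, in_urls = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_urls = line.lower() == "[urls]"
        elif in_urls and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), "".join(chain.split())))
    return rules

def covers(earlier, later):
    """True if `earlier` matches every path `later` can (exact or trailing /** only)."""
    prefix = earlier[:-3]
    analysable = earlier.endswith("/**") and "*" not in prefix and "?" not in prefix
    return earlier == later or (analysable and later.startswith(prefix + "/"))

def find_shadowed(ini_text):
    """List (shadowed, shadowing) pattern pairs whose filter chains differ."""
    rules, hits = parse_urls(ini_text), []
    for i, (pattern, chain) in enumerate(rules):
        for earlier, earlier_chain in rules[:i]:
            if covers(earlier, pattern) and earlier_chain != chain:
                hits.append((pattern, earlier))
                break
    return hits

# Rules as posted in the thread ([urls] header added to the first set).
ORIGINAL = """[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc"""
SECOND_ATTEMPT = """[roles]
adhdpadm = *
[urls]
/api/version = anon
/** = authc
/api/interpreter/** = authc,roles[adhdpadm]
/api/credential/** = authc,roles[adhdpadm]"""

if __name__ == "__main__":
    print(find_shadowed(ORIGINAL), find_shadowed(SECOND_ATTEMPT))
```

The first rule set keeps /** last and produces no findings; in the second, both role-restricted rules sit behind /** = authc and are reported.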