Hi,

We've been trying to add the right shiro configuration to ensure that only a specific AD group can log in, and also to differentiate roles. We got two working solutions, but the first lets in everyone within the Active Directory (though the roles work fine), and the second does not let in everyone but the roles do not work.

1) This version works for adding roles to the specific CNs but allows everyone to log in:

activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = aduser
activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks
activeDirectoryRealm.searchBase = OU=User Accounts,DC=domain,DC=local
activeDirectoryRealm.url = ldap://AD.domain.local:389
activeDirectoryRealm.groupRolesMap = "CN=admins,OU=User Accounts,DC=domain,DC=local":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.principalSuffix = @domain.local
securityManager.realms = $activeDirectoryRealm

2) This version limits the login to the specified AD group, but does not associate roles with the group:

ldapADGCRealm = org.apache.zeppelin.realm.LdapRealm
ldapADGCRealm.contextFactory.systemUsername = aduser@domain.local
ldapADGCRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelinldap.jceks
ldapADGCRealm.searchBase = "OU=User Accounts,DC=domain,DC=local"
ldapADGCRealm.userSearchBase = "OU=User Accounts,DC=domain,DC=local"
ldapADGCRealm.groupSearchBase = "OU=User Accounts,DC=domain,DC=local"
ldapADGCRealm.groupObjectClass = group
ldapADGCRealm.memberAttribute = memberUid
ldapADGCRealm.groupIdAttribute = cn
ldapADGCRealm.groupSearchEnableMatchingRuleInChain = true
ldapADGCRealm.rolesByGroup = users: admin
ldapADGCRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0})(memberOf=CN=users,OU=User Accounts,DC=domain,DC=local))
ldapADGCRealm.contextFactory.url = ldap://AD.domain.local:389

Related posts:
https://community.hortonworks.com/questions/54896/zeppelin-ad-users-not-binded-to-groups.html
https://community.hortonworks.com/questions/82135/how-to-limit-access-to-zeppelin-webui-based-for-sp.html

Any ideas where we go wrong?

Thanks,
Andras
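Editor's note, added here and not part of Andras's post or any reply to it: the second realm again, with the two settings that, going by the LdapRealm section of Zeppelin's shiro_authentication documentation, are the first things to check when the login gate works but the role set comes back empty. Host, DNs and the jceks path are the post's own placeholders and are kept as posted; the [urls] section and the `allowedRolesForAuthentication` line are assumptions about how the resulting admin role is meant to be enforced, not something the post states.

```ini
[main]
ldapADGCRealm = org.apache.zeppelin.realm.LdapRealm
ldapADGCRealm.contextFactory.url = ldap://AD.domain.local:389
ldapADGCRealm.contextFactory.systemUsername = aduser@domain.local
ldapADGCRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelinldap.jceks

# 1) Without this the Zeppelin LdapRealm never performs the group lookup at
#    all, so rolesByGroup is never consulted and every user ends up with no
#    roles. The posted config does not set it.
ldapADGCRealm.authorizationEnabled = true

ldapADGCRealm.searchBase = "OU=User Accounts,DC=domain,DC=local"
ldapADGCRealm.userSearchBase = "OU=User Accounts,DC=domain,DC=local"
ldapADGCRealm.groupSearchBase = "OU=User Accounts,DC=domain,DC=local"
# The memberOf clause is what currently gates login; kept as posted.
ldapADGCRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0})(memberOf=CN=users,OU=User Accounts,DC=domain,DC=local))

ldapADGCRealm.groupObjectClass = group
ldapADGCRealm.groupIdAttribute = cn
# 2) Active Directory group objects store membership as full DNs in the
#    "member" attribute. "memberUid" is the POSIX (posixGroup) attribute and
#    does not exist on AD groups, so the chained group search
#    (member:1.2.840.113556.1.4.1941:=<user DN>) matches nothing.
ldapADGCRealm.memberAttribute = member
ldapADGCRealm.groupSearchEnableMatchingRuleInChain = true

# cn of the AD group -> Zeppelin role name
ldapADGCRealm.rolesByGroup = users: admin
# Assumed addition: once groups resolve, this is the realm's own login gate
# (only principals that mapped to a listed role may authenticate). It depends
# on the group lookup above working; the memberOf filter still applies.
ldapADGCRealm.allowedRolesForAuthentication = admin

securityManager.realms = $ldapADGCRealm

[urls]
# Assumed: a role only restricts anything if a URL filter requires it.
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
```

A quick way to confirm which of the two is at fault before touching shiro.ini is to run the group query the realm would issue by hand, e.g. with ldapsearch bound as aduser, against the group search base with the filter `(&(objectclass=group)(member=<the user's full DN>))`; if that returns CN=users but Zeppelin still shows no roles, the missing `authorizationEnabled` is the remaining suspect.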