Hi Eyal,

I think using LDAP or AD you can do the mapping between group and role,
while the users section allows you to assign a user to a role, and in the
urls section you can give this role specific permissions.
Are you trying to allow some users to trigger restarts and change the
conf while others cannot?
Using the users and urls sections can provide you with this functionality.

[users]
eyal = eyal, admin
fawze = fawze, member

eyal has a role called admin and fawze has the role member.

[urls]
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]

Only users with the admin role can access the mentioned APIs; if you would
like to allow users with the member role to access these APIs, then you
need to add that in the urls section.

I'm not sure if this is what you are looking for ....

Please monitor the queries that are triggered through Zeppelin and check if
they are passing the user name to Impala, so you can monitor these queries
through Cloudera Manager ...

On Mon, Oct 29, 2018 at 3:11 PM Eyal Hashai <eyal.has...@kenshoo.com> wrote:

>
> Dear Fawze,
> Thanks for taking the time to reply!
> Unfortunately this solution did not work. Can you explain how it assigns
> roles to a group?
> I wouldn't mind having a manually inserted user (e.g. admin\admin) but
> Zeppelin doesn't seem to start if you have both LDAP and [user] configured.
>
> Thank you.
>
>
>
> On Mon, Oct 29, 2018 at 12:36 PM Fawze Abujaber <fawz...@gmail.com> wrote:
>
>> Hi Eyal,
>>
>> I think this should be your search base:
>>
>> ldapRealm.groupSearchBase = "OU=OpenstackGroups,DC=kenshooprd,DC=local"
>>
>>
>> and you should comment out
>> ldapRealm.rolesByGroup = bigdata: admin
>>
>> On Mon, Oct 29, 2018 at 12:21 PM Eyal Hashai <eyal.has...@kenshoo.com>
>> wrote:
>>
>>>
>>> Hello,
>>> I've connected my Zeppelin server via LDAP for user authentication.
>>> This works fine for auth; the problem is that I can't figure out how roles
>>> are attached to a user. I need to set the "bigdata" group as admins.
>>> Over the past week I have tried many different configurations and
>>> searched online for a solution without success.
>>>
>>> Does anyone have experience with this?
>>> Any information or link would be highly appreciated!
>>>
>>> Thank you
>>>
>>> *shiro.ini:*
>>>
>>> ### A sample for configuring LDAP Directory Realm
>>> ldapRealm = org.apache.zeppelin.realm.LdapRealm
>>> ldapRealm.contextFactory.url = ldap://1.2.3.4:389
>>> ldapRealm.userDnTemplate = {0}@kenshooprd.local
>>> ldapRealm.contextFactory.authenticationMechanism = simple
>>> ldapRealm.contextFactory.systemUsername = "ldap@kenshooprd.local"
>>> ldapRealm.contextFactory.systemPassword = XXXXXXX
>>> ldapRealm.authorizationEnabled = true
>>> ldapRealm.rolesByGroup = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
>>> ldapRealm.rolesByGroup = bigdata: admin
>>> ldapRealm.groupSearchBase = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
>>> securityManager.realms = $ldapRealm
>>> ldapRealm.groupSearchEnableMatchingRuleInChain = true
>>>
>>>
>>> *Logs:*
>>>
>>> TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login}
>>> ThreadContext.java[get]:126) - get() - in thread [qtp1418428263-15 -
>>> /api/login]
>>> TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login}
>>> ThreadContext.java[get]:133) - Retrieved value of type
>>> [org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
>>> [org.apache.shiro.util.ThreadContext_SUBJECT_KEY]
>>>  bound to thread [qtp1418428263-15 - /api/login]
>>> TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login}
>>> DelegatingSubject.java[getSession]:317) - attempting to get session; create
>>> = false; session is null = false; session has id = true
>>> TRACE [2018-10-29 09:45:40,172] ({qtp1418428263-15 - /api/login}
>>> AbstractValidatingSessionManager.java[doGetSession]:116) - Attempting to
>>> retrieve session with key
>>> org.apache.shiro.web.session.mgt.WebSessionKey@2573f425
>>>  WARN [2018-10-29 09:45:40,175] ({qtp1418428263-15 - /api/login}
>>> LoginRestApi.java[postLogin]:206) -
>>> {"status":"OK","message":"","body":{"principal":"eyalh","ticket":"217d1409-f078-4424-bf8b-ccbef561d817",
>>> "roles":"[]"}}
>>> DEBUG [2018-10-29 09:45:40,177] ({qtp1418428263-15 - /api/login}
>>> HttpConnection.java[process]:657) -
>>> org.eclipse.jetty.server.HttpConnection$SendCallback@1e3b792a[PROCESSING][i=ResponseInfo{HTTP/1.1
>>> 200 OK,118,false},cb=org.eclipse.jetty
>>> .server.HttpChannel$CommitCallback@1eabc124] generate: NEED_HEADER
>>> (null,[p=0,l=118,c=8192,r=118],true)@START
>>> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
>>> Parser.java[parse]:257) - SERVER Parsed Frame:
>>> TEXT[len=109,fin=true,rsv=...,masked=true]
>>>
>>> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
>>> Parser.java[notifyFrame]:186) - SERVER Notify
>>> ExtensionStack[queueSize=0,extensions=[],incoming=org.eclipse.jetty.websocket.common.WebSocketSession,outgoing=org.eclipse.jetty.websocket.server.WebSocketServerConnection]
>>> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
>>> AbstractEventDriver.java[incomingFrame]:103) -
>>> incomingFrame(TEXT[len=109,fin=true,rsv=...,masked=true])
>>> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
>>> NotebookServer.java[onMessage]:160) - RECEIVE << LIST_CONFIGURATIONS,
>>> RECEIVE PRINCIPAL << eyalh, RECEIVE TICKET <<
>>> 217d1409-f078-4424-bf8b-ccbef561d817, *RECEIVE ROLES << []*, RECEIVE
>>> DATA << null
>>> TRACE [2018-10-29 09:45:40,328] ({qtp1418428263-12}
>>> NotebookServer.java[onMessage]:167) - RECEIVE MSG = Message{data=null,
>>> op=LIST_CONFIGURATIONS}
>>> DEBUG [2018-10-29 09:45:40,335] ({qtp1418428263-12}
>>> WebSocketRemoteEndpoint.java[sendString]:385) - sendString with
>>> HeapByteBuffer@5710df12[p=0,l=6199,c=6199,r=6199]={<<<{\n  "op":
>>> "CONFIG...  "roles": ""\n}>>>}
>>> DEBUG [2018-10-29 09:45:40,337] ({qtp1418428263-12}
>>> ExtensionStack.java[outgoingFrame]:288) - Queuing
>>> TEXT[len=6199,fin=true,rsv=...,masked=false]
>>>
>>>
>>> *LDAP settings for user:*
>>>
>>> [root@ecstgbhdp02-zeppelin conf]# ldapsearch -x -LLL -h 1.2.3.4 -D
>>> ldap@kenshooprd.local -w xxxxx -b
>>> "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local"
>>> dn: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
>>> objectClass: top
>>> objectClass: group
>>> cn: bigdata
>>> member: CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local
>>> distinguishedName: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
>>> instanceType: 4
>>> whenCreated: 20161129171457.0Z
>>> whenChanged: 20181004121722.0Z
>>> uSNCreated: 93111898
>>> uSNChanged: 276782631
>>> name: bigdata
>>> objectGUID:: bBMye2mox0+hDkddqds1+g==
>>> objectSid:: AQUAAAAAAAUVAAAAMtw+IXjVu14XG9q7IEEAAA==
>>> sAMAccountName: bigdata
>>> sAMAccountType: 268435456
>>> groupType: -2147483646
>>> objectCategory:
>>> CN=Group,CN=Schema,CN=Configuration,DC=kenshooprd,DC=local
>>> dSCorePropagationData: 20170723142935.0Z
>>> dSCorePropagationData: 20170723142620.0Z
>>> dSCorePropagationData: 16010101000417.0Z
>>>
>>>
>>>
>>> --
>>>
>>>
>>> *[ Eyal Hashai ]*
>>> Database Administrator - Big Data Team  // *Kenshoo*
>>> *Office* +972 (3) 746-6500 x552 // *Mobile* +972 (50) 404-0473
>>> eyal.has...@kenshoo.com
>>> _______________________________________
>>> *www.Kenshoo.com* <http://kenshoo.com/>
>>>
>>> This e-mail, as well as any attached document, may contain material
>>> which is confidential and privileged and may include trademark, copyright
>>> and other intellectual property rights that are proprietary to Kenshoo Ltd,
>>>  its subsidiaries or affiliates ("Kenshoo"). This e-mail and its
>>> attachments may be read, copied and used only by the addressee for the
>>> purpose(s) for which it was disclosed herein. If you have received it in
>>> error, please destroy the message and any attachment, and contact us
>>> immediately. If you are not the intended recipient, be aware that any
>>> review, reliance, disclosure, copying, distribution or use of the contents
>>> of this message without Kenshoo's express permission is strictly prohibited.
>>
>>
>>
>> --
>> Take Care
>> Fawze Abujaber
>>
>
>
> --
>
>
> *[ Eyal Hashai ]*
> Database Administrator - Big Data Team  // *Kenshoo*
> *Office* +972 (3) 746-6500 x552 // *Mobile* +972 (50) 404-0473
> eyal.has...@kenshoo.com
> _______________________________________
> *www.Kenshoo.com* <http://kenshoo.com/>
>



-- 
Take Care
Fawze Abujaber
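For readers arriving at this thread with the same problem, here is a complete conf/shiro.ini that puts the pieces discussed above together: an LdapRealm against Active Directory, the group-to-role mapping that turns membership in the AD group bigdata into the Zeppelin role admin, and the [urls] section that limits the interpreter, configuration and credential APIs to that role. This is an added example, not the configuration posted in the thread and not code from the Zeppelin project. It reuses the host, DNs and group name from the thread; LDAP_BIND_PASSWORD is a placeholder; the ldapRealm.* property names follow the LdapRealm settings documented for Zeppelin 0.8, and it assumes that, with userSearchBase and userSearchAttributeName set, the realm resolves the login name to the user's DN before matching it against the group's member values (the ldapsearch output above shows those values hold "CN=Eyal Hashai,CN=Users,...", not the login name "eyalh", so a template built from the login name alone cannot match). Two differences from the posted config are marked inline: groupSearchBase names the container that holds the groups rather than the group entry itself, and rolesByGroup is defined once, keyed by the group's short name.

```ini
# Added example (not the thread's configuration, not Zeppelin project code).
# Assumptions: host 1.2.3.4 and the kenshooprd.local DNs come from the thread;
# LDAP_BIND_PASSWORD is a placeholder; property names follow the Zeppelin 0.8
# LdapRealm documentation.

[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://1.2.3.4:389
ldapRealm.contextFactory.authenticationMechanism = simple
# Bind credentials are stored in clear text here: keep this file readable by
# the Zeppelin service account only.
ldapRealm.contextFactory.systemUsername = ldap@kenshooprd.local
ldapRealm.contextFactory.systemPassword = LDAP_BIND_PASSWORD
ldapRealm.userDnTemplate = {0}@kenshooprd.local

ldapRealm.authorizationEnabled = true
# Resolve the login name (sAMAccountName, e.g. eyalh) to the user's DN so it
# can be compared with the group's "member" attribute values.
ldapRealm.userSearchBase = CN=Users,DC=kenshooprd,DC=local
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.userObjectClass = person
ldapRealm.userLowerCase = true

# Container that holds the groups, not the group entry itself.
# Posted value was: "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
ldapRealm.groupSearchBase = OU=OpenstackGroups,DC=kenshooprd,DC=local
ldapRealm.groupObjectClass = group
ldapRealm.memberAttribute = member
# Nested AD groups via LDAP_MATCHING_RULE_IN_CHAIN.
ldapRealm.groupSearchEnableMatchingRuleInChain = true

# Group short name (cn) -> Zeppelin role. Define this once.
# Posted config had two definitions, one keyed by the full group DN.
ldapRealm.rolesByGroup = bigdata: admin
ldapRealm.permissionsByRole = admin = *
# Optional: uncomment to refuse login to users whose groups map to no listed
# role. Left commented so that non-bigdata users can still log in.
#ldapRealm.allowedRolesForAuthentication = admin

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
securityManager.realms = $ldapRealm

[roles]
admin = *

[urls]
/api/version = anon
# Any authenticated user may restart an interpreter from a notebook; remove
# this line to make restarts admin-only through the rule below.
/api/interpreter/setting/restart/** = authc
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
```

The quick check is the one the thread's own log already exposes: the /api/login response logged by LoginRestApi carries a "roles" field, which reads "[]" above. With the mapping working, a member of bigdata gets "roles":"[admin]" in that response and the RECEIVE ROLES line in NotebookServer shows the same; a user outside the group still logs in but is refused on the roles[admin] URLs. Rules in [urls] are matched first-match-wins, so the admin-only entries must stay above the catch-all /** = authc line.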