Github user prabhjyotsingh commented on the issue:
https://github.com/apache/zeppelin/pull/986
Hi @rja1,
I see two issues in your request:
1. Your AD requires you to pass @domainName; I understand that in some
cases, depending on how you have configured AD, it requires you to pass
"@domainName". And in your case this seems to be the issue, and hence when you
pass randerson with @company.com, it works.
2. Roles are not being assigned to the user; for this, here is what I
recommend:
* make sure you have something like this configured in your shiro.ini
```
activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
```
* and corresponding to each group you have a roles entry in shiro.ini
```
[roles]
admin = *
hr = *
finance = *
group1 = *
```
For your reference, here is my shiro.ini, and on this configured AD server
both `zeppelin` and `[email protected]` users work fine. Let me know if
this resolves the issue.
```
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.principalSuffix = @SUB.MYDOMAIN.COM
activeDirectoryRealm.systemUsername = manager
activeDirectoryRealm.systemPassword = TestUser123
activeDirectoryRealm.searchBase = CN=Users,DC=SUB,DC=MYDOMAIN,DC=COM
activeDirectoryRealm.url = ldap://mydomain.com:389
activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SUB,DC=MYDOMAIN,DC=COM":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[roles]
admin = *
[urls]
/api/version = anon
/** = authc
```
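Added example, not part of the comment above and not Zeppelin or Shiro code: a small Python check for the second recommendation, comparing the roles named in `activeDirectoryRealm.groupRolesMap` with the `[roles]` section of a shiro.ini. The function names and the sample file are constructed for illustration, and the check assumes the map sits on a single line.

```python
import re

# Constructed sample in the shape of the shiro.ini above: "finance" is mapped
# from an AD group but has no [roles] entry, and "group1" is never mapped.
SAMPLE_INI = '''
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SUB,DC=MYDOMAIN,DC=COM":"admin","CN=finance,OU=groups,DC=SUB,DC=MYDOMAIN,DC=COM":"finance"
[roles]
admin = *
group1 = *
[urls]
/** = authc
'''

def parse_sections(text):
    """Split INI text into {section: {key: value}}, skipping comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def check_role_mapping(text, realm="activeDirectoryRealm"):
    """Compare roles named in <realm>.groupRolesMap with the [roles] section."""
    sections = parse_sections(text)
    raw_map = sections.get("main", {}).get(realm + ".groupRolesMap", "")
    # Entries look like "<group DN>":"<role>", separated by commas; DNs contain
    # commas themselves, so match quoted pairs instead of splitting on ",".
    pairs = re.findall(r'"([^"]+)"\s*:\s*"([^"]+)"', raw_map)
    mapped = {role for _dn, role in pairs}
    defined = set(sections.get("roles", {}))
    return {
        "groups": dict(pairs),
        "mapped_without_roles_entry": sorted(mapped - defined),
        "roles_entry_never_mapped": sorted(defined - mapped),
    }

if __name__ == "__main__":
    for name, value in check_role_mapping(SAMPLE_INI).items():
        print(name, "=", value)
```

A non-empty `mapped_without_roles_entry` list is the case the comment's second bullet addresses; `roles_entry_never_mapped` is informational only.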