Hey Everyone, I'm new to Zeppelin as of this week. I've managed to build and stand up the 0.6.0-incubating-SNAPSHOT. I've configured Zeppelin to authenticate via Shiro using Active Directory. I'm able to authenticate without issue.

I'm having a problem setting / honoring notebook specific permissions. Based on the documentation, I should be able to specify a user or group for the read, write or ownership permissions ( https://zeppelin.incubator.apache.org/docs/0.6.0-incubating-SNAPSHOT/security/notebook_authorization.html ). This works as expected if I specify a username, but groups and roles do not seem to work.

Error:
Insufficient privileges to write notebook.
Allowed users or roles: [admin, zeppelinWrite]
But the user randerson belongs to: [randerson]

It seems clear that user randerson isn't mapped to any roles or groups (even though he of course is a member of the zeppelinWrite group in AD and as a result also part of the local admin Role). A TCPDUMP reveals that during login, all of my group memberships are in fact returned during the LDAP bind operation. However, when I attempt to modify a notebook, a call is never made to AD to pull back my group memberships. It doesn't seem to look at my local group memberships (/etc/group) either.

I'm guessing I'm misunderstanding a concept(s) and / or missing a config option(s) (although I have tried numerous combinations of everything I can find online). My Shiro.ini is listed below. Any help you can offer is appreciated.

Thanks much,
Rob

-------------------------------------------------------
shiro.ini

[users]

[main]
adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.url = ldap://<server>:389
adRealm.groupRolesMap = "cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,cn=users,dc=company,dc=com":"admin"
adRealm.searchBase = DC=company,DC=com
adRealm.systemUsername= <username>
adRealm.systemPassword= <password>
adRealm.principalSuffix=<@company>
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
securityManager.realms = $adRealm

[roles]
admin = *

[urls]
/api/version = anon
/** = authcBasic
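
An added diagnostic check, not part of the original post and not Zeppelin or Shiro code: it parses the posted `adRealm.groupRolesMap` value and reports which roles a list of `memberOf` DNs would resolve to, flagging roles lost only to DN case or spacing. It assumes the realm looks up each returned group DN as an exact, case-sensitive map key; the `memberOf` values are constructed and all function names are hypothetical.

```python
import re

# Value of adRealm.groupRolesMap as posted in the shiro.ini above.
GROUP_ROLES_MAP = ('"cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,'
                   'cn=users,dc=company,dc=com":"admin"')

# Constructed memberOf values, written the way a directory might return them.
SAMPLE_MEMBER_OF = [
    "CN=zeppelinWrite,OU=Unix Groups,OU=Groups,OU=Accounts,CN=Users,DC=company,DC=com",
    "CN=Domain Users,CN=Users,DC=company,DC=com",
]

def parse_group_roles_map(value):
    """Parse '"<group DN>":"<role>[,<role>]"' pairs into {dn: {roles}}."""
    mapping = {}
    for dn, roles in re.findall(r'"([^"]+)"\s*:\s*"([^"]+)"', value):
        mapping[dn] = {r.strip() for r in roles.split(",") if r.strip()}
    return mapping

def normalize_dn(dn):
    """Lower-case and trim each RDN (simplified: ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def resolve_roles(member_of, mapping, exact=True):
    """Return the roles the map grants for the given memberOf DNs."""
    if not exact:
        mapping = {normalize_dn(k): v for k, v in mapping.items()}
        member_of = [normalize_dn(d) for d in member_of]
    roles = set()
    for dn in member_of:
        roles |= mapping.get(dn, set())
    return roles

def diagnose(member_of, map_value, allowed):
    """Compare exact-match role resolution with a normalized comparison."""
    mapping = parse_group_roles_map(map_value)
    exact = resolve_roles(member_of, mapping, exact=True)
    loose = resolve_roles(member_of, mapping, exact=False)
    return {
        "roles_exact": exact,
        "roles_normalized": loose,
        "near_miss": loose - exact,  # roles lost only to DN case/spacing
        "authorized": bool(exact & set(allowed)),
    }

if __name__ == "__main__":
    # Allowed list taken from the error message in the post.
    print(diagnose(SAMPLE_MEMBER_OF, GROUP_ROLES_MAP, ["admin", "zeppelinWrite"]))
```

A non-empty `near_miss` means the map key and the directory's DN differ only in spelling; an empty `roles_normalized` points instead at the role lookup not receiving the group list at all.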