Done, thanks. https://issues.apache.org/jira/browse/ZEPPELIN-946
On Wed, Jun 1, 2016 at 1:06 PM, Vinay Shukla <vinayshu...@gmail.com> wrote:

> Rob,
>
> It appears to be a bug, can you please file a JIRA to track this?
>
> Thanks,
> Vinay
>
> On Fri, May 27, 2016 at 7:52 AM, Rob Anderson <rockclimbings...@gmail.com> wrote:
>
>> Hey Everyone,
>>
>> I'm new to Zeppelin as of this week. I've managed to build and stand up
>> the *0.6.0-incubating-SNAPSHOT*. I've configured Zeppelin to
>> authenticate via Shiro using Active Directory. I'm able
>> to authenticate without issue.
>>
>> I'm having a problem setting / honoring notebook specific permissions.
>> Based on the documentation, I should be able to specify a user or group for
>> the read, write or ownership permissions
>> (https://zeppelin.incubator.apache.org/docs/0.6.0-incubating-SNAPSHOT/security/notebook_authorization.html).
>> This works as expected if I specify a username, but groups and roles do not
>> seem to work.
>>
>> *Error:*
>> Insufficient privileges to write notebook.
>> Allowed users or roles: [admin, zeppelinWrite]
>> But the user randerson belongs to: [randerson]
>>
>> It seems clear that user randerson isn't mapped to any roles, or groups
>> (even though he of course is a member of the zeppelinWrite group in AD
>> and as a result also part of the local admin Role). A TCPDUMP reveals
>> that during login, all of my group memberships are in fact returned during
>> the ldap bind operation. However, when I attempt to modify a notebook, a
>> call is never made to AD, to pull back my group memberships. It doesn't
>> seem to look at my local group memberships (/etc/group) either.
>>
>> I'm guessing I'm misunderstanding a concept(s) and / or missing a config
>> option(s) (although I have tried numerous combinations of everything I can
>> find online). My Shiro.ini is listed below. Any help you can offer is
>> appreciated.
>>
>> Thanks much,
>>
>> Rob
>> -------------------------------------------------------
>> shiro.ini
>>
>> [users]
>>
>> [main]
>> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
>> adRealm.url = ldap://<server>:389
>> adRealm.groupRolesMap = "cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,cn=users,dc=company,dc=com":"admin"
>> adRealm.searchBase = DC=company,DC=com
>> adRealm.systemUsername= <username>
>> adRealm.systemPassword= <password>
>> adRealm.principalSuffix=<@company>
>>
>> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>> securityManager.sessionManager = $sessionManager
>> securityManager.sessionManager.globalSessionTimeout = 86400000
>> shiro.loginUrl = /api/login
>> securityManager.realms = $adRealm
>> [roles]
>> admin = *
>> [urls]
>> /api/version = anon
>> /** = authcBasic
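
An added example, not part of the thread and not Zeppelin or Shiro code: a Python check of whether group DNs seen at login would resolve to a role through the groupRolesMap quoted above, and whether that role passes the allow-list shown in the error. The MEMBER_OF values are constructed, and the exact string-keyed lookup (exact=True) is an assumption about how map keys are matched.

```python
import re

# groupRolesMap value from the quoted shiro.ini (wrapped line joined).
GROUP_ROLES_MAP = ('"cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,'
                   'cn=users,dc=company,dc=com":"admin"')

# Constructed sample: group DNs as a directory might return them at bind.
MEMBER_OF = [
    "CN=zeppelinWrite,OU=unix groups,OU=groups,OU=accounts,CN=users,DC=company,DC=com",
    "CN=Domain Users,CN=Users,DC=company,DC=com",
]

def parse_group_roles_map(value):
    """Parse '"<group DN>":"<role>[,<role>]"' pairs into {dn: [roles]}."""
    pairs = re.findall(r'"([^"]+)"\s*:\s*"([^"]+)"', value)
    return {dn: [r.strip() for r in roles.split(",") if r.strip()]
            for dn, roles in pairs}

def normalize_dn(dn):
    """Lower-case and trim each RDN so equivalent DNs compare equal.
    Simplification: escaped commas inside RDN values are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={' '.join(val.split()).lower()}")
    return ",".join(parts)

def resolve_roles(member_of, mapping, exact=True):
    """Roles for the given groups; exact=True models a plain string-keyed
    lookup (assumption), exact=False compares normalized DNs."""
    if not exact:
        mapping = {normalize_dn(k): v for k, v in mapping.items()}
        member_of = [normalize_dn(g) for g in member_of]
    roles = set()
    for group in member_of:
        roles.update(mapping.get(group, []))
    return roles

def can_write(user, roles, allowed):
    """Check implied by the error text: user name or any role is allowed."""
    return bool(({user} | set(roles)) & set(allowed))

if __name__ == "__main__":
    mapping = parse_group_roles_map(GROUP_ROLES_MAP)
    allowed = {"admin", "zeppelinWrite"}  # from the error message
    for exact in (True, False):
        roles = resolve_roles(MEMBER_OF, mapping, exact=exact)
        print(f"exact={exact} roles={sorted(roles)} "
              f"write={can_write('randerson', roles, allowed)}")
```

If the roles resolve here for the DNs actually captured at login but the notebook write is still refused, the mapping in shiro.ini is not the cause and the role lookup at permission-check time is.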