just saw this one, appear to be a know bug [ZEPPELIN-2640] Roles are not getting honored from shiro_ini for setting permissions in Zeppelin notebook - ASF JIRA
| | | | [ZEPPELIN-2640] Roles are not getting honored from shiro_ini for setting... | | | On Wednesday, July 26, 2017, 11:13:39 AM PDT, Richard Xin <richardxin...@yahoo.com> wrote: I am facing some hurdle with activeDirectoryRealm.groupRolesMapthe following is the content of my shiro.ini...activeDirectoryRealm.groupRolesMap = "CN=Zeppelin-Admin,OU=Zeppelin,OU=Applications,OU=Groups,DC=directory,DC=[domain_here],DC=com":"admin","CN=ZeppelinZepZeppelinpelin-Devs,OU=Zepplin,OU=Applications,OU=Groups,DC=directory,DC=[domain_here],DC=com":"developer","CN=Zeppelin-Analyst,OU=Zeppelin,OU=Applications,OU=Groups,DC=directory,DC=DC=[domain_here],DC=com":"datascientist" activeDirectoryRealm.authorizationCachingEnabled = falseactiveDirectoryRealm.principalSuffix = @directory.mydomain.com... [roles] admin = * datascientist = *developer = * [urls]uncomment the below urls that you want to hide./api/version = anon /api/interpreter/** = authc, roles[admin]/** = authc My AD account is member of "CN=Zeppelin-Admin,OU=Zeppelin,OU=Applications,OU=Groups,DC=directory,DC=[domain_here],DC=com", but when I login, I saw followings in the log: WARN [2017-07-26 00:14:10,981] ( {qtp1287712235-15} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"richard.xin","ticket":"b681cbbb-8a10-40c8-9ba8-c46ee59efd42","roles":"[]"}} please note roles node is empty, I was expecting "admin" in the role list, does anyone have similar issue? is my config activeDirectoryRealm.groupRolesMap correct? Thanks,Richard Xin