Restricting interpreters to users in certain groups


Paul Brenner
I’m trying to limit one group of users to only be able to use a single interpreter on 0.7.1. Is this possible right now? I managed to get AD authentication working and I can set up roles and was able to limit the group so that users can’t access the interpreter page. But I can’t figure out how to set the interpreter permissions based on groups. In the interpreter permissions I only get auto suggestion of user names. So, a few questions:

  1. Has https://github.com/apache/zeppelin/pull/1236 / https://issues.apache.org/jira/browse/ZEPPELIN-1237 actually been implemented? It says it is for notebook permissions, but when I try to set notebook permissions I don’t see roles there either.
  2. Is pull 1236 only for notebook permissions? Is it possible that roles based permissions just aren’t implemented for interpreters yet?
  3. What is the autosuggest even based on? If I try to start typing my first name “Paul” it finds no hits. No hits with my user name “pbrenner” either. But if I type my last name “Brenner” then autosuggest finds me.
  4. What should be in the [roles] section in shiro.ini? I currently have group name = group name. Should it be group name =*? What does that even mean? Maybe group name = something else? See below to see what I have now which may be wrong.

Here is my shiro.ini which I did a lot of guessing to get working. Maybe there is an issue in there? Can anyone point me to anything at all that might be helpful?

[main]
### A sample for configuring Active Directory Realm
#activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = *******
activeDirectoryRealm.systemPassword = ********
#activeDirectoryRealm.searchBase = CN=Users,OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net
activeDirectoryRealm.searchBase = OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net
#activeDirectoryRealm.url = ldaps://corp.placeiq.net:636
#activeDirectoryRealm.url = ldaps://piq-corp-100.corp.placeiq.net:636
activeDirectoryRealm.url = ldap://piq-corp-100.corp.placeiq.net
activeDirectoryRealm.groupRolesMap = "CN=Security Data Science Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_science", "CN=Security Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"engineering", "CN=Security Infrastructure Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"infra", "CN=Security Research & Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"tech_heads", "CN=Security Reporting & Analytics Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"reporting", "CN=Security Product Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"product", "CN=Security Data Operations Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_ops"
activeDirectoryRealm.authorizationCachingEnabled = true


### A sample for configuring LDAP Directory Realm
#ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
#ldapRealm.contextFactory.url = ldap://ldap.test.com:389
#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE

#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
#ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
# search base for ldap groups (only relevant for LdapGroupRealm):
#ldapRealm.contextFactory.environment[ldap.searchBase] = cn=users,cn=accounts,dc=placeiq,dc=net
#ldapRealm.contextFactory.url = ldap://ldap.placeiq.net:389
#ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=placeiq,dc=net
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE
#ldapRealm.groupNameAttribute = cn
#ldapRealm.groupRolesMap = engineering:admin, datascience:

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hours
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

securityManager.realm = $activeDirectoryRealm

[roles]
data_science = data_science
engineering = engineering
infra = infra
tech_heads = tech_heads
reporting = reporting

[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# authc means Form based Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
# Note: Shiro ANDs every filter in a comma-separated chain, so this line admits only
# a user who holds all four roles; each roles[...] entry must pass on its own.
/api/interpreter/** = authc, roles[engineering],roles[infra],roles[tech_heads],roles[data_science]
#/** = anon
/** = authc

Paul Brenner
DATA SCIENTIST
(217) 390-3033  

PlaceIQ:Location Data Accuracy
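As an added example (not code from the post or from Zeppelin), here is a small Python model of how Shiro evaluates the [urls] section above, assuming a simplified Ant matcher and only the anon, authc and roles filters, with roles derived from a two-entry cut of the posted groupRolesMap. It shows that a comma-separated chain is ANDed, so the posted /api/interpreter/** line admits only a user who holds all four roles.

```python
import re
from typing import List, Set, Tuple

# Constructed excerpt of the poster's shiro.ini: two groupRolesMap entries and the [urls] section.
GROUP_ROLES_MAP = {
    "CN=Security Data Science Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net": "data_science",
    "CN=Security Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net": "engineering",
}
URLS_SECTION = """
/api/version = anon
/api/interpreter/** = authc, roles[engineering],roles[infra],roles[tech_heads],roles[data_science]
/** = authc
"""

def roles_for(member_of: List[str]) -> Set[str]:
    """Map a user's AD group DNs to Zeppelin roles the way groupRolesMap does; unmapped groups give nothing."""
    return {GROUP_ROLES_MAP[dn] for dn in member_of if dn in GROUP_ROLES_MAP}

def parse_urls(text: str) -> List[Tuple[str, List[str]]]:
    """Parse [urls] lines into (ant pattern, filter list); commas inside [...] stay with their filter."""
    chains = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, spec = (p.strip() for p in line.split("=", 1))
        chains.append((pattern, re.findall(r"\w+(?:\[[^\]]*\])?", spec)))
    return chains

def ant_match(pattern: str, path: str) -> bool:
    """Simplified Ant-style matching: '**' spans path segments, '*' stays within one segment."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None

def filter_passes(filt: str, authenticated: bool, roles: Set[str]) -> bool:
    name, _, arg = filt.partition("[")
    if name == "anon":
        return True
    if name == "authc":
        return authenticated
    if name == "roles":
        # Shiro's RolesAuthorizationFilter requires ALL roles listed inside the brackets.
        return {r.strip() for r in arg.rstrip("]").split(",")} <= roles
    raise ValueError(f"unsupported filter {filt!r}")

def is_allowed(chains, path: str, authenticated: bool, roles: Set[str]) -> bool:
    """First matching chain wins; every filter in that chain must pass (filters are ANDed)."""
    for pattern, filters in chains:
        if ant_match(pattern, path):
            return all(filter_passes(f, authenticated, roles) for f in filters)
    return True  # no chain matched: Shiro applies no filter to the request

CHAINS = parse_urls(URLS_SECTION)
```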

Re: Restricting interpreters to users in certain groups

moon
Administrator
Thanks for sharing the problem.

Currently, interpreter permissions support only users, not groups/roles, unlike notebook permissions, which support groups, roles and users.

Could you help by creating an issue for it?

Regards,
moon

On Sat, Apr 15, 2017 at 5:07 AM Paul Brenner <[hidden email]> wrote: