Reputation: 311
We've been trying to add the right Shiro configuration to ensure that only a specific AD group can log in, and also to differentiate roles. We got two working solutions, but the first lets in everyone within the Active Directory (though the roles work fine), and the second does not let in everyone, but the roles do not work.
1) This version works for adding roles to the specific CNs, but allows everyone to log in.
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = aduser
activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks
activeDirectoryRealm.searchBase = OU=User Accounts,DC=domain,DC=local
activeDirectoryRealm.url = ldap://AD.domain.local:389
activeDirectoryRealm.groupRolesMap = "CN=admins,OU=User Accounts,DC=domain,DC=local":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.principalSuffix = @domain.local
securityManager.realms = $activeDirectoryRealm
2) This version limits the login to the specified AD group, but does not associate roles with the group.
ldapADGCRealm = org.apache.zeppelin.realm.LdapRealm
ldapADGCRealm.contextFactory.systemUsername = [email protected]
ldapADGCRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelinldap.jceks
ldapADGCRealm.searchBase = "OU=User Accounts,DC=domain,DC=local"
ldapADGCRealm.userSearchBase = "OU=User Accounts,DC=domain,DC=local"
ldapADGCRealm.groupSearchBase = "OU=User Accounts,DC=domain,DC=local"
ldapADGCRealm.groupObjectClass = group
ldapADGCRealm.memberAttribute = memberUid
ldapADGCRealm.groupIdAttribute = cn
ldapADGCRealm.groupSearchEnableMatchingRuleInChain = true
ldapADGCRealm.rolesByGroup = users: admin
ldapADGCRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0})(memberOf=CN=users,OU=User Accounts,DC=domain,DC=local))
ldapADGCRealm.contextFactory.url = ldap://AD.domain.local:389
Any ideas where we go wrong?
Thanks, Andras
Upvotes: 2
Views: 821
Reputation: 26
Better late than never :) Got role-group mapping working using LdapRealm. Needed to set
ldapRealm.userSearchAttributeName = userPrincipalName
ldapRealm.memberAttribute = member
In our case, userPrincipalName is the attribute in AD that contains the full user name we entered ([email protected]), and member is the attribute that stores the members of a group.
Upvotes: 1
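For reference, here is a complete shiro.ini [main] section that combines the questioner's second configuration with the two settings from the answer, so that one LdapRealm both restricts login to a single AD group and maps that group to a Zeppelin role. This is an added example, not the original poster's or the Zeppelin project's own config; the host name, OUs, the service account name and the jceks path are placeholders in the style of the question, and ldaps on 636 is assumed (plain ldap:// on 389 sends the system bind password in clear text). allowedRolesForAuthentication is a property of Zeppelin's LdapRealm documented in its Shiro authentication guide for 0.8 and later; on an older build, keep the memberOf userSearchFilter from the question for the login restriction instead.

```ini
[main]
# Added example (not from the original post): one LdapRealm that restricts
# login to the AD group "users" and maps that group to the Zeppelin role "admin".
ldapRealm = org.apache.zeppelin.realm.LdapRealm

# ldaps on 636 is an assumption; ldap://AD.domain.local:389 would bind in clear text
ldapRealm.contextFactory.url = ldaps://AD.domain.local:636
ldapRealm.contextFactory.authenticationMechanism = simple
# placeholder service account; the bind password lives in the credential store, not in this file
ldapRealm.contextFactory.systemUsername = svc_zeppelin@domain.local
ldapRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelinldap.jceks
ldapRealm.authorizationEnabled = true

# Where to look for users and groups (placeholders from the question)
ldapRealm.searchBase = OU=User Accounts,DC=domain,DC=local
ldapRealm.userSearchBase = OU=User Accounts,DC=domain,DC=local
ldapRealm.groupSearchBase = OU=User Accounts,DC=domain,DC=local
ldapRealm.groupObjectClass = group
ldapRealm.groupIdAttribute = cn

# The two settings from the answer:
# users type user@domain.local at login, which AD stores in userPrincipalName
ldapRealm.userSearchAttributeName = userPrincipalName
# AD stores group members as full DNs in "member"; "memberUid" is the POSIX
# attribute and is empty on AD groups, so no group ever matched before
ldapRealm.memberAttribute = member

# Resolve nested membership with LDAP_MATCHING_RULE_IN_CHAIN (AD only);
# a plain memberOf filter only sees direct members
ldapRealm.groupSearchEnableMatchingRuleInChain = true
ldapRealm.userLowerCase = true

# Group cn (must match groupIdAttribute) -> Zeppelin role
ldapRealm.rolesByGroup = users: admin
# Login is refused unless the principal resolved to at least one of these roles
ldapRealm.allowedRolesForAuthentication = admin

securityManager.realms = $ldapRealm

[urls]
/api/version = anon
# roles[...] here only works once rolesByGroup actually resolves a role
/api/interpreter/** = authc, roles[admin]
/** = authc
```

Two checks worth doing after applying this: log in with an account that is in the group only through a nested group, to confirm the matching-rule-in-chain setting is honoured by your domain controller, and log in with an account outside the group, which must now be rejected at authentication rather than merely landing on a page it has no role for.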