mirror of
https://github.com/apache/zeppelin
synced 2026-05-24 09:38:26 +00:00
### What is this PR for? Error: Insufficient privileges to write notebook. Allowed users or roles: [admin, zeppelinWrite] But the user randerson belongs to: [randerson] It's seems clear that user randerson isn't mapped to any roles, or groups (even though he of course is a member of the zeppelinWrite group in AD and as a result also part of the local admin Role). A TCPDUMP reveals that during login, all of my group memberships are in fact returned during the ldap bind operation. However, when I attempt to modify a notebook, a call is never made to AD, to pull back my group memberships. It doesn't seem to look at my local group memberships (/etc/group) either. ### What type of PR is it? [Bug Fix] ### Todos * [x] - fix for permissions not honoring group * [x] - read roles from shiro.ini * [x] - at times group name was displaying instead of user/principal name. * [x] - doc ### What is the Jira issue? [ZEPPELIN-946](https://issues.apache.org/jira/browse/ZEPPELIN-946) ### Screenshots/How should this be tested? Use one of the following setting for IniRealm, LDAP or AD in shiro.ini [main] admin = password1, admin finance1 = finance1, finance finance2 = finance2, finance hr1 = hr1, hr hr2 = hr2, hr activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm activeDirectoryRealm.systemUsername = userNameA activeDirectoryRealm.systemPassword = passwordA activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM activeDirectoryRealm.url = ldap://ldap.test.com:389 activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr" activeDirectoryRealm.authorizationCachingEnabled = false ldapRealm = org.apache.zeppelin.server.LdapGroupRealm # search base for ldap groups (only relevant for LdapGroupRealm): ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM ldapRealm.contextFactory.url = ldap://ldap.test.com:389 ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM ldapRealm.contextFactory.authenticationMechanism = SIMPLE [roles] admin = * hr = * finance = * group1 = * [urls] /api/version = anon /** = authc Login as user1 (say finance1), and set a permission of a notebook as "finance" <img width="1282" alt="screen shot 2016-06-11 at 9 50 32 am" src="https://cloud.githubusercontent.com/assets/674497/15983178/aad710ee-2fbc-11e6-861d-508ecc8c7b74.png"> Save setting <img width="1281" alt="screen shot 2016-06-11 at 9 51 05 am" src="https://cloud.githubusercontent.com/assets/674497/15983180/aad86ea8-2fbc-11e6-8b68-4571496ec733.png"> Now logout and login as user2 (say finance2) which belong to the same group as above "finance", verify that you have access to the same notebook. <img width="1282" alt="screen shot 2016-06-11 at 9 51 25 am" src="https://cloud.githubusercontent.com/assets/674497/15983181/aad9a78c-2fbc-11e6-8a41-a3dc108cabdc.png"> Logout and login again, this time as a user that does not belong to the group "finance", a user say hr1. Verify that this user does not have permission to view the same notebook. <img width="1281" alt="screen shot 2016-06-11 at 9 51 42 am" src="https://cloud.githubusercontent.com/assets/674497/15983179/aad7794e-2fbc-11e6-9002-f7b0fc54ac59.png"> ### Questions: * Does the licenses files need update? no * Is there breaking changes for older versions? no * Does this needs documentation? no Author: Prabhjyot Singh <prabhjyotsingh@gmail.com> Closes #986 from prabhjyotsingh/ZEPPELIN-946 and squashes the following commits: |
||
|---|---|---|
| .. | ||
| authentication.md | ||
| interpreter_authorization.md | ||
| notebook_authorization.md | ||
| shiroauthentication.md | ||