I am attempting to restrict access to Zeppelin based on an AD group or organizational unit. However, I am unsuccessful with my configuration.
I have an Active Directory implemented using Simple AD in AWS, and the domain is called corp.example.com.
I created three users, two groups, and one organizational unit.
The groups are called Access and NoAccess. The users are called AccessUser1, NoAccessUser1, and AccessOrgUser1. The organizational unit is called AccessOrg.
AccessUser1 is a memberOf Access. NoAccessUser1 is a memberOf NoAccess. AccessOrgUser1 is created under the OU AccessOrg.
I am able to log in using any user with the following configuration:
```
### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
ldapRealm.contextFactory.url = ldap://<UrlHere>
ldapRealm.contextFactory.authenticationMechanism = simple
```
I am unable to log in using any user with the following configuration:
```
### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = ou=Users,dc=CORP,dc=EXAMPLE,dc=COM
ldapRealm.contextFactory.url = ldap://<UrlHere>
ldapRealm.userDnTemplate = uid={0},ou=Users,dc=CORP,dc=EXAMPLE,dc=COM
ldapRealm.contextFactory.authenticationMechanism = simple
```
You do not need to configure [users] or [roles], as those are for basic authentication.
You will need to configure the activedirectoryrealm options and the ldaprealm options (referring to: https://zeppelin.apache.org/docs/0.6.2/security/shiroauthentication.html#5-groups-and-permissions-optional).
Change
uid={0},ou=Users,dc=CORP,dc=EXAMPLE,dc=COM
to
CN={0},ou=Users,dc=CORP,dc=EXAMPLE,dc=COM
You will also need to populate activeDirectoryRealm.systemUsername and activeDirectoryRealm.systemPassword.
This will allow you to designate groups from your AD that can login.
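A sketch of the kind of shiro.ini the answer points toward, added here as an example; it is not from the original posts or the Zeppelin project. The role name `zeppelin_access`, the bind account and group container placeholders, the `principalSuffix` line, and the realm class living in the same `org.apache.zeppelin.realm` package as the question's `LdapGroupRealm` are assumptions.

```ini
[main]
# Active Directory realm that binds with a service (system) account so group
# membership can be looked up, as the answer suggests.
# Assumption: same package as the question's LdapGroupRealm class.
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldap://<UrlHere>

# Placeholders: use a dedicated account that can only read the directory.
# systemPassword is stored in clear text here, so restrict read access on
# shiro.ini to the account that runs Zeppelin.
activeDirectoryRealm.systemUsername = <BindAccountHere>
activeDirectoryRealm.systemPassword = <BindPasswordHere>

activeDirectoryRealm.searchBase = dc=CORP,dc=EXAMPLE,dc=COM
# Assumption: lets users log in with the short name instead of user@domain.
activeDirectoryRealm.principalSuffix = @corp.example.com

# Map the AD group's full DN to a Shiro role. The container that holds the
# Access group is not given on the page, so it stays a placeholder.
activeDirectoryRealm.groupRolesMap = "CN=Access,<GroupContainerHere>,dc=CORP,dc=EXAMPLE,dc=COM":"zeppelin_access"

# Re-evaluate membership on each request so that removing a user from the
# group takes effect without waiting for a cache to expire.
activeDirectoryRealm.authorizationCachingEnabled = false

[urls]
/api/version = anon
# Authentication alone admits every directory user; the roles[] filter is
# what limits access to members of the mapped group.
/** = authc, roles[zeppelin_access]
```

With `ldap://` and simple authentication, both the bind account's password and each user's password cross the network unencrypted, so the connection to the directory should stay on a trusted network segment or go through a TLS-protected endpoint where one is available.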