33 changes: 33 additions & 0 deletions conf/shiro.ini.template
Expand Up @@ -14,6 +14,39 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Zeppelin uses Shiro to configure Security.
# The security configuration is controlled by shiro.ini. Zeppelin inclues
# a shiro.ini.template file in the conf folder. To enable security, start by making a copy of
# this file.
# cp conf/shiro.ini.template conf/shiro.ini
# The first step of security is Authentication.
# To enable authentication, you need to configure authc as the authentication method in
# the URL section of shiro.ini. Make sure the shiro.ini has "/** = authc" line uncommented
# in the URL section. To disable anonymous access to Zeppelin ensure "/** = anon" is
# commented out. Once authentication is enabled, the next step of security is to configure
# the source of users. To test Zeppelin authentication, you can use [users] section to
# define users who can log in to Zeppelin.
# So far Zeppelin only supports LDAP bind method to authenticate end users. It does not
# yet support LDAP Compare to authenticate end users.
# To leverage ActiveDirectory as source of users to Zeppelin, enable activeDirectoryRealm
# in [main] section. To user any other LDAP including OpenLdap, user ldapRealm in the
# [main] section.
# Once authentication is configured, you may want to limit who can configure Zeppelin
# interpreters. To put access control on Zeppelin interpreters and credential UI,
# uncomment the following lines in [urls] section
# "/api/interpreter/** = authc, roles[admin]
# /api/configurations/** = authc, roles[admin]
# /api/credential/** = authc, roles[admin]"
# The above configuration will limit the ability to configure interpreters, configurations
# and credentials UI to "admin" role. Now the next step is to define who is in "admin"
# role. To map "admin" role to certain groups in Active Directory or LDAP user
# activeDirectoryRealm.groupRolesMap or ldapRealm.groupRolesMap property and define the
# distinguished names of LDAP groups. This gives only defined LDAP groups the ability to
# configure interpreters, configurations and credential UI features.
# The next step of security could be to put access control on Zeppelin Notes. To enable
# note level access control, you first need to define activeDirectoryRealm.searchBase or
# ldapRealm.searchBase. The value of this property controls where in LDAP Zeppelin will look
# for users and groups.

[users]
# List of users with their password allowed to access Zeppelin.
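Review bot: the [urls] guidance in the new header comment (the three `roles[admin]` lines) leaves out that Shiro evaluates [urls] entries in order and applies the first pattern that matches, so `/api/interpreter/** = authc, roles[admin]` and its two siblings only take effect if they are placed above the catch-all `/** = authc`; placed below it, the admin role check never runs. Please state the ordering requirement next to the snippet. The snippet's quoting is also unbalanced (`"` opens on the `/api/interpreter/**` line and closes on the `/api/credential/**` line), which reads as if only the first line were quoted; dropping the quotes would be clearer. Typos: "inclues" -> "includes", "To user any other LDAP" -> "To use any other LDAP", and "LDAP user activeDirectoryRealm.groupRolesMap" -> "LDAP, use activeDirectoryRealm.groupRolesMap". Since the [users] section keeps each user's password directly in the ini file, the sentence recommending [users] for testing authentication should add that the section is for testing only and should be emptied before a production deployment.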
38 changes: 36 additions & 2 deletions docs/security/shiroauthentication.md
Expand Up @@ -24,9 +24,43 @@ limitations under the License.
<div id="toc"></div>

## Overview
[Apache Shiro](http://shiro.apache.org/) is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. In this documentation, we will explain step by step how Shiro works for Zeppelin notebook authentication.
[Apache Shiro](http://shiro.apache.org/) is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Zeppelin uses Apache Shiro to provide authentication and authorization (AKA access control). This documentation provides detailed steps to configure Shiro to enable authentication to Zeppelin notebook.

When you connect to Apache Zeppelin, you will be asked to enter your credentials. Once you logged in, then you have access to all notes including other user's notes.
The first step of security is Authentication. After authentication is enabled, upon connection to Apache Zeppelin, it prompts for credentials.

To enable authentication, you need to configure authc as the authentication method in
the URL section of shiro.ini. Ensure that shiro.ini has "/** = authc" line is uncommented
in the URL section. To disable anonymous access to Zeppelin ensure "/** = anon" is
commented out. Once authentication is enabled, the next step of security is to configure
the source of users. To test Zeppelin authentication, you can use [users] section to
define test users who can log in to Zeppelin.

Zeppelin also supports LDAP or Active Directory as source of users who can authenticate to
Zeppelin. So far Zeppelin only supports LDAP bind method to authenticate end users. It does not
yet support LDAP Compare to authenticate end users.

To leverage ActiveDirectory as source of users to Zeppelin, enable activeDirectoryRealm
in [main] section. To use any other LDAP including OpenLdap, use ldapRealm in the
[main] section.

Once authentication is configured, you may want to limit who can configure Zeppelin
interpreters. To put access control on Zeppelin interpreters and credential UI,
uncomment the following lines in [urls] section
```
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
```
The above configuration will limit the ability to configure interpreters, configurations
and credentials UI to "admin" role. Now the next step is to define who is in "admin"
role. To map "admin" role to certain groups in Active Directory or LDAP user
activeDirectoryRealm.groupRolesMap or ldapRealm.groupRolesMap property and define the
distinguished names of LDAP groups. This gives only defined LDAP groups the ability to
configure interpreters, configurations and credential UI features.
The next step of security could be to put access control on Zeppelin Notes. To enable
note level access control, you first need to define activeDirectoryRealm.searchBase or
ldapRealm.searchBase. The value of this property controls where in LDAP Zeppelin will look
for users and groups.

## Security Setup
You can setup **Zeppelin notebook authentication** in some simple steps.
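Review bot: the same [urls] ordering caveat applies to the fenced block here: `/api/interpreter/** = authc, roles[admin]` and the two lines below it must sit above `/** = authc` in [urls], because Shiro's filter chain is first-match, so the doc should say where the lines go, not only that they should be uncommented. The paragraph alternates between "the URL section" and "[urls] section"; use the literal `[urls]` throughout. Markdown: the fence that follows "uncomment the following lines in [urls] section" has no blank line before it, no language tag (`ini` would do), and the closing fence runs straight into the next paragraph; add blank lines around the block so it renders reliably. Grammar: "Ensure that shiro.ini has "/** = authc" line is uncommented" -> "Ensure that the "/** = authc" line in shiro.ini is uncommented". This text duplicates the header comment added to conf/shiro.ini.template nearly verbatim, and the two copies already differ ("To user" there versus "To use" here); keeping the full explanation in this doc and pointing to it from the template would stop them drifting further.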