#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
{% if not cdh_zeppelin_ldap_enabled %}
admin = {{ cdh_zeppelin_admin_password | default('admin') }}, admin
{% endif %}
# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
{% if cdh_zeppelin_ldap_enabled %}
{% if cdh_zeppelin_ldap_advanced_config %}
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = {{ cdh_zeppelin_ldap_url }}
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.systemUsername = {{ cdh_zeppelin_ldap_bind_u }}
ldapRealm.contextFactory.systemPassword = {{ cdh_zeppelin_ldap_bind_pwd }}
ldapRealm.authorizationEnabled = true
#ldapRealm.userDnTemplate = {{ cdh_zeppelin_username_pattern }}
# Ability to set ldap paging Size if needed default is 100
#ldapRealm.pagingSize = 200
#ldapRealm.searchBase = {{ cdh_zeppelin_ldap_search_base }}
ldapRealm.userSearchBase = {{ cdh_zeppelin_ldap_users_base }}
ldapRealm.userObjectClass = {{ cdh_zeppelin_user_objectclass }}
ldapRealm.groupSearchBase = {{ cdh_zeppelin_ldap_group_base }}
ldapRealm.groupObjectClass = {{ cdh_zeppelin_ldap_group_obj_class }}
ldapRealm.groupSearchFilter = '{{ cdh_zeppelin_group_search_filter }}'
# Allow userSearchAttribute to be customized
ldapRealm.userSearchAttributeName = {{ cdh_zeppelin_ldap_user_attr }}
ldapRealm.memberAttribute = {{ cdh_zeppelin_ldap_member_attr }}
# force usernames returned from ldap to lowercase useful for AD
#ldapRealm.userLowerCase = true
#ldapRealm.memberAttributeValueTemplate = {{cdh_zeppelin_group_template}}
# enable support for nested groups using the LDAPMATCHINGRULEINCHAIN operator
#ldapRealm.groupSearchEnableMatchingRuleInChain = {{ cdh_zeppelin_ldap_nested_groups }}
# optional mapping from physical groups to logical application roles
ldapRealm.rolesByGroup = {{ cdh_zeppelin_ldap_roles_by_group }}
# optional list of roles that are allowed to authenticate. In case not present all groups are allowed to authenticate (login).
# This changes nothing for url specific permissions that will continue to work as specified in [urls].
#ldapRealm.allowedRolesForAuthentication = adminrole,userrole
#ldapRealm.permissionsByRole = userrole = *:ToDoItem::*, adminrole = *
{% else %}
### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = {{ cdh_zeppelin_ldap_search_base }}
ldapRealm.contextFactory.url = {{ cdh_zeppelin_ldap_url }}
ldapRealm.userDnTemplate = {{ cdh_zeppelin_username_pattern }}
ldapRealm.contextFactory.authenticationMechanism = simple
{% endif %}
securityManager.realms = $ldapRealm
{% endif %}

### A sample PAM configuration
#pamRealm=org.apache.zeppelin.realm.PamRealm
#pamRealm.service=sshd

### A sample for configuring ZeppelinHub Realm
#zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm
## Url of ZeppelinHub
#zeppelinHubRealm.zeppelinhubUrl = https://www.zeppelinhub.com
#securityManager.realms = $zeppelinHubRealm

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

### Enables 'HttpOnly' flag in Zeppelin cookies
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
cookie.httpOnly = true
### Uncomment the below line only when Zeppelin is running over HTTPS
cookie.secure = true
sessionManager.sessionIdCookie = $cookie

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
admin = *
user = *

[urls]
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
# To enfore security, comment the line below and uncomment the next one
/api/version = anon
{% if not cdh_zeppelin_secure_urls %}
/** = anon
{% else %}
{% if cdh_zeppelin_ldap_advanced_config %}
/api/interpreter/setting/restart/** = authc
/api/interpreter/** = {{ cdh_zeppelin_secure_roles }}
/api/configurations/** = {{ cdh_zeppelin_secure_roles }}
/api/credential/** = {{ cdh_zeppelin_secure_roles }}
/** = authc
{% else %}
/** = authc
{% endif %}
{% endif %}