ansible-roles/hadoop/CDH/templates/shiro.ini

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
admin = password1, admin
user1 = password2, role1, role2
user2 = password3, role3
user3 = password4, role2

# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
### A sample for configuring Active Directory Realm
#activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = userNameA

#use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html
#activeDirectoryRealm.systemPassword = passwordA
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks
#activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
#activeDirectoryRealm.url = ldap://ldap.test.com:389
#activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
#activeDirectoryRealm.authorizationCachingEnabled = false

### A sample for configuring LDAP Directory Realm
#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
#ldapRealm.contextFactory.url = ldap://ldap.test.com:389
#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
#ldapRealm.contextFactory.authenticationMechanism = simple

### A sample PAM configuration
#pamRealm=org.apache.zeppelin.realm.PamRealm
#pamRealm.service=sshd

### A sample for configuring ZeppelinHub Realm
#zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm
## Url of ZeppelinHub
#zeppelinHubRealm.zeppelinhubUrl = https://www.zeppelinhub.com
#securityManager.realms = $zeppelinHubRealm

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
role1 = *
role2 = *
role3 = *
admin = *

[urls]
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
# To enfore security, comment the line below and uncomment the next one
/api/version = anon
#/api/interpreter/** = authc, roles[admin]
#/api/configurations/** = authc, roles[admin]
#/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc
Add the zeppelin installation and configuration (with nginx in front of it). no LDAP yet. 2018-04-12 21:22:54 +02:00			`#`
			`# Licensed to the Apache Software Foundation (ASF) under one or more`
			`# contributor license agreements. See the NOTICE file distributed with`
			`# this work for additional information regarding copyright ownership.`
			`# The ASF licenses this file to You under the Apache License, Version 2.0`
			`# (the "License"); you may not use this file except in compliance with`
			`# the License. You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
			`#`

			`[users]`
			`# List of users with their password allowed to access Zeppelin.`
			`# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections`
			`admin = password1, admin`
			`user1 = password2, role1, role2`
			`user2 = password3, role3`
			`user3 = password4, role2`

			`# Sample LDAP configuration, for user Authentication, currently tested for single Realm`
			`[main]`
			`### A sample for configuring Active Directory Realm`
			`#activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm`
			`#activeDirectoryRealm.systemUsername = userNameA`

			`#use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html`
			`#activeDirectoryRealm.systemPassword = passwordA`
			`#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks`
			`#activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM`
			`#activeDirectoryRealm.url = ldap://ldap.test.com:389`
			`#activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"`
			`#activeDirectoryRealm.authorizationCachingEnabled = false`

			`### A sample for configuring LDAP Directory Realm`
			`#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm`
			`## search base for ldap groups (only relevant for LdapGroupRealm):`
			`#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM`
			`#ldapRealm.contextFactory.url = ldap://ldap.test.com:389`
			`#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM`
			`#ldapRealm.contextFactory.authenticationMechanism = simple`

			`### A sample PAM configuration`
			`#pamRealm=org.apache.zeppelin.realm.PamRealm`
			`#pamRealm.service=sshd`

			`### A sample for configuring ZeppelinHub Realm`
			`#zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm`
			`## Url of ZeppelinHub`
			`#zeppelinHubRealm.zeppelinhubUrl = https://www.zeppelinhub.com`
			`#securityManager.realms = $zeppelinHubRealm`

			`sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager`

			`### If caching of user is required then uncomment below lines`
			`#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager`
			`#securityManager.cacheManager = $cacheManager`

			`securityManager.sessionManager = $sessionManager`
			`# 86,400,000 milliseconds = 24 hour`
			`securityManager.sessionManager.globalSessionTimeout = 86400000`
			`shiro.loginUrl = /api/login`

			`[roles]`
			`role1 = *`
			`role2 = *`
			`role3 = *`
			`admin = *`

			`[urls]`
			`# This section is used for url-based security.`
			`# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.`
			`# anon means the access is anonymous.`
			`# authc means Form based Auth Security`
			`# To enfore security, comment the line below and uncomment the next one`
			`/api/version = anon`
			`#/api/interpreter/** = authc, roles[admin]`
			`#/api/configurations/** = authc, roles[admin]`
			`#/api/credential/** = authc, roles[admin]`
			`#/** = anon`
			`/** = authc`