#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
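[users]
# List of users with their password allowed to access Zeppelin.
# Shiro's local IniRealm form is "username = password, role1, role2".
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
# The local account is rendered only when LDAP is disabled; with LDAP enabled
# every login goes through the realm configured in [main].
{% if not cdh_zeppelin_ldap_enabled %}
# The password is written in clear text into the rendered file and falls back to
# the well-known value 'admin' when cdh_zeppelin_admin_password is not set.
# Set cdh_zeppelin_admin_password for any reachable deployment and keep the
# rendered file readable only by the Zeppelin service user.
admin = {{ cdh_zeppelin_admin_password | default('admin') }}, admin
{% endif %}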
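# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
{% if cdh_zeppelin_ldap_enabled %}
{% if cdh_zeppelin_ldap_advanced_config %}
# Advanced realm: authenticates the user and resolves group membership so that
# roles can be used in the [urls] rules.
ldapRealm = org.apache.zeppelin.realm.LdapRealm
# A plain ldap:// URL sends the simple bind, i.e. every user password, in clear
# text; an ldaps:// (or otherwise TLS-protected) URL is expected outside lab setups.
ldapRealm.contextFactory.url = {{ cdh_zeppelin_ldap_url }}
ldapRealm.contextFactory.authenticationMechanism = simple
# Service account used for the directory searches below. Its password is
# rendered in clear text, so the rendered file must not be world-readable.
ldapRealm.contextFactory.systemUsername = {{ cdh_zeppelin_ldap_bind_u }}
ldapRealm.contextFactory.systemPassword = {{ cdh_zeppelin_ldap_bind_pwd }}
ldapRealm.authorizationEnabled = true
#ldapRealm.userDnTemplate = {{ cdh_zeppelin_username_pattern }}
# Ability to set ldap paging Size if needed default is 100
#ldapRealm.pagingSize = 200
#ldapRealm.searchBase = {{ cdh_zeppelin_ldap_search_base }}
ldapRealm.userSearchBase = {{ cdh_zeppelin_ldap_users_base }}
ldapRealm.userObjectClass = {{ cdh_zeppelin_user_objectclass }}
ldapRealm.groupSearchBase = {{ cdh_zeppelin_ldap_group_base }}
ldapRealm.groupObjectClass = {{ cdh_zeppelin_ldap_group_obj_class }}
# Rendered inside single quotes; presumably the variable holds a complete LDAP
# search filter — confirm against the role defaults.
ldapRealm.groupSearchFilter = '{{ cdh_zeppelin_group_search_filter }}'
# Allow userSearchAttribute to be customized
ldapRealm.userSearchAttributeName = {{ cdh_zeppelin_ldap_user_attr }}
ldapRealm.memberAttribute = {{ cdh_zeppelin_ldap_member_attr }}
# force usernames returned from ldap to lowercase useful for AD
#ldapRealm.userLowerCase = true
#ldapRealm.memberAttributeValueTemplate = {{cdh_zeppelin_group_template}}
# enable support for nested groups using the LDAPMATCHINGRULEINCHAIN operator
#ldapRealm.groupSearchEnableMatchingRuleInChain = {{ cdh_zeppelin_ldap_nested_groups }}
# optional mapping from physical groups to logical application roles
ldapRealm.rolesByGroup = {{ cdh_zeppelin_ldap_roles_by_group }}
# optional list of roles that are allowed to authenticate. In case not present all groups are allowed to authenticate (login).
# This changes nothing for url specific permissions that will continue to work as specified in [urls].
#ldapRealm.allowedRolesForAuthentication = adminrole,userrole
#ldapRealm.permissionsByRole = userrole = *:ToDoItem::*, adminrole = *
{% else %}
### A sample for configuring LDAP Directory Realm
# Simple realm: binds as the user built from userDnTemplate; no group lookup,
# so role-based [urls] rules are not available in this branch.
ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = {{ cdh_zeppelin_ldap_search_base }}
# Same transport caveat as above: prefer an ldaps:// URL so the bind is not sent in clear text.
ldapRealm.contextFactory.url = {{ cdh_zeppelin_ldap_url }}
ldapRealm.userDnTemplate = {{ cdh_zeppelin_username_pattern }}
ldapRealm.contextFactory.authenticationMechanism = simple
{% endif %}
securityManager.realms = $ldapRealm
{% endif %}

### A sample PAM configuration
#pamRealm=org.apache.zeppelin.realm.PamRealm
#pamRealm.service=sshd

### A sample for configuring ZeppelinHub Realm
#zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm
## Url of ZeppelinHub
#zeppelinHubRealm.zeppelinhubUrl = https://www.zeppelinhub.com
#securityManager.realms = $zeppelinHubRealm

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

### Session cookie hardening: 'HttpOnly' keeps the session id out of reach of page scripts
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
cookie.httpOnly = true
### 'Secure' is set unconditionally here, so this template is only valid for a
### Zeppelin served over HTTPS (or behind a TLS-terminating proxy the container
### treats as secure). Over plain HTTP the browser never sends the cookie back
### and logins do not persist; template or drop this line for HTTP-only setups.
cookie.secure = true
sessionManager.sessionIdCookie = $cookie

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login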
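[roles]
# Role -> permission map for the local realm. Both roles carry the wildcard
# permission, so permission checks cannot distinguish admin from user; any
# admin/user distinction has to come from the role filters in [urls].
admin = *
user = *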
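[urls]
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
# Shiro evaluates these chains in order and the first matching pattern wins, so
# the specific /api/... rules must stay above the catch-all /**.
# Which branch is enforced is selected by cdh_zeppelin_secure_urls (and
# cdh_zeppelin_ldap_advanced_config), not by commenting lines out.
/api/version = anon
{% if not cdh_zeppelin_secure_urls %}
# Everything, including interpreter settings and stored credentials, is
# reachable without logging in. Only acceptable on a fully trusted network.
/** = anon
{% else %}
{% if cdh_zeppelin_ldap_advanced_config %}
# Matched before the broader /api/interpreter/** rule, so any authenticated
# user may restart an interpreter.
/api/interpreter/setting/restart/** = authc
# cdh_zeppelin_secure_roles is assumed to hold a Shiro filter chain such as
# "authc, roles[admin]" — confirm against the role defaults.
/api/interpreter/** = {{ cdh_zeppelin_secure_roles }}
/api/configurations/** = {{ cdh_zeppelin_secure_roles }}
/api/credential/** = {{ cdh_zeppelin_secure_roles }}
/** = authc
{% else %}
/** = authc
{% endif %}
{% endif %}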