Zeppelin / ZEPPELIN-946

Notebook specific permissions not honoring group / role memberships

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.6.0
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      Error:
      Insufficient privileges to write notebook.
      Allowed users or roles: [admin, zeppelinWrite]
      But the user randerson belongs to: [randerson]

      It seems clear that user randerson isn't mapped to any roles or groups (even though he is, of course, a member of the zeppelinWrite group in AD and, as a result, also part of the local admin role). A tcpdump reveals that during login all of my group memberships are in fact returned during the LDAP bind operation. However, when I attempt to modify a notebook, a call is never made to AD to pull back my group memberships. It doesn't seem to look at my local group memberships (/etc/group) either.

      shiro.ini

      [users]

      [main]
      adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
      adRealm.url = ldap://<server>:389
      adRealm.groupRolesMap = "cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,cn=users,dc=company,dc=com":"admin"
      adRealm.searchBase = DC=company,DC=com
      adRealm.systemUsername= <username>
      adRealm.systemPassword= <password>
      adRealm.principalSuffix=<@company>

      sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
      securityManager.sessionManager = $sessionManager
      securityManager.sessionManager.globalSessionTimeout = 86400000
      shiro.loginUrl = /api/login
      securityManager.realms = $adRealm
      [roles]
      admin = *
      [urls]
      /api/version = anon
      /** = authcBasic
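
The denial above can be triaged offline from the error text and the `groupRolesMap` value alone. The following Python script is an added example, not Zeppelin or Shiro code: it compares the principals held at check time with the roles the mapping implies. The `memberOf` DN is a constructed sample and all function names are hypothetical.

```python
import re

# Error text and groupRolesMap value are copied from the report above.
ERROR_TEXT = """Insufficient privileges to write notebook.
Allowed users or roles: [admin, zeppelinWrite]
But the user randerson belongs to: [randerson]"""
GROUP_ROLES_MAP = ('"cn=zeppelinWrite,ou=unix groups,ou=groups,ou=accounts,'
                   'cn=users,dc=company,dc=com":"admin"')
# Constructed sample of a memberOf value returned at bind time (assumption).
SAMPLE_MEMBER_OF = ["CN=zeppelinWrite,OU=unix groups,OU=groups,OU=accounts,"
                    "CN=users,DC=company,DC=com"]

def _items(csv):
    return {x.strip() for x in csv.split(",") if x.strip()}

def normalize_dn(dn):
    """Lower-case and trim each RDN (simplified: escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_denial(text):
    """Return (user, allowed, held) from the permission-denied message."""
    allowed = re.search(r"Allowed users or roles: \[(.*?)\]", text)
    held = re.search(r"But the user (\S+) belongs to: \[(.*?)\]", text)
    if not (allowed and held):
        raise ValueError("not a notebook permission-denied message")
    return held.group(1), _items(allowed.group(1)), _items(held.group(2))

def parse_group_roles_map(value):
    """Parse quoted DN:roles pairs into {normalized DN: set of roles}."""
    pairs = re.findall(r'"([^"]+)"\s*:\s*"([^"]+)"', value)
    return {normalize_dn(dn): _items(roles) for dn, roles in pairs}

def diagnose(error_text, group_roles_map, member_of):
    """Compare the principals held at check time with those the mapping implies."""
    user, allowed, held = parse_denial(error_text)
    mapping = parse_group_roles_map(group_roles_map)
    expected = set()
    for dn in member_of:
        expected |= mapping.get(normalize_dn(dn), set())
    return {
        "user": user,
        "only_username_held": held == {user},   # no roles or groups resolved
        "expected_roles": expected,             # roles the AD groups map to
        "passes_now": bool(allowed & held),
        "would_pass_with_roles": bool(allowed & (held | expected)),
    }

if __name__ == "__main__":
    print(diagnose(ERROR_TEXT, GROUP_ROLES_MAP, SAMPLE_MEMBER_OF))
```

When `only_username_held` is true while `expected_roles` is non-empty, the principal set was built without the realm's group-to-role mapping, which matches the symptom in the report.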

              People

              • Assignee: Prabhjyot Singh (prabhjyotsingh)
              • Reporter: Rob Anderson (randerson)