| # |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| |
| [users] |
| # List of users with their password allowed to access Zeppelin. |
| # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections |
| # To enable admin user, uncomment the following line and set an appropriate password. |
| #admin = password1, admin |
| user1 = password2, role1, role2 |
| user2 = password3, role3 |
| user3 = password4, role2 |
| |
| # Sample LDAP configuration, for user Authentication, currently tested for single Realm |
| [main] |
| ### A sample for configuring Active Directory Realm |
| #activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm |
| #activeDirectoryRealm.systemUsername = userNameA |
| |
| #use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html |
| #activeDirectoryRealm.systemPassword = passwordA |
| #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks |
| #activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM |
| #activeDirectoryRealm.url = ldap://ldap.test.com:389 |
| #activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr" |
| #activeDirectoryRealm.authorizationCachingEnabled = false |
| |
| ### A sample for configuring LDAP Directory Realm |
| #ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm |
| ## search base for ldap groups (only relevant for LdapGroupRealm): |
| #ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM |
| #ldapRealm.contextFactory.url = ldap://ldap.test.com:389 |
| #ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM |
| #ldapRealm.contextFactory.authenticationMechanism = simple |
| |
| ### A sample PAM configuration |
| #pamRealm=org.apache.zeppelin.realm.PamRealm |
| #pamRealm.service=sshd |
| |
| ## A same for configuring Knox SSO Realm |
| #knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm |
| #knoxJwtRealm.providerUrl = https://domain.example.com/ |
| #knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html |
| #knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout |
| #knoxJwtRealm.logoutAPI = true |
| #knoxJwtRealm.redirectParam = originalUrl |
| #knoxJwtRealm.cookieName = hadoop-jwt |
| #knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knox-sso.pem |
| # |
| #authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter |
| |
| ### A sample for configuring Kerberos Realm |
| # krbRealm = org.apache.zeppelin.realm.kerberos.KerberosRealm |
| # krbRealm.principal = HTTP/zeppelin.fqdn.domain.com@EXAMPLE.COM |
| # krbRealm.keytab = /etc/security/keytabs/spnego.service.keytab |
| # krbRealm.nameRules = DEFAULT |
| # krbRealm.signatureSecretFile = /etc/security/http_secret |
| # krbRealm.tokenValidity = 36000 |
| # krbRealm.cookieDomain = domain.com |
| # krbRealm.cookiePath = / |
| # krbRealm.logout = /logout |
| # krbRealm.logoutAPI = true |
| # krbRealm.providerUrl = https://domain.example.com/ |
| # krbRealm.redirectParam = originalUrl |
| # authc = org.apache.zeppelin.realm.kerberos.KerberosAuthenticationFilter |
| |
| sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager |
| |
| ### If caching of user is required then uncomment below lines |
| #cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager |
| #securityManager.cacheManager = $cacheManager |
| |
| ### Enables 'HttpOnly' flag in Zeppelin cookies |
| cookie = org.apache.shiro.web.servlet.SimpleCookie |
| cookie.name = JSESSIONID |
| cookie.httpOnly = true |
| ### Uncomment the below line only when Zeppelin is running over HTTPS |
| #cookie.secure = true |
| sessionManager.sessionIdCookie = $cookie |
| |
| securityManager.sessionManager = $sessionManager |
| # 86,400,000 milliseconds = 24 hour |
| securityManager.sessionManager.globalSessionTimeout = 86400000 |
| shiro.loginUrl = /api/login |
| |
| [roles] |
| role1 = * |
| role2 = * |
| role3 = * |
| admin = * |
| |
| [urls] |
| # This section is used for url-based security. For details see the shiro.ini documentation. |
| # |
| # You can secure interpreter, configuration and credential information by urls. |
| # Comment or uncomment the below urls that you want to hide: |
| # anon means the access is anonymous. |
| # authc means form based auth Security. |
| # |
| # IMPORTANT: Order matters: URL path expressions are evaluated against an incoming request |
| # in the order they are defined and the FIRST MATCH WINS. |
| # |
| # To allow anonymous access to all but the stated urls, |
| # uncomment the line second last line (/** = anon) and comment the last line (/** = authc) |
| # |
| /api/version = anon |
| /api/cluster/address = anon |
| # Allow all authenticated users to restart interpreters on a notebook page. |
| # Comment out the following line if you would like to authorize only admin users to restart interpreters. |
| /api/interpreter/setting/restart/** = authc |
| /api/interpreter/** = authc, roles[admin] |
| /api/notebook-repositories/** = authc, roles[admin] |
| /api/configurations/** = authc, roles[admin] |
| /api/credential/** = authc, roles[admin] |
| /api/admin/** = authc, roles[admin] |
| #/** = anon |
| /** = authc |