conf/shiro.ini.template - zeppelin - Git at Google

 #
 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
 # The ASF licenses this file to You under the Apache License, Version 2.0
 # (the "License"); you may not use this file except in compliance with
 # the License.  You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #

 [users]
 # List of users with their password allowed to access Zeppelin.
 # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
 # To enable admin user, uncomment the following line and set an appropriate password.
 #admin = password1, admin
 user1 = password2, role1, role2
 user2 = password3, role3
 user3 = password4, role2

 # Sample LDAP configuration, for user Authentication, currently tested for single Realm
 [main]
 ### A sample for configuring Active Directory Realm
 #activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
 #activeDirectoryRealm.systemUsername = userNameA

 #use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html
 #activeDirectoryRealm.systemPassword = passwordA
 #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks
 #activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
 #activeDirectoryRealm.url = ldap://ldap.test.com:389
 #activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
 #activeDirectoryRealm.authorizationCachingEnabled = false

 ### A sample for configuring LDAP Directory Realm
 #ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
 ## search base for ldap groups (only relevant for LdapGroupRealm):
 #ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
 #ldapRealm.contextFactory.url = ldap://ldap.test.com:389
 #ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
 #ldapRealm.contextFactory.authenticationMechanism = simple

 ### A sample PAM configuration
 #pamRealm=org.apache.zeppelin.realm.PamRealm
 #pamRealm.service=sshd

 ### A sample for configuring ZeppelinHub Realm
 #zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm
 ## Url of ZeppelinHub
 #zeppelinHubRealm.zeppelinhubUrl = https://www.zeppelinhub.com
 #securityManager.realms = $zeppelinHubRealm

 ## A same for configuring Knox SSO Realm
 #knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
 #knoxJwtRealm.providerUrl = https://domain.example.com/
 #knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html
 #knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
 #knoxJwtRealm.logoutAPI = true
 #knoxJwtRealm.redirectParam = originalUrl
 #knoxJwtRealm.cookieName = hadoop-jwt
 #knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knox-sso.pem
 #
 #authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter

 ### A sample for configuring Kerberos Realm
 # krbRealm = org.apache.zeppelin.realm.kerberos.KerberosRealm
 # krbRealm.principal = HTTP/zeppelin.fqdn.domain.com@EXAMPLE.COM
 # krbRealm.keytab = /etc/security/keytabs/spnego.service.keytab
 # krbRealm.nameRules = DEFAULT
 # krbRealm.signatureSecretFile = /etc/security/http_secret
 # krbRealm.tokenValidity = 36000
 # krbRealm.cookieDomain = domain.com
 # krbRealm.cookiePath = /
 # krbRealm.logout = /logout
 # krbRealm.logoutAPI = true
 # krbRealm.providerUrl = https://domain.example.com/
 # krbRealm.redirectParam = originalUrl
 # authc = org.apache.zeppelin.realm.kerberos.KerberosAuthenticationFilter

 sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

 ### If caching of user is required then uncomment below lines
 #cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
 #securityManager.cacheManager = $cacheManager

 ### Enables 'HttpOnly' flag in Zeppelin cookies
 cookie = org.apache.shiro.web.servlet.SimpleCookie
 cookie.name = JSESSIONID
 cookie.httpOnly = true
 ### Uncomment the below line only when Zeppelin is running over HTTPS
 #cookie.secure = true
 sessionManager.sessionIdCookie = $cookie

 securityManager.sessionManager = $sessionManager
 # 86,400,000 milliseconds = 24 hour
 securityManager.sessionManager.globalSessionTimeout = 86400000
 shiro.loginUrl = /api/login

 [roles]
 role1 = *
 role2 = *
 role3 = *
 admin = *

 [urls]
 # This section is used for url-based security. For details see the shiro.ini documentation.
 #
 # You can secure interpreter, configuration and credential information by urls.
 # Comment or uncomment the below urls that you want to hide:
 # anon means the access is anonymous.
 # authc means form based auth Security.
 #
 # IMPORTANT: Order matters: URL path expressions are evaluated against an incoming request
 # in the order they are defined and the FIRST MATCH WINS.
 #
 # To allow anonymous access to all but the stated urls,
 # uncomment the line second last line (/** = anon) and comment the last line (/** = authc)
 #
 /api/version = anon
 /api/cluster/address = anon
 # Allow all authenticated users to restart interpreters on a notebook page.
 # Comment out the following line if you would like to authorize only admin users to restart interpreters.
 /api/interpreter/setting/restart/** = authc
 /api/interpreter/** = authc, roles[admin]
 /api/notebook-repositories/** = authc, roles[admin]
 /api/configurations/** = authc, roles[admin]
 /api/credential/** = authc, roles[admin]
 /api/admin/** = authc, roles[admin]
 #/** = anon
 /** = authc
	#
	# Licensed to the Apache Software Foundation (ASF) under one or more
	# contributor license agreements. See the NOTICE file distributed with
	# this work for additional information regarding copyright ownership.
	# The ASF licenses this file to You under the Apache License, Version 2.0
	# (the "License"); you may not use this file except in compliance with
	# the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	#

	[users]
	# List of users with their password allowed to access Zeppelin.
	# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
	# To enable admin user, uncomment the following line and set an appropriate password.
	#admin = password1, admin
	user1 = password2, role1, role2
	user2 = password3, role3
	user3 = password4, role2

	# Sample LDAP configuration, for user Authentication, currently tested for single Realm
	[main]
	### A sample for configuring Active Directory Realm
	#activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
	#activeDirectoryRealm.systemUsername = userNameA

	#use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html
	#activeDirectoryRealm.systemPassword = passwordA
	#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks
	#activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
	#activeDirectoryRealm.url = ldap://ldap.test.com:389
	#activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
	#activeDirectoryRealm.authorizationCachingEnabled = false

	### A sample for configuring LDAP Directory Realm
	#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
	## search base for ldap groups (only relevant for LdapGroupRealm):
	#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
	#ldapRealm.contextFactory.url = ldap://ldap.test.com:389
	#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
	#ldapRealm.contextFactory.authenticationMechanism = simple

	### A sample PAM configuration
	#pamRealm=org.apache.zeppelin.realm.PamRealm
	#pamRealm.service=sshd

	### A sample for configuring ZeppelinHub Realm
	#zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm
	## Url of ZeppelinHub
	#zeppelinHubRealm.zeppelinhubUrl = https://www.zeppelinhub.com
	#securityManager.realms = $zeppelinHubRealm

	## A same for configuring Knox SSO Realm
	#knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
	#knoxJwtRealm.providerUrl = https://domain.example.com/
	#knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html
	#knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
	#knoxJwtRealm.logoutAPI = true
	#knoxJwtRealm.redirectParam = originalUrl
	#knoxJwtRealm.cookieName = hadoop-jwt
	#knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knox-sso.pem
	#
	#authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter

	### A sample for configuring Kerberos Realm
	# krbRealm = org.apache.zeppelin.realm.kerberos.KerberosRealm
	# krbRealm.principal = HTTP/zeppelin.fqdn.domain.com@EXAMPLE.COM
	# krbRealm.keytab = /etc/security/keytabs/spnego.service.keytab
	# krbRealm.nameRules = DEFAULT
	# krbRealm.signatureSecretFile = /etc/security/http_secret
	# krbRealm.tokenValidity = 36000
	# krbRealm.cookieDomain = domain.com
	# krbRealm.cookiePath = /
	# krbRealm.logout = /logout
	# krbRealm.logoutAPI = true
	# krbRealm.providerUrl = https://domain.example.com/
	# krbRealm.redirectParam = originalUrl
	# authc = org.apache.zeppelin.realm.kerberos.KerberosAuthenticationFilter

	sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

	### If caching of user is required then uncomment below lines
	#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
	#securityManager.cacheManager = $cacheManager

	### Enables 'HttpOnly' flag in Zeppelin cookies
	cookie = org.apache.shiro.web.servlet.SimpleCookie
	cookie.name = JSESSIONID
	cookie.httpOnly = true
	### Uncomment the below line only when Zeppelin is running over HTTPS
	#cookie.secure = true
	sessionManager.sessionIdCookie = $cookie

	securityManager.sessionManager = $sessionManager
	# 86,400,000 milliseconds = 24 hour
	securityManager.sessionManager.globalSessionTimeout = 86400000
	shiro.loginUrl = /api/login

	[roles]
	role1 = *
	role2 = *
	role3 = *
	admin = *

	[urls]
	# This section is used for url-based security. For details see the shiro.ini documentation.
	#
	# You can secure interpreter, configuration and credential information by urls.
	# Comment or uncomment the below urls that you want to hide:
	# anon means the access is anonymous.
	# authc means form based auth Security.
	#
	# IMPORTANT: Order matters: URL path expressions are evaluated against an incoming request
	# in the order they are defined and the FIRST MATCH WINS.
	#
	# To allow anonymous access to all but the stated urls,
	# uncomment the line second last line (/ = anon) and comment the last line (/ = authc)
	#
	/api/version = anon
	/api/cluster/address = anon
	# Allow all authenticated users to restart interpreters on a notebook page.
	# Comment out the following line if you would like to authorize only admin users to restart interpreters.
	/api/interpreter/setting/restart/** = authc
	/api/interpreter/** = authc, roles[admin]
	/api/notebook-repositories/** = authc, roles[admin]
	/api/configurations/** = authc, roles[admin]
	/api/credential/** = authc, roles[admin]
	/api/admin/** = authc, roles[admin]
	#/** = anon
	/** = authc