Configuring Apache Zeppelin Security

Enable Access Control for Interpreter, Configuration, and Credential Settings

This section describes how to restrict access to Apache Zeppelin interpreter, credential, and configuration settings.

By default, any authenticated account can access Zeppelin interpreter, credential, and configuration settings. When access control is enabled, unauthorized users can see the page heading, but no settings. There are two steps: defining roles, and specifying which roles have access to which settings.
Users and groups must be defined on all Zeppelin nodes and in the associated identity store.
  1. Define a [roles] section in the shiro.ini contents, and specify permissions for the defined groups. The following example grants all permissions ("*") to users in group admin:
    [roles]
    admin = *
  2. In the [urls] section of the shiro.ini contents, uncomment the interpreter, configurations, or credential line(s) to enable access control for the interpreter, configuration, or credential page(s), respectively. (If the [urls] section is not defined, add the section. Include the three /api lines listed in the following example.)
    The following example specifies access to interpreter, configurations, and credential settings for role "admin":
    [urls]
    /api/version = anon
    /api/interpreter/** = authc, roles[admin]
    /api/configurations/** = authc, roles[admin]
    /api/credential/** = authc, roles[admin]
    #/** = anon
    /** = authc

    To add more roles, separate role identifiers with commas inside the square brackets.

    Note: The sequence of lines in the [urls] section is important. The /api/version line must be the first line in the [urls] section:

    /api/version = anon 

    Next, specify the three /api lines in any order:

    /api/interpreter/** = authc, roles[admin]
    /api/configurations/** = authc, roles[admin]
    /api/credential/** = authc, roles[admin]

    The authc line must be last in the [urls] section:

    /** = authc
  3. When unauthorized users attempt to access the interpreter, configurations, or credential page, they see the page heading but not settings.
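The ordering and access rules above can be checked mechanically before Zeppelin is restarted. The following Python script is an added example, not part of the Zeppelin documentation or distribution; the function names and the SAMPLE_BAD contents are constructed for illustration.

```python
import re

PROTECTED = ("/api/interpreter/**", "/api/configurations/**", "/api/credential/**")

def parse_urls(ini_text):
    """Return ordered (path, filters) pairs from [urls]; commented lines are skipped."""
    entries, in_urls = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_urls = line == "[urls]"
        elif in_urls and "=" in line:
            path, chain = line.split("=", 1)
            filters = [f.strip() for f in re.split(r",(?![^\[]*\])", chain)]
            entries.append((path.strip(), filters))
    return entries

def check_urls(ini_text):
    """Return a list of violations of the [urls] rules described on this page."""
    entries = parse_urls(ini_text)
    problems = []
    if not entries or entries[0] != ("/api/version", ["anon"]):
        problems.append("/api/version = anon must be the first line in [urls]")
    if not entries or entries[-1] != ("/**", ["authc"]):
        problems.append("/** = authc must be the last line in [urls]")
    active = dict(entries)
    for path in PROTECTED:
        filters = active.get(path)
        if filters is None:
            problems.append(f"{path} is missing or still commented out")
        elif "authc" not in filters or not any(f.startswith("roles[") for f in filters):
            problems.append(f"{path} needs both authc and roles[...]")
    if any(p == "/**" and "anon" in f for p, f in entries):
        problems.append("/** = anon is active and must stay commented out")
    return problems

# Constructed sample: one line left commented, one without roles[...], /** = anon active
SAMPLE_BAD = """[urls]
/api/version = anon
#/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc
/api/credential/** = authc, roles[admin]
/** = anon
"""

if __name__ == "__main__":
    print("\n".join(check_urls(SAMPLE_BAD)) or "OK")
```

Pass the shiro.ini contents as a string to check_urls(); an empty list means the [urls] section follows the layout shown in step 2.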