Enable PAM auth by default and allow authenticated users to configure interpreters

idzikovskyi · idzikovskyi · commit e2cab2087304 · 2019-03-22T21:34:00.000+02:00
diff --git a/conf/shiro.ini.template b/conf/shiro.ini.template
@@ -20,9 +20,9 @@
 # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
 # To enable admin user, uncomment the following line and set an appropriate password.
 #admin = password1, admin
-user1 = password2, role1, role2
-user2 = password3, role3
-user3 = password4, role2
+#user1 = password2, role1, role2
+#user2 = password3, role3
+#user3 = password4, role2
 
 # Sample LDAP configuration, for user Authentication, currently tested for single Realm
 [main]
@@ -47,8 +47,10 @@ user3 = password4, role2
 #ldapRealm.contextFactory.authenticationMechanism = simple
 
 ### A sample PAM configuration
-#pamRealm=org.apache.zeppelin.realm.PamRealm
-#pamRealm.service=sshd
+pamRealm=org.apache.zeppelin.realm.PamRealm
+pamRealm.service=login
+
+securityManager.realms = $pamRealm
 
 ### A sample for configuring ZeppelinHub Realm
 #zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm
@@ -112,9 +114,9 @@ admin = *
 /api/version = anon
 # Allow all authenticated users to restart interpreters on a notebook page.
 # Comment out the following line if you would like to authorize only admin users to restart interpreters.
-/api/interpreter/setting/restart/** = authc
-/api/interpreter/** = authc, roles[admin]
-/api/configurations/** = authc, roles[admin]
-/api/credential/** = authc, roles[admin]
+#/api/interpreter/setting/restart/** = authc
+#/api/interpreter/** = authc, roles[admin]
+#/api/configurations/** = authc, roles[admin]
+#/api/credential/** = authc, roles[admin]
 #/** = anon
 /** = authc
diff --git a/conf/zeppelin-env.sh.template b/conf/zeppelin-env.sh.template
@@ -107,6 +107,7 @@
 
 #### Zeppelin impersonation configuration
 # export ZEPPELIN_IMPERSONATE_CMD       # Optional, when user want to run interpreter as end web user. eg) 'sudo -H -u ${ZEPPELIN_IMPERSONATE_USER} bash -c '
+export ZEPPELIN_IMPERSONATE_CMD='sudo -H -u ${ZEPPELIN_IMPERSONATE_USER} bash -c '
 # export ZEPPELIN_IMPERSONATE_SPARK_PROXY_USER  #Optional, by default is true; can be set to false if you don't want to use --proxy-user option with Spark interpreter when impersonation enabled
 
 
diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
@@ -406,7 +406,7 @@
 
 <property>
   <name>zeppelin.anonymous.allowed</name>
-  <value>true</value>
+  <value>false</value>
   <description>Anonymous user allowed by default</description>
 </property>
 
