SSO Roles Mapping in Zeppelin

Describes how Zeppelin roles are derived from a JWT.

When SSO is enabled on the cluster, Zeppelin supports JWT-based authentication, just like most of the other components. For JWT-based authorization, Zeppelin extends the Core approach of deriving user roles from the userRoles JWT claim:
"userRoles": [
    "default-roles-user46",
    "offline_access",
    "admin",
    "developer",
    "uma_authorization",
    "cluster-admin"
]
In addition to the userRoles claim, Zeppelin also checks the groups claim:
"groups": [
    "engineering",
    "design-team",
    "marketing",
    "sales"
]
IMPORTANT
If you are using Keycloak, you must create a mapper in Keycloak to put user groups into the JWT.

For details, see Keycloak Client Scopes, and Roles and Permissions When SSO Is Configured.
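
One way to confirm that a token from your identity provider actually carries the userRoles and groups claims described above (an added example, not part of the original documentation or of Zeppelin's code). It decodes the payload for inspection only and does not verify the signature; the function names and the sample token are constructed for illustration.

```python
import base64
import json

ROLE_CLAIMS = ("userRoles", "groups")  # the two claims this page says Zeppelin reads


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_role_claims(token: str) -> dict:
    """Return each role-bearing claim's values plus a list of problems (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    try:
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")

    report = {"problems": []}
    for claim in ROLE_CLAIMS:
        report[claim] = []
        value = payload.get(claim)
        if value is None:
            # For groups, this is what a missing Keycloak mapper looks like.
            report["problems"].append(f"{claim} claim missing")
        elif isinstance(value, list) and all(isinstance(v, str) for v in value):
            report[claim] = value
        else:
            report["problems"].append(f"{claim} claim is not a list of strings")
    return report


def make_sample_token(claims: dict) -> str:
    """Build a constructed demo token with a placeholder (invalid) signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    # Constructed sample: roles are present, but no groups mapper is configured.
    token = make_sample_token({"sub": "user46", "userRoles": ["admin", "developer"]})
    print(inspect_role_claims(token))
```

A "groups claim missing" result for a Keycloak-issued token points at the mapper mentioned in the note above.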