SSO Roles Mapping in Zeppelin
Describes how Zeppelin roles are derived from a JWT.
When SSO is enabled on the cluster, Zeppelin supports JWT-based authentication just as most of
the other components do. In terms of JWT-based authorization, Zeppelin extends the Core approach
of deriving user roles from a userRoles JWT claim:

"userRoles": [
  "default-roles-user46",
  "offline_access",
  "admin",
  "developer",
  "uma_authorization",
  "cluster-admin"
]

In addition to the userRoles claim, Zeppelin checks the groups claim as well:

"groups": [
  "engineering",
  "design-team",
  "marketing",
  "sales"
]

IMPORTANT
If you are using Keycloak, you must create a mapper in Keycloak to put user groups into the JWT.
For details, see Keycloak Client Scopes, and Roles and Permissions When SSO Is Configured.
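
To confirm that an issued token actually carries both claims (for example, after adding the Keycloak mapper), you can decode its payload and inspect it. The script below is an added example, not Zeppelin or Keycloak code: the function names and sample tokens are constructed for illustration, it decodes without verifying the signature (inspection only), and the check for entries starting with "/" is an assumption covering Keycloak's full group path mapper option.

```python
import base64
import json

ROLE_CLAIMS = ("userRoles", "groups")  # the two claims this page names


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_role_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (inspection only)
    and report what each role-bearing claim contains."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    payload = json.loads(b64url_decode(parts[1]))
    report = {"values": {}, "problems": []}
    for claim in ROLE_CLAIMS:
        value = payload.get(claim)
        if value is None:
            report["problems"].append(f"{claim}: claim missing from token")
        elif not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            report["problems"].append(f"{claim}: expected a JSON array of strings")
        else:
            report["values"][claim] = value
            # Assumption: names should be plain, as in the page's samples.
            pathy = [v for v in value if v.startswith("/")]
            if pathy:
                report["problems"].append(f"{claim}: path-style entries {pathy}")
    return report


def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample token for offline use; not a real credential.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.c2ln"


if __name__ == "__main__":
    ok = make_sample_token({"userRoles": ["admin", "developer"], "groups": ["engineering", "sales"]})
    no_mapper = make_sample_token({"userRoles": ["admin", "developer"]})
    print(inspect_role_claims(ok))         # both claims present, no problems
    print(inspect_role_claims(no_mapper))  # groups missing: mapper not configured
```

A "groups: claim missing from token" result for a Keycloak-issued token points at the missing group mapper described in the note above.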