Cloudera Docs » 2.5.6 » Apache Zeppelin Component Guide
Apache Zeppelin Component Guide
Also available as:
PDF

Configuring Authentication for Production Using Active Directory

To enable AD authentication, complete the following steps.

Note: Zeppelin currently uses Bind requests to authenticate end users; it does not support the LDAP compare operation.

The following steps describe basic settings. For more information about these and other settings, see Shiro Settings: Reference and Shiro authentication for Apache Zeppelin.

  1. Secure the HTTP channel.

    In the [urls] section of shiro.ini contents, uncomment the line /** = authc and comment out the line /** = anon (to disable anonymous access):

    [urls]
/api/version = anon
#/** = anon
/** = authc

    Note: The [urls] section is processed from top to bottom; earlier statements have precedence. If you have two conflicting lines, the first is honored.

  2. In the [main] section of shiro.ini contents, enable activeDirectoryRealm and modify the following settings for your operating environment. For clusters managed by Ambari, update shiro_ini_content; for non-Ambari clusters, update the shiro.ini file.

    Note that there are two types of directory references, those that refer to the AD database, and those that refer to user accounts and groups. Domain information can differ between the two.

    [main]

# authentication settings
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm 
activeDirectoryRealm.url = ldap://<ldap-domain>:389 
activeDirectoryRealm.searchBase = DC=<user-org-level-domain>,DC=<user-second-level-domain>,DC=<user-top-level-domain> 

# general settings
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager 
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager 
securityManager.cacheManager = $cacheManager 
securityManager.sessionManager = $sessionManager 
securityManager.sessionManager.globalSessionTimeout = 86400000

shiro.loginUrl = /api/login

  3. Optional: Zeppelin supports connections to AD over SSL. To force Zeppelin to make an SSL connection to AD, change the value of activeDirectoryRealm.url from ldap to ldaps and specify the AD SSL port; for example:

    activeDirectoryRealm.url = ldaps://hdp.example.com:636

    If LDAP is using a self-signed certificate, import the certificate into the truststore of JVM running Zeppelin:

    echo -n | openssl s_client –connect ldap.example.com:389 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt  
keytool –import -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt

  4. Secure the Websocket channel.

    On an Ambari-managed cluster, navigate to the "Advanced zeppelin-config" section and set zeppelin.anonymous.allowed to false. HDP 2.6: check category

    On a cluster not managed by Ambari, edit the conf/zeppelin-site.xml file. Set zeppelin.anonymous.allowed to false. (If the file does not exist, rename conf/zeppelin-site.xml.template to conf/zeppelin-site.xml, and then edit zeppelin-site.xml.)

  5. Optional: If you want to keep clear passwords from appearing in shiro.ini, complete the following steps:

    1. At your OS command line interface, use the Hadoop credential command to create an entry for the Active Directory credential:

      > hadoop credential create activeDirectoryRealm.systemPassword -provider jceks:///etc/zeppelin/conf/credentials.jceks
Enter password:
Enter password again:

activeDirectoryRealm.systemPassword has been successfully created.
org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.

    2. Using chmod 400, make the credentials.jceks file readable and writable only by the Zeppelin system user.

    3. Add the following line to shiro.ini contents:

      activeDirectoryRealm.systemPassword -provider jceks://etc/zeppelin/conf/credentials.jceks

  6. Restart the Zeppelin server using Ambari or, for a cluster not managed by Ambari, manually restart the Zeppelin server:

    ./bin/zeppelin-daemon.sh restart

To use Zeppelin after configuring AD authentication:

  1. Open the Zeppelin UI in a new browser tab:

    http://<zeppelin-hostname>:9995

  2. Click the Login button at the top right corner of the page.

  3. In the login dialog box, specify a valid Active Directory username and password.

    Unless the activeDirectoryRealm.principalSuffix property was set during AD configuration, users must fully qualify their account name; for example:

    ad-username@AD.DOMAIN.COM

  4. If Zeppelin access to Active Directory is configured accurately, Zeppelin presents its home page.

© 2012–2021 by Cloudera, Inc.
Document licensed under the Creative Commons Attribution ShareAlike 4.0 License.
Cloudera.com | Documentation | Support | Community