Shiro Settings: Reference
This section lists more information about Shiro settings described in the authentication and authorization configuration subsections, plus a few more settings that might be useful.
Active Directory Settings
Active Directory (AD) stores users and groups in a hierarchical tree structure, built from containers including the organizational unit (ou), organization (o), and domain controller (dc). The path to each entry is a Distinguished Name (DN) that uniquely identifies a user or group.
User and group names typically have attributes such as a common name (cn) or unique ID (uid).
Specify the DN as a string, for example cn=admin,dc=example,dc=com. White
space is ignored.
![[Important]](../common/images/admon/important.png) | Important |
|---|---|
If you upgrade from HDP 2.5 (Zeppelin 0.6) to HDP 2.6 (Zeppelin 0.7), note that the Active
Directory group realm class name changed from
|
activeDirectoryRealmspecifies the class name to use for AD authentication. You should set this to
org.apache.zeppelin.realm.ActiveDirectoryGroupRealm. For more information, see Apache Shiro Realms.activeDirectoryRealm.urlspecifies the host and port where Active Directory is set up. For more information, see Apache Shiro Realms.
If the protocol element is specified as
ldap, SSL is not used. If the protocol is specified asldaps, access is over SSL.Note: If Active Directory uses a self-signed certificate, import the certificate into the truststore of the JVM running Zeppelin; for example:
echo -n | openssl s_client –connect ldap.example.com:389 | \ sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt keytool –import \ -keystore $JAVA_HOME/jre/lib/security/cacerts \ -storepass changeit \ -noprompt \ -alias mycert \ -file /tmp/examplecert.crtactiveDirectoryRealm.principalSuffixsimplifies the logon information that users must use to log in. Otherwise, AD requires a username fully qualified with domain information. For example, if a fully-qualified user account is
user@hdpqa.example.com, you can specify a shorter suffix such asuser@hdpqa.activeDirectoryRealm.principalSuffix = @<user-org-level-domain>
activeDirectoryRealm.searchBasedefines the base distinguished name from which the directory search starts. A distinguished name defines each entry; "dc" entries define a hierarchical directory tree.
activeDirectoryRealm.systemUsername,activeDirectoryRealm.systemPassworddefines the username and password that Zeppelin uses to connect to Active Directory when it searches for users and groups. These two settings are used for controlling access to UI features, not for authentication. The Bind method does not require a valid user password.
Example:
activeDirectoryRealm.systemPassword = passwordAactiveDirectoryRealm.groupRolesMapa comma-separated list that maps groups to roles. These settings are used by Zeppelin to restrict UI features to specific AD groups. The following example maps group
hdpdv_adminathdp3.example.comto the "admin" role:CN=hdpdv_admin,DC=hdp3,DC=example,DC=com:admin
activeDirectoryRealm.authorizationCachingEnabledspecifies whether to use caching to improve performance. To enable caching, set this property to
true.
LDAP Settings
LDAP stores users and groups in a hierarchical tree structure, built from containers including the organizational unit (ou), organization (o), and domain controller (dc). The path to each entry is a Distinguished Name (DN) that uniquely identifies a user or group.
User and group names typically have attributes such as a common name (cn) or unique ID (uid).
Specify the DN as a string, for example cn=admin,dc=example,dc=com. White
space is ignored.
Zeppelin LDAP authentication uses templates for user DNs. SeeLDAP Realm Settings for options you can set for an LDAP realm.
ldapRealmspecifies the class name to use for LDAP authentication. You should set this to
org.apache.zeppelin.realm.LdapRealmunless you are familiar with LDAP and prefer to useorg.apache.shiro.realm.ldap.JndiLdapRealm. For more information, see Apache Shiro Realms.ldapRealm.contextFactory.environment[ldap.searchBase]defines the base distinguished name from which the LDAP search starts. Shiro searches for
userDnTemplateat this address.If the protocol is specified as
ldap, SSL is not used. If the protocol is specified asldaps, access is over SSL.ldapRealm.userDnTemplatespecifies the search location where the user is to be found. Shiro replaces
{0}with the username acquired from the Zeppelin UI. Zeppelin uses User DN templates to configure associated realms.ldapRealm.contextFactory.urlspecifies the host and port on which LDAP is running.
If the protocol element is specified as
ldap, SSL will not be used. If the protocol is specified asldaps, access will be over SSL.Note: If LDAP is using a self-signed certificate, import the certificate into the truststore of JVM running Zeppelin; for example:
echo -n | openssl s_client –connect ldap.example.com:389 | \ sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt keytool –import \ -keystore $JAVA_HOME/jre/lib/security/cacerts \ -storepass changeit \ -noprompt \ -alias mycert \ -file /tmp/examplecert.crtldapRealm.contextFactory.systemUsername,ldapRealm.contextFactory.systemPassworddefine the username and password that Zeppelin uses to connect to LDAP, to search for users and groups. These two settings are used for controlling access to UI features, not for authentication. The Bind method does not require a valid user password.
Examples:
ldapRealm.contextFactory.systemUsername=uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.systemPassword=somePassword
ldapRealm.authorizationCachingEnabledspecifies whether to use caching to improve performance. To enable caching, set this property to
true.
General Settings
securityManager.sessionManager.globalSessionTimeoutspecifies how long to wait (in milliseconds) before logging out a user, if they are logged in and are not moving the cursor.
The default is 86,400,000 milliseconds, which equals 24 hours.