Apache Zeppelin Component Guide
Also available as:
PDF

Configuring Authentication for Production Using Active Directory

To enable AD authentication, complete the following steps.

Note: Zeppelin currently uses Bind requests to authenticate end users; it does not support the LDAP compare operation.

The following steps describe basic settings. For more information about these and other settings, see Shiro Settings: Reference and Shiro authentication for Apache Zeppelin.

  1. Secure the HTTP channel.

    In the [urls] section of shiro.ini contents, uncomment the line /** = authc and comment out the line /** = anon (to disable anonymous access):

    [urls]
    /api/version = anon
    #/** = anon
    /** = authc

    Note: The [urls] section is processed from top to bottom; earlier statements have precedence. If you have two conflicting lines, the first is honored.

  2. In the [main] section of shiro.ini contents, enable activeDirectoryRealm and modify the following settings for your operating environment. For clusters managed by Ambari, update shiro_ini_content; for non-Ambari clusters, update the shiro.ini file.

    Note that there are two types of directory references, those that refer to the AD database, and those that refer to user accounts and groups. Domain information can differ between the two.

    [main]
    
    # authentication settings
    activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm 
    activeDirectoryRealm.url = ldap://<ldap-domain>:389 
    activeDirectoryRealm.searchBase = DC=<user-org-level-domain>,DC=<user-second-level-domain>,DC=<user-top-level-domain> 
    
    # general settings
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager 
    cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager 
    securityManager.cacheManager = $cacheManager 
    securityManager.sessionManager = $sessionManager 
    securityManager.sessionManager.globalSessionTimeout = 86400000
    
    shiro.loginUrl = /api/login
  3. Optional: Zeppelin supports connections to AD over SSL. To force Zeppelin to make an SSL connection to AD, change the value of activeDirectoryRealm.url from ldap to ldaps and specify the AD SSL port; for example:

    activeDirectoryRealm.url = ldaps://hdp.example.com:636

    If LDAP is using a self-signed certificate, import the certificate into the truststore of JVM running Zeppelin:

    echo -n | openssl s_client –connect ldap.example.com:389 | \
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt
     
    keytool –import \
        -keystore $JAVA_HOME/jre/lib/security/cacerts \
        -storepass changeit \
        -noprompt \
        -alias mycert \
        -file /tmp/examplecert.crt
  4. Secure the Websocket channel.

    On an Ambari-managed cluster, navigate to the "Advanced zeppelin-config" section and set zeppelin.anonymous.allowed to false. HDP 2.6: check category

    On a cluster not managed by Ambari, edit the conf/zeppelin-site.xml file. Set zeppelin.anonymous.allowed to false. (If the file does not exist, rename conf/zeppelin-site.xml.template to conf/zeppelin-site.xml, and then edit zeppelin-site.xml.)

  5. Optional: If you want to keep clear passwords from appearing in shiro.ini, complete the following steps:

    1. At your OS command line interface, use the Hadoop credential command to create an entry for the Active Directory credential:

      > hadoop credential create activeDirectoryRealm.systemPassword -provider jceks:///etc/zeppelin/conf/credentials.jceks
      Enter password:
      Enter password again:
      
      activeDirectoryRealm.systemPassword has been successfully created.
      org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated. 
    2. Using chmod 400, make the credentials.jceks file readable and writable only by the Zeppelin system user.

    3. Add the following line to shiro.ini contents:

      activeDirectoryRealm.systemPassword -provider jceks://etc/zeppelin/conf/credentials.jceks
  6. Restart the Zeppelin server using Ambari or, for a cluster not managed by Ambari, manually restart the Zeppelin server:

    ./bin/zeppelin-daemon.sh restart

After successful configuration, Zeppelin requires credentials before allowing users to access the Web UI.

Note: Unless activeDirectoryRealm.principalSuffix is specified, users must fully qualify their account name:

ad-username@AD.DOMAIN.COM