Apache Zeppelin Component Guide
Also available as:
PDF

Shiro Settings: Reference

This section lists more information about Shiro settings described in the authentication and authorization configuration subsections, plus a few more settings that might be useful.

Active Directory Settings

Active Directory (AD) stores users and groups in a hierarchical tree structure, built from containers including the organizational unit (ou), organization (o), and domain controller (dc). The path to each entry is a Distinguished Name (DN) that uniquely identifies a user or group.

User and group names typically have attributes such as a common name (cn) or unique ID (uid).

Specify the DN as a string, for example cn=admin,dc=example,dc=com. White space is ignored.

activeDirectoryRealm.url

specifies the host and port where Active Directory is set up. For more information, see Apache Shiro Realms.

If the protocol element is specified as ldap, SSL is not used. If the protocol is specified as ldaps, access is over SSL.

Note: If Active Directory uses a self-signed certificate, import the certificate into the truststore of the JVM running Zeppelin; for example:

echo -n | openssl s_client –connect ldap.example.com:389 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt

keytool –import -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt
activeDirectoryRealm.principalSuffix

simplifies the logon information that users must use to log in. Otherwise, AD requires a username fully qualified with domain information. For example, if a fully-qualified user account is user@hdpqa.example.com, you can specify a shorter suffix such as user@hdpqa.

activeDirectoryRealm.principalSuffix = @<user-org-level-domain>
activeDirectoryRealm.searchBase

defines the base distinguished name from which the directory search starts. A distinguished name defines each entry; "dc" entries define a hierarchical directory tree.

activeDirectoryRealm.systemUsername, activeDirectoryRealm.systemPassword

defines the username and password that Zeppelin uses to connect to Active Directory when it searches for users and groups. These two settings are used for controlling access to UI features, not for authentication. The Bind method does not require a valid user password.

activeDirectoryRealm.groupRolesMap

a comma-separated list that maps groups to roles. These settings are used by Zeppelin to restrict UI features to specific AD groups. The following example maps group hdpdv_admin at hdp3.example.com to the "admin" role:

CN=hdpdv_admin,DC=hdp3,DC=example,DC=com:admin
activeDirectoryRealm.authorizationCachingEnabled

specifies whether to use caching to improve performance. To enable caching, set this property to true.

LDAP Settings

LDAP stores users and groups in a hierarchical tree structure, built from containers including the organizational unit (ou), organization (o), and domain controller (dc). The path to each entry is a Distinguished Name (DN) that uniquely identifies a user or group.

User and group names typically have attributes such as a common name (cn) or unique ID (uid).

Specify the DN as a string, for example cn=admin,dc=example,dc=com. White space is ignored.

Zeppelin LDAP authentication uses templates for user DNs. SeeLDAP Realm Settings for options you can set for an LDAP realm.

ldapRealm

specifies the class name to use for LDAP authentication. You should set this to org.apache.zeppelin.server.LdapGroupRealm unless you are familiar with LDAP and prefer to use org.apache.shiro.realm.ldap.JndiLdapRealm. For more information, see Apache Shiro Realms.

ldapRealm.contextFactory.environment[ldap.searchBase]

defines the base distinguished name from which the LDAP search starts. Shiro searches for userDnTemplate at this address.

If the protocol is specified as ldap, SSL is not used. If the protocol is specified as ldaps, access is over SSL.

ldapRealm.userDnTemplate

specifies the search location where the user is to be found. Shiro replaces {0} with the username acquired from the Zeppelin UI. Zeppelin uses User DN templates to configure associated realms.

ldapRealm.contextFactory.url

specifies the host and port on which LDAP is running.

If the protocol element is specified as ldap, SSL will not be used. If the protocol is specified as ldaps, access will be over SSL.

Note: If LDAP is using a self-signed certificate, import the certificate into the truststore of JVM running Zeppelin; for example:

echo -n | openssl s_client –connect ldap.example.com:389 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt
keytool –import -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt
ldapRealm.contextFactory.systemUsername, ldapRealm.contextFactory.systemPassword

define the username and password that Zeppelin uses to connect to LDAP, to search for users and groups. These two settings are used for controlling access to UI features, not for authentication. The Bind method does not require a valid user password.

ldapRealm.authorizationCachingEnabled

specifies whether to use caching to improve performance. To enable caching, set this property to true.

General Settings

securityManager.sessionManager.globalSessionTimeout

specifies how long to wait (in milliseconds) before logging out a user, if they are logged in and are not moving the cursor.

The default is 86,400,000 milliseconds, which equals 24 hours.

Example

The following example shows a minimum set of shiro.ini settings for authentication and access control, assuming that the corresponding account information is configured in Active Directory (at adhost.field.hortonworks.com) and on Zeppelin nodes.

[main]
# AD authentication settings
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm 
activeDirectoryRealm.url = ldap://adhost.org.hortonworks.com:389 
activeDirectoryRealm.searchBase = DC=org,DC=hortonworks,DC=com 

# general settings
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager 
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager 
securityManager.cacheManager = $cacheManager 
securityManager.sessionManager = $sessionManager 
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
# authentication method and access control filters
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc