Configuring Authentication for Production Using LDAP
To use any form of LDAP other than AD, complete the steps in this section.
Note: Zeppelin currently uses LDAP Bind requests to authenticate end users; it does not support the LDAP compare operation.
The following steps describe basic settings. For more information about these and additional settings, see Shiro Settings: Reference and Shiro authentication for Apache Zeppelin.
Secure the HTTP channel.

In the [urls] section of the shiro.ini contents, uncomment the line /** = authc and comment out the line /** = anon (to disable anonymous access):

    [urls]
    /api/version = anon
    #/** = anon
    /** = authc
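Shiro walks the [urls] chain from top to bottom and applies the first pattern that matches the request path, so an anonymous catch-all left above the authc line silently disables authentication for everything. The following script is an added example (not code from the page or from Zeppelin or Shiro) that parses a [urls] section and resolves the effective filter the way the first-match rule does; the two configurations and the sample paths are constructed for illustration, and the Ant-style matcher supports only the *, ** and ? wildcards.

```python
import re

# Constructed [urls] section matching the recommended layout above.
SECURED_URLS = """\
[urls]
/api/version = anon
#/** = anon
/** = authc
"""

# Constructed misconfiguration: the anonymous catch-all was never commented out,
# so it sits above the authc line and wins for every path.
MISORDERED_URLS = """\
[urls]
/api/version = anon
/** = anon
/** = authc
"""


def parse_urls_section(ini_text):
    """Return the [urls] entries as an ordered list of (pattern, filter_chain)."""
    entries = []
    in_urls = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank or commented-out line
        if line.startswith("[") and line.endswith("]"):
            in_urls = (line == "[urls]")
            continue
        if in_urls and "=" in line:
            pattern, chain = (part.strip() for part in line.split("=", 1))
            entries.append((pattern, chain))
    return entries


def ant_pattern_to_regex(pattern):
    """Translate an Ant-style path pattern: ** spans segments, * and ? stay inside one."""
    regex = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            regex += ".*"
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            regex += "[^/]"
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile("^" + regex + "$")


def effective_filter(ini_text, request_path):
    """First-match resolution: the earliest matching [urls] entry decides the filter chain."""
    for pattern, chain in parse_urls_section(ini_text):
        if ant_pattern_to_regex(pattern).match(request_path):
            return chain
    return None  # no entry matched


def anonymous_paths(ini_text, request_paths):
    """Paths whose effective chain starts with 'anon', i.e. reachable without logging in."""
    result = []
    for path in request_paths:
        chain = effective_filter(ini_text, path) or ""
        if chain.split(",")[0].strip() == "anon":
            result.append(path)
    return result


if __name__ == "__main__":
    sample_paths = ["/api/version", "/api/notebook", "/api/interpreter/setting", "/"]
    for label, ini in (("secured", SECURED_URLS), ("misordered", MISORDERED_URLS)):
        print(label, "-> anonymous:", anonymous_paths(ini, sample_paths))
```

Running it shows that the secured layout exposes only /api/version anonymously, while the misordered one exposes every sample path, even though it also contains the /** = authc line.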
Note: The [urls] section is processed from top to bottom; earlier statements have precedence. If you have two conflicting lines, the first is honored.

In the [main] section of the shiro.ini contents, enable ldapRealm and modify the following settings for your operating environment. For clusters managed by Ambari, update shiro_ini_content; for non-Ambari clusters, update the shiro.ini file.

Note that there are two types of directory references: those that refer to the LDAP database, and those that refer to user accounts and groups. The domain information can differ between the two.

    [main]
    # authentication settings
    ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
    ldapRealm.contextFactory.environment[ldap.searchBase] = DC=<user-second-level-domain>,DC=<user-top-level-domain>
    ldapRealm.userDnTemplate = uid={0},OU=<user-account>,DC=<user-second-level-domain>,DC=<user-top-level-domain>
    ldapRealm.contextFactory.url = ldap://<ldap-domain>:389
    ldapRealm.contextFactory.authenticationMechanism = simple
    # general settings
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
    securityManager.cacheManager = $cacheManager
    securityManager.sessionManager = $sessionManager
    securityManager.sessionManager.globalSessionTimeout = 86400000
    shiro.loginUrl = /api/login
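The userDnTemplate above is turned into the bind DN by substituting the submitted username for {0}, which is why the template must name the container the user accounts actually live in. The script below is an added example, not code from the page, Zeppelin or Shiro: it renders that substitution for a constructed template (the page's <user-account> and domain placeholders are replaced with example values) and applies RFC 4514 escaping to the username before substitution. The escaping is a defensive measure added here, not a behaviour the page attributes to Zeppelin; the RDN count it reports makes visible why a username containing a DN delimiter must not be substituted verbatim.

```python
import re

# Constructed template standing in for the page's placeholder-based userDnTemplate.
USER_DN_TEMPLATE = "uid={0},OU=people,DC=example,DC=com"

# Characters that RFC 4514 section 2.4 requires to be escaped inside an attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value):
    """Escape one attribute value for inclusion in a DN, following RFC 4514."""
    escaped = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in _DN_SPECIAL
                or (ch == " " and i in (0, last))   # leading/trailing space
                or (ch == "#" and i == 0)):         # leading hash
            escaped.append("\\" + ch)
        elif ch == "\x00":
            escaped.append("\\00")
        else:
            escaped.append(ch)
    return "".join(escaped)


def render_user_dn(template, username):
    """Fill the {0} placeholder of a Shiro userDnTemplate with the escaped username."""
    return template.replace("{0}", escape_dn_value(username))


def dn_rdns(dn):
    """Split a DN into its RDNs on unescaped commas."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


if __name__ == "__main__":
    # Constructed usernames: a normal one and one that carries a DN delimiter.
    for user in ("alice", "alice,OU=admins"):
        safe = render_user_dn(USER_DN_TEMPLATE, user)
        naive = USER_DN_TEMPLATE.replace("{0}", user)
        print(f"{user!r}: escaped bind DN {safe} "
              f"({len(dn_rdns(safe))} RDNs; verbatim substitution yields {len(dn_rdns(naive))})")
```

With escaping, the bind DN for any username keeps exactly the four RDNs the template defines; without it, a username containing a comma changes the DN structure the server is asked to bind as.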
Optional: Zeppelin supports connections to LDAP over SSL. To force Zeppelin to make an SSL connection to LDAP, change the contextFactory.url value from ldap to ldaps and specify the LDAP SSL port; for example:

    ldapRealm.contextFactory.url = ldaps://hdp.example.com:636
If LDAP is using a self-signed certificate, import the certificate into the truststore of the JVM running Zeppelin. Connect to the LDAPS port (636 in the example above), since that is where the server presents its certificate:

    echo -n | openssl s_client -connect ldap.example.com:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt
    keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt
Secure the Websocket channel.

On an Ambari-managed cluster, navigate to the "Advanced zeppelin-config" section and set zeppelin.anonymous.allowed to false.

On a cluster not managed by Ambari, edit the conf/zeppelin-site.xml file and set zeppelin.anonymous.allowed to false. (If the file does not exist, rename conf/zeppelin-site.xml.template to conf/zeppelin-site.xml.)

Restart the Zeppelin server using Ambari or, for a cluster not managed by Ambari, manually restart the Zeppelin server:

    ./bin/zeppelin-daemon.sh restart
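Because a missing or mistyped property leaves the websocket channel open, it is worth checking zeppelin-site.xml before restarting. The following script is an added example (not code from the page or from Zeppelin): it reads the Hadoop-style property XML that zeppelin-site.xml uses and reports whether zeppelin.anonymous.allowed is explicitly false. The three XML documents are constructed samples, and the assumption that an absent property counts as "allowed" is made here to keep the audit conservative.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the <configuration>/<property> layout of zeppelin-site.xml.
SITE_XML_SECURED = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>zeppelin.server.port</name>
    <value>9995</value>
  </property>
  <property>
    <name>zeppelin.anonymous.allowed</name>
    <value>false</value>
  </property>
</configuration>
"""

SITE_XML_OPEN = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>zeppelin.anonymous.allowed</name>
    <value>true</value>
  </property>
</configuration>
"""

SITE_XML_MISSING = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>zeppelin.server.port</name>
    <value>9995</value>
  </property>
</configuration>
"""

ANON_PROPERTY = "zeppelin.anonymous.allowed"
# Assumption for this audit: an absent property is treated as anonymous access allowed.
ANON_DEFAULT_IF_MISSING = True


def read_properties(xml_text):
    """Parse <property><name>/<value> pairs into a dict (whitespace trimmed)."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is None:
            continue
        props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def anonymous_allowed(xml_text):
    """True when the config permits anonymous access (explicitly or by absence)."""
    raw = read_properties(xml_text).get(ANON_PROPERTY)
    if raw is None:
        return ANON_DEFAULT_IF_MISSING
    return raw.lower() == "true"


def audit_site_xml(xml_text):
    """Return a list of findings; an empty list means the anonymous setting is locked down."""
    findings = []
    raw = read_properties(xml_text).get(ANON_PROPERTY)
    if raw is None:
        findings.append(f"{ANON_PROPERTY} is not set; add it with value false")
    elif raw.lower() != "false":
        findings.append(f"{ANON_PROPERTY} is {raw!r}; set it to false")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("secured", SITE_XML_SECURED),
                            ("open", SITE_XML_OPEN),
                            ("missing", SITE_XML_MISSING)):
        print(label, "->", audit_site_xml(xml_text) or ["ok"])
```

To use it against a real cluster, replace the embedded samples with the contents of conf/zeppelin-site.xml; an empty findings list is the state you want before the restart step.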
To use Zeppelin after configuring LDAP authentication:
Open the Zeppelin UI in a new browser tab:
http://<zeppelin-hostname>:9995
Click the Login button at the top right corner of the page.
In the login dialog box, specify a valid LDAP username and password.
If Zeppelin's access to LDAP is configured correctly, Zeppelin presents its home page.