Configuring Authentication for Production Using Active Directory
To enable AD authentication, complete the following steps.
Note: Zeppelin currently uses Bind requests to authenticate end users; it does not support the LDAP compare operation.
The following steps describe basic settings. For more information about these and other settings, see Shiro Settings: Reference and Shiro authentication for Apache Zeppelin.
Secure the HTTP channel.
In the [urls] section of shiro.ini contents, uncomment the line /** = authc and comment out the line /** = anon (to disable anonymous access):

    [urls]
    /api/version = anon
    #/** = anon
    /** = authc
Note: The [urls] section is processed from top to bottom; earlier statements have precedence. If you have two conflicting lines, the first is honored. In particular, an uncommented /** = anon left above /** = authc keeps the entire web UI anonymous, because the anon rule matches every path first.

In the [main] section of shiro.ini contents, enable activeDirectoryRealm and modify the following settings for your operating environment. For clusters managed by Ambari, update shiro_ini_content; for non-Ambari clusters, update the shiro.ini file.

Note that there are two types of directory references: those that refer to the AD database (the url setting) and those that refer to user accounts and groups (the searchBase setting). Domain information can differ between the two.
    [main]
    # authentication settings
    activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
    activeDirectoryRealm.url = ldap://<ldap-domain>:389
    activeDirectoryRealm.searchBase = DC=<user-org-level-domain>,DC=<user-second-level-domain>,DC=<user-top-level-domain>
    # general settings
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
    securityManager.cacheManager = $cacheManager
    securityManager.sessionManager = $sessionManager
    securityManager.sessionManager.globalSessionTimeout = 86400000
    shiro.loginUrl = /api/login
Optional: Zeppelin supports connections to AD over SSL/TLS. To force Zeppelin to make a TLS connection to AD, change the value of activeDirectoryRealm.url from ldap to ldaps and specify the AD SSL port; for example:

    activeDirectoryRealm.url = ldaps://hdp.example.com:636

Treat this as required rather than optional in production: with a plain ldap:// URL the simple bind that authenticates each user sends that user's password across the network in clear text.
If AD presents a self-signed certificate (or one issued by a private CA that the JVM does not already trust), import the certificate into the truststore of the JVM running Zeppelin. Connect to the LDAPS port (636), not the plain LDAP port, so that s_client actually receives a certificate, and compare the fingerprint that keytool -printcert shows with the value obtained from the AD administrator before importing; importing an unverified certificate trusts whichever endpoint answered the connection:

    openssl s_client -connect ldap.example.com:636 </dev/null 2>/dev/null | \
      sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt
    keytool -printcert -file /tmp/examplecert.crt
    keytool -import \
      -keystore $JAVA_HOME/jre/lib/security/cacerts \
      -storepass changeit \
      -noprompt \
      -alias mycert \
      -file /tmp/examplecert.crt

The path shown is for a JDK 8 installation; a JRE-only install or Java 9 and later keeps cacerts under $JAVA_HOME/lib/security/cacerts. Importing into cacerts makes every Java application on that JVM trust the certificate; if that is not wanted, import into a dedicated truststore and point Zeppelin at it with -Djavax.net.ssl.trustStore in ZEPPELIN_JAVA_OPTS.
Secure the Websocket channel.
On an Ambari-managed cluster, navigate to the "Advanced zeppelin-config" section and set zeppelin.anonymous.allowed to false.
On a cluster not managed by Ambari, edit the conf/zeppelin-site.xml file and set zeppelin.anonymous.allowed to false. (If the file does not exist, rename conf/zeppelin-site.xml.template to conf/zeppelin-site.xml, and then edit zeppelin-site.xml.) The [urls] rules in shiro.ini govern HTTP requests only; this property is what closes anonymous access over the notebook websocket, so both steps are needed.

Optional: If you want to keep clear passwords from appearing in shiro.ini, complete the following steps:
At your OS command line interface, use the Hadoop credential command to create an entry for the Active Directory credential. The provider URI must carry the file authority (jceks://file/...) so that the keystore is written to and read from the local filesystem, and the same URI must be used in shiro.ini below:

    > hadoop credential create activeDirectoryRealm.systemPassword -provider jceks://file/etc/zeppelin/conf/credentials.jceks
    Enter password:
    Enter password again:
    activeDirectoryRealm.systemPassword has been successfully created.
    org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.

Using chmod 400, make the credentials.jceks file readable only by the Zeppelin system user (chown it to that user first; mode 400 is read-only, which is sufficient because Zeppelin only reads the keystore at startup and on bind).
Add the following line to shiro.ini contents, and remove any clear-text activeDirectoryRealm.systemPassword line; the realm then reads the password stored under the alias activeDirectoryRealm.systemPassword from the keystore:

    activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/etc/zeppelin/conf/credentials.jceks
Restart the Zeppelin server using Ambari or, for a cluster not managed by Ambari, manually restart the Zeppelin server:
./bin/zeppelin-daemon.sh restart
After successful configuration, Zeppelin requires credentials before allowing users to access the Web UI.
Note: Unless activeDirectoryRealm.principalSuffix is specified, users must fully qualify their account name: ad-username@AD.DOMAIN.COM
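As an added example (not code from the HDP documentation or from the Zeppelin project), the following POSIX shell script lints a shiro.ini for the three settings this procedure changes: the [urls] catch-all rule (first match wins, so /** = anon above /** = authc leaves the UI open), the realm URL scheme, and a clear-text bind password. The host ad.example.com, the account svc-zeppelin, the keystore path and the two sample files are constructed for the demonstration; activeDirectoryRealm.systemUsername and activeDirectoryRealm.hadoopSecurityCredentialPath are used on the assumption that the installed Zeppelin release exposes those realm properties.

```shell
#!/bin/sh
# Added example, not part of the HDP documentation or of Zeppelin itself:
# a POSIX sh + awk lint for the shiro.ini settings this procedure changes.
# Reports three mistakes that silently leave Zeppelin open or weak:
#   1. the first "/**" rule in [urls] is anon, not authc (first match wins),
#   2. activeDirectoryRealm.url is ldap://, so bind passwords cross the wire in clear,
#   3. activeDirectoryRealm.systemPassword is still written in clear text.
# Host names, account names, paths and the sample files below are constructed.

# Print the non-blank, non-comment lines of section $2 of ini file $1.
shiro_section() {
    awk -v want="[$2]" '
        { line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line) }
        line ~ /^\[/ { insec = (line == want); next }
        insec && line != "" && line !~ /^#/ { print line }
    ' "$1"
}

# Print the value of key $2 in section $3 of file $1. The first occurrence
# wins, mirroring how Shiro walks its [urls] chain; empty when absent.
shiro_get() {
    shiro_section "$1" "$3" | awk -v key="$2" '
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]/, "", k)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# Shiro applies the first matching [urls] pattern, so the first "/**" line
# decides what every path not listed above it gets.
catchall_is_authc() {
    [ "$(shiro_get "$1" '/**' urls)" = "authc" ]
}

# Only ldaps:// keeps the simple-bind password off the network in clear text.
realm_url_is_ldaps() {
    case "$(shiro_get "$1" activeDirectoryRealm.url main)" in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# True when the bind account's password is still in [main] in clear text.
has_clear_system_password() {
    [ -n "$(shiro_get "$1" activeDirectoryRealm.systemPassword main)" ]
}

# Print one line per finding; a hardened file produces no output.
shiro_findings() {
    catchall_is_authc "$1" ||
        echo "urls: first /** rule is not authc, anonymous catch-all wins"
    realm_url_is_ldaps "$1" ||
        echo "main: activeDirectoryRealm.url is not ldaps://, bind is sent in the clear"
    ! has_clear_system_password "$1" ||
        echo "main: activeDirectoryRealm.systemPassword is stored in clear text"
}

# Constructed sample: default [urls] left untouched plus a clear-text password.
write_weak_sample() {
    cat > "$1" <<'EOF'
[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldap://ad.example.com:389
activeDirectoryRealm.searchBase = DC=example,DC=com
activeDirectoryRealm.systemUsername = svc-zeppelin
activeDirectoryRealm.systemPassword = clear-text-secret

[urls]
/api/version = anon
/** = anon
/** = authc
EOF
}

# Constructed sample: the state this procedure leaves the file in.
write_hardened_sample() {
    cat > "$1" <<'EOF'
[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldaps://ad.example.com:636
activeDirectoryRealm.searchBase = DC=example,DC=com
activeDirectoryRealm.systemUsername = svc-zeppelin
activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/etc/zeppelin/conf/credentials.jceks

[urls]
/api/version = anon
#/** = anon
/** = authc
EOF
}

# Demo: lint both samples (weak.ini yields three findings, hardened.ini none).
demo_dir=$(mktemp -d)
write_weak_sample "$demo_dir/weak.ini"
write_hardened_sample "$demo_dir/hardened.ini"
for name in weak hardened; do
    echo "== $name.ini"
    shiro_findings "$demo_dir/$name.ini"
done
rm -rf "$demo_dir"
```

Run it against the real file with shiro_findings /etc/zeppelin/conf/shiro.ini (or against the shiro_ini_content exported from Ambari) before restarting Zeppelin; an empty result is the expected state after the steps above. The parser deliberately honors only the first occurrence of a key, because that is what Shiro does for [urls] and it is exactly the mistake the precedence note warns about.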