Configuring Authentication for Production Using LDAP
Use the following steps to configure Apache Zeppelin for LDAP in production environments.
To use any form of LDAP other than AD, complete the steps in this section.
Note: Zeppelin currently uses LDAP Bind requests to authenticate end users; it does not support the LDAP
1. Secure the HTTP channel.

   In the [urls] section of the shiro.ini contents, uncomment the line `/** = authc` and comment out the line `/** = anon` (to disable anonymous access):

   ```ini
   [urls]
   /api/version = anon
   #/** = anon
   /** = authc
   ```

   Note: The [urls] section is processed from top to bottom; earlier statements have precedence. If you have two conflicting lines, the first is honored.
2. In the [main] section of the shiro.ini contents, enable ldapRealm and modify the following settings for your operating environment. For clusters managed by Ambari, update shiro_ini_content; for non-Ambari clusters, update the shiro.ini file.

   Note that there are two types of directory references: those that refer to the LDAP database, and those that refer to user accounts and groups. The domain information can differ between the two.

   ```ini
   [main]
   # authentication settings
   ldapRealm = org.apache.zeppelin.realm.LdapRealm
   ldapRealm.contextFactory.environment[ldap.searchBase] = DC=<user-second-level-domain>,DC=<user-top-level-domain>
   ldapRealm.userDnTemplate = uid={0},OU=<user-account>,DC=<user-second-level-domain>,DC=<user-top-level-domain>
   ldapRealm.contextFactory.url = ldap://<ldap-domain>:389
   ldapRealm.contextFactory.authenticationMechanism = simple

   # general settings
   sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
   cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
   securityManager.cacheManager = $cacheManager
   securityManager.sessionManager = $sessionManager
   securityManager.sessionManager.globalSessionTimeout = 86400000
   shiro.loginUrl = /api/login
   ```
3. [Optional] Zeppelin supports connections to LDAP over SSL. To force Zeppelin to make an SSL connection to LDAP, change the contextFactory.url value from ldap to ldaps and specify the LDAP SSL port; for example:

   ```ini
   ldapRealm.contextFactory.url = ldaps://hdp.example.com:636
   ```

   If LDAP is using a self-signed certificate, import the certificate into the truststore of the JVM running Zeppelin:

   ```bash
   # Fetch the server certificate from the LDAPS port (636); the plaintext
   # LDAP port 389 does not present a certificate to s_client.
   echo -n | openssl s_client -connect ldap.example.com:636 | \
     sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt

   # Import it into the truststore of the JVM that runs Zeppelin.
   keytool -import \
     -keystore $JAVA_HOME/jre/lib/security/cacerts \
     -storepass changeit \
     -noprompt \
     -alias mycert \
     -file /tmp/examplecert.crt
   ```
4. Secure the Websocket channel.

   On an Ambari-managed cluster, set zeppelin.anonymous.allowed to false.

   On a cluster not managed by Ambari, edit the conf/zeppelin-site.xml file and set zeppelin.anonymous.allowed to false. (If the file does not exist, rename conf/zeppelin-site.xml.template to conf/zeppelin-site.xml.)
5. Restart the Zeppelin server using Ambari or, for a cluster not managed by Ambari, manually restart the Zeppelin server:

   ```bash
   ./bin/zeppelin-daemon.sh restart
   ```
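As an added check for steps 1 through 4 (example code written here, not part of this page or of the Zeppelin project), the following Python script parses a shiro.ini in document order, resolves which [urls] filter applies to a request path under the first-match rule the note above describes, and flags the settings these steps harden: an active `/** = anon` line that shadows `/** = authc`, a plaintext ldap:// context URL, and zeppelin.anonymous.allowed left at true in zeppelin-site.xml. The two sample configurations, the hostname ldap.example.com and the sample request paths are constructed for the example; the Ant-style pattern matcher is a simplification of Shiro's AntPathMatcher that covers the patterns used on this page.

```python
"""Lint a Zeppelin shiro.ini and zeppelin-site.xml for the hardening steps above.

Shiro's [urls] section is first-match-wins and may repeat a key, which
configparser cannot model (it collapses duplicate keys), so the ini is
parsed by hand in document order.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the operator left '/** = anon' active and kept ldap://.
SHIRO_INI_WEAK = """\
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://ldap.example.com:389
ldapRealm.contextFactory.authenticationMechanism = simple
shiro.loginUrl = /api/login

[urls]
/api/version = anon
/** = anon
/** = authc
"""

# Constructed sample: the hardened form described in steps 1 and 3.
SHIRO_INI_HARDENED = (SHIRO_INI_WEAK
                      .replace("ldap://ldap.example.com:389", "ldaps://ldap.example.com:636")
                      .replace("\n/** = anon\n", "\n#/** = anon\n"))

# Constructed zeppelin-site.xml fragments for step 4.
SITE_XML_WEAK = ("<configuration><property><name>zeppelin.anonymous.allowed</name>"
                 "<value>true</value></property></configuration>")
SITE_XML_HARDENED = SITE_XML_WEAK.replace("<value>true</value>", "<value>false</value>")


def parse_shiro_ini(text):
    """Return {section: [(key, value), ...]} preserving order and duplicates.

    Lines starting with '#' or ';' are comments, so a commented-out
    '#/** = anon' line never becomes a filter chain definition.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current].append((key.strip(), value.strip()))
    return sections


def ant_to_regex(pattern):
    """Translate an Ant-style URL pattern into an anchored regex (simplified).

    '**' spans path separators, '*' matches within one segment, '?' one char.
    """
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def effective_filter(url_chains, path):
    """First matching [urls] entry wins; None means no chain applies."""
    for pattern, chain in url_chains:
        if ant_to_regex(pattern).match(path):
            return chain
    return None


def anonymous_allowed(site_xml):
    """Read zeppelin.anonymous.allowed; treated as true when absent (Zeppelin's default)."""
    root = ET.fromstring(site_xml)
    for prop in root.iter("property"):
        if prop.findtext("name") == "zeppelin.anonymous.allowed":
            return prop.findtext("value", "").strip().lower() == "true"
    return True


def lint(shiro_ini, site_xml, sample_path="/api/notebook"):
    """Return the findings a reviewer of these two files would raise."""
    findings = []
    cfg = parse_shiro_ini(shiro_ini)
    chain = effective_filter(cfg.get("urls", []), sample_path)
    if chain is None or chain.split(",")[0].strip() == "anon":
        findings.append(f"HTTP: {sample_path} resolves to {chain!r}; "
                        "authc never applies (check [urls] ordering)")
    for key, value in cfg.get("main", []):
        if key == "ldapRealm.contextFactory.url" and value.startswith("ldap://"):
            findings.append("LDAP: bind credentials sent over plaintext ldap://; use ldaps://")
    if anonymous_allowed(site_xml):
        findings.append("Websocket: zeppelin.anonymous.allowed is true")
    return findings


if __name__ == "__main__":
    for label, ini, xml in (("weak", SHIRO_INI_WEAK, SITE_XML_WEAK),
                            ("hardened", SHIRO_INI_HARDENED, SITE_XML_HARDENED)):
        print(label, lint(ini, xml) or ["no findings"])
```

Running the script against the weak pair reports all three findings; against the hardened pair it reports none, while `/api/version` still resolves to anon in both because that line precedes `/** = authc`, which is the ordering the note above relies on.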