Configuring Apache Zeppelin Security
Also available as:
PDF

Getting Started

Use the following steps to begin configuring Apache Zeppelin security.

To use LDAP or Active Directory (AD) as the identity store, LDAP or AD must be installed and running on your cluster. You will need LDAP or AD coordinates to configure them for use with Zeppelin. In addition, the associated user accounts must be defined on your Zeppelin nodes.

Configure Security on an Ambari-Managed Cluster

If your cluster is managed by Ambari, navigate to the Configs tab and edit settings in the "Advanced zeppelin-env", "Advanced zeppelin-config", "zeppelin-log4j-properties" and "zeppelin-shiro-ini" sections, as described in following subsections.

Changes to shiro_ini_content require restarting the Zeppelin server. Ambari indicates this with a warning, and offers a menu option to restart Zeppelin.

Configure Security on a non-Ambari Cluster

If your cluster is not managed by Ambari:

  1. Locate the shiro.ini template file in the Zeppelin /conf folder:

    /usr/hdp/current/zeppelin-server/conf/shiro.ini.template.

  2. Copy the template file as shiro.ini:

    /usr/hdp/current/zeppelin-server/conf/shiro.ini

  3. Edit the shiro.ini file as described in the following subsections.
  4. After editing the shiro.ini file, restart the Zeppelin server:
    ./bin/zeppelin-daemon.sh restart

shiro.ini Structure

The shiro_ini_content property (Ambari) and shiro.ini file (non-Ambari) contain several sections for configuring authentication:

  • [main], which contains definitions for LDAP or Active Directory objects and properties.

  • [users], which can be used to specify user accounts and passwords for simple deployments that do not require secure passwords, and require only a small number of statically-defined accounts.

  • [roles], for defining roles associated with access control.

  • [urls], for configuring URL-based security. For Zepplin, the [urls] section is used to specify authentication method and define access control filters.