Configuring Apache Zeppelin Security
Also available as:

Configuring Authentication for Production Using LDAP

Use the following steps to configure Apache Zeppelin for LDAP in production environments.

To use any form of LDAP other than AD, complete the steps in this section.


Zeppelin currently uses LDAP Bind requests to authenticate end users; it does not support the LDAP compare operation.

  1. Secure the HTTP channel.

    In the [urls] section of of shiro.ini contents, uncomment the line /** = authc, and comment out the line /** = anon (to disable anonymous access):

    /api/version = anon
    #/** = anon
    /** = authc

    Note: The [urls] section is processed from top to bottom; earlier statements have precedence. If you have two conflicting lines, the first is honored.

  2. In the [main] section of shiro.ini contents, enable ldapRealm and modify the following settings for your operating environment. For clusters managed by Ambari, update shiro_ini_content; for non-Ambari clusters, update the shiro.ini file.

    Note that there are two types of directory references: those that refer to the LDAP database, and those that refer to user accounts and groups. The domain information can differ between the two.

    # authentication settings
    ldapRealm = org.apache.zeppelin.realm.LdapRealm 
    ldapRealm.contextFactory.environment[ldap.searchBase] = DC=<user-second-level-domain>,DC=<user-top-level-domain> 
    ldapRealm.userDnTemplate = uid={0},OU=<user-account>,DC=<user-second-level-domain>,DC=<user-top-level-domain> 
    ldapRealm.contextFactory.url = ldap://<ldap-domain>:389 
    ldapRealm.contextFactory.authenticationMechanism = simple
    # general settings
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager 
    cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager 
    securityManager.cacheManager = $cacheManager 
    securityManager.sessionManager = $sessionManager 
    securityManager.sessionManager.globalSessionTimeout = 86400000
    shiro.loginUrl = /api/login
  3. [Optional]: Zeppelin supports connections to LDAP over SSL. To force Zeppelin to make an SSL connection to LDAP, change the contextFactory.url value from ldap to ldaps and specify the LDAP SSL port; for example:
    ldapRealm.contextFactory.url = ldaps://

    If LDAP is using a self-signed certificate, import the certificate into the truststore of JVM running Zeppelin:

    echo -n | openssl s_client –connect | \
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt 
    keytool –import \
        -keystore $JAVA_HOME/jre/lib/security/cacerts \
        -storepass changeit \
        -noprompt \
        -alias mycert \
        -file /tmp/examplecert.crt
  4. Secure the Websocket channel.

    On an Ambari-managed cluster, set zeppelin.anonymous.allowed to false.

    On a cluster not managed by Ambari, edit the conf/zeppelin-site.xml file. Set zeppelin.anonymous.allowed to false. (If the file does not exist, rename conf/zeppelin-site.xml.template to conf/zeppelin-site.xml.)

  5. Restart the Zeppelin server using Ambari or, for a cluster not managed by Ambari, manually restart the Zeppelin server:
    ./bin/ restart