question Zeppelin security : Issues while securing Zeppelin UI in Archives of Support Questions (Read Only)

Zeppelin security : Issues while securing Zeppelin UI

kaliyugantagoni — Fri, 09 Sep 2016 05:06:36 GMT

HDP-2.4.2.0-258 installed using Ambari 2.2.2.0

I installed Zeppelin(0.6.0.2.4.2.0-258)manually and was able to execute several paragraphs in a notebook.

Now I wish to secure it step-by-step, starting with the authentication for the web UI, integrated with LDAP i.e when a user enters his credentials after hitting http://<zeppelin_server_hostname>:9995/, he can proceed only if he is present in at least one of the several Unix LDAP groups as follows :

devdatalakeadm

datascientist

developer

I tried the ways mentioned in the Hortonworks article, Hortonworks Zeppelin tutorial, Apache Zeppelin doc. etc. but getting some or the other error, currently, I am focusing on just one LDAP group.

The conf/shiro.ini file :

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
#admin = password1
#user1 = password2, role1, role2
#user2 = password3, role3
#user3 = password4, role2
# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
#ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.contextFactory.environment[ldap.searchBase]=dc=company,dc=SE
ldapRealm.userDnTemplate = uid={0},CN=devadmin,ou=Group,dc=company,dc=SE
ldapRealm.contextFactory.url = ldap://unix-ldap.company.com:389
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
shiro.loginUrl = /api/login
[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enfore security, comment the line below and uncomment the next one
/api/version = anon
#/** = anon
/** = authcBasic

For the ldapRealm, if I provide org.apache.zeppelin.server.LdapGroupRealm, I get the following error and Zeppelin fails to start

ERROR [2016-09-05 14:26:14,996] ({main} ZeppelinServer.java[main]:117) - Error while running jettyServer
org.apache.shiro.config.ConfigurationException: Unable to instantiate class [org.apache.zeppelin.server.LdapGroupRealm] for object named 'ldapRealm'.  Please ensure you've specified the fully qualified class name correctly.
at org.apache.shiro.config.ReflectionBuilder.createNewInstance(ReflectionBuilder.java:151)
at org.apache.shiro.config.ReflectionBuilder.buildObjects(ReflectionBuilder.java:119)
at org.apache.shiro.config.IniSecurityManagerFactory.buildInstances(IniSecurityManagerFactory.java:161)
at org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:124)
at org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:102)
at org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:88)
at org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:46)
at org.apache.shiro.config.IniFactorySupport.createInstance(IniFactorySupport.java:123)
at org.apache.shiro.util.AbstractFactory.getInstance(AbstractFactory.java:47)
at org.apache.shiro.web.env.IniWebEnvironment.createWebSecurityManager(IniWebEnvironment.java:203)
at org.apache.shiro.web.env.IniWebEnvironment.configure(IniWebEnvironment.java:99)
at org.apache.shiro.web.env.IniWebEnvironment.init(IniWebEnvironment.java:92)
at org.apache.shiro.util.LifecycleUtils.init(LifecycleUtils.java:45)
at org.apache.shiro.util.LifecycleUtils.init(LifecycleUtils.java:40)
at org.apache.shiro.web.env.EnvironmentLoader.createEnvironment(EnvironmentLoader.java:221)
at org.apache.shiro.web.env.EnvironmentLoader.initEnvironment(EnvironmentLoader.java:133)
at org.apache.shiro.web.env.EnvironmentLoaderListener.contextInitialized(EnvironmentLoaderListener.java:58)
at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)
at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)
at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)
at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)
at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:172)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
at org.eclipse.jetty.server.Server.doStart(Server.java:282)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
at org.apache.zeppelin.server.ZeppelinServer.main(ZeppelinServer.java:115)
Caused by: org.apache.shiro.util.UnknownClassException: Unable to load class named [org.apache.zeppelin.server.LdapGroupRealm] from the thread context, current, or system/application ClassLoaders.  All heuristics have been exhausted.  Class could not be found.
at org.apache.shiro.util.ClassUtils.forName(ClassUtils.java:148)
at org.apache.shiro.util.ClassUtils.newInstance(ClassUtils.java:164)
at org.apache.shiro.config.ReflectionBuilder.createNewInstance(ReflectionBuilder.java:144)
... 29 more

If I use org.apache.shiro.realm.ldap.JndiLdapRealm,

Zeppelin starts successfully
When accessing http://<zeppelin_server_hostname>:9995/, I get an username password prompt in the browser
I enter my credentials and probably the log-in fails as the window reappears
If I cancel instead of entering the username and password, I get the Zeppelin UI(that's crazy !)

The error :

ERROR [2016-09-05 14:29:36,153] ({qtp762227630-30} NotebookServer.java[onMessage]:207) - Can't handle message
java.lang.Exception: Invalid ticket  != 16731c36-4f7e-4dd6-b567-8da934aeecd0
at org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:113)
at org.apache.zeppelin.socket.NotebookSocket.onMessage(NotebookSocket.java:56)
at org.eclipse.jetty.websocket.WebSocketConnectionRFC6455$WSFrameHandler.onFrame(WebSocketConnectionRFC6455.java:835)
at org.eclipse.jetty.websocket.WebSocketParserRFC6455.parseNext(WebSocketParserRFC6455.java:349)
at org.eclipse.jetty.websocket.WebSocketConnectionRFC6455.handle(WebSocketConnectionRFC6455.java:225)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:745)
ERROR [2016-09-05 14:29:36,159] ({qtp762227630-34} NotebookServer.java[onMessage]:207) - Can't handle message
java.lang.Exception: Invalid ticket  != 16731c36-4f7e-4dd6-b567-8da934aeecd0
at org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:113)
at org.apache.zeppelin.socket.NotebookSocket.onMessage(NotebookSocket.java:56)
at org.eclipse.jetty.websocket.WebSocketConnectionRFC6455$WSFrameHandler.onFrame(WebSocketConnectionRFC6455.java:835)
at org.eclipse.jetty.websocket.WebSocketParserRFC6455.parseNext(WebSocketParserRFC6455.java:349)
at org.eclipse.jetty.websocket.WebSocketConnectionRFC6455.handle(WebSocketConnectionRFC6455.java:225)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:745)
ERROR [2016-09-05 14:29:46,150] ({qtp762227630-30} NotebookServer.java[onMessage]:207) - Can't handle message
java.lang.Exception: Invalid ticket  != 16731c36-4f7e-4dd6-b567-8da934aeecd0
at org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:113)
at org.apache.zeppelin.socket.NotebookSocket.onMessage(NotebookSocket.java:56)
at org.eclipse.jetty.websocket.WebSocketConnectionRFC6455$WSFrameHandler.onFrame(WebSocketConnectionRFC6455.java:835)
at org.eclipse.jetty.websocket.WebSocketParserRFC6455.parseNext(WebSocketParserRFC6455.java:349)
at org.eclipse.jetty.websocket.WebSocketConnectionRFC6455.handle(WebSocketConnectionRFC6455.java:225)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:745)
ERROR [2016-09-05 14:29:56,150] ({qtp762227630-31} NotebookServer.java[onMessage]:207) - Can't handle message
java.lang.Exception: Invalid ticket  != 16731c36-4f7e-4dd6-b567-8da934aeecd0
at org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:113)
at org.apache.zeppelin.socket.NotebookSocket.onMessage(NotebookSocket.java:56)
at org.eclipse.jetty.websocket.WebSocketConnectionRFC6455$WSFrameHandler.onFrame(WebSocketConnectionRFC6455.java:835)
at org.eclipse.jetty.websocket.WebSocketParserRFC6455.parseNext(WebSocketParserRFC6455.java:349)
at org.eclipse.jetty.websocket.WebSocketConnectionRFC6455.handle(WebSocketConnectionRFC6455.java:225)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:745)
ERROR [2016-09-05 14:30:06,151] ({qtp762227630-29} NotebookServer.java[onMessage]:207) - Can't handle message
java.lang.Exception: Invalid ticket  != 16731c36-4f7e-4dd6-b567-8da934aeecd0
at org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:113)
at org.apache.zeppelin.socket.NotebookSocket.onMessage(NotebookSocket.java:56)
at org.eclipse.jetty.websocket.WebSocketConnectionRFC6455$WSFrameHandler.onFrame(WebSocketConnectionRFC6455.java:835)
at org.eclipse.jetty.websocket.WebSocketParserRFC6455.parseNext(WebSocketParserRFC6455.java:349)
at org.eclipse.jetty.websocket.WebSocketConnectionRFC6455.handle(WebSocketConnectionRFC6455.java:225)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:745)
ERROR [2016-09-05 14:30:16,151] ({qtp762227630-32} NotebookServer.java[onMessage]:207) - Can't handle message
java.lang.Exception: Invalid ticket  != 16731c36-4f7e-4dd6-b567-8da934aeecd0
at org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:113)
at org.apache.zeppelin.socket.NotebookSocket.onMessage(NotebookSocket.java:56)
at org.eclipse.jetty.websocket.WebSocketConnectionRFC6455$WSFrameHandler.onFrame(WebSocketConnectionRFC6455.java:835)
at org.eclipse.jetty.websocket.WebSocketParserRFC6455.parseNext(WebSocketParserRFC6455.java:349)
at org.eclipse.jetty.websocket.WebSocketConnectionRFC6455.handle(WebSocketConnectionRFC6455.java:225)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:745)

********************EDIT-1 : New Zeppelin version(zeppelin-0.6.1-bin-all.tgz)********************

I am running the new version on the same machine as Ambari and the existing/older Zeppelin version.

In spite of entering the valid credentials, I get an LDAP authentication exception :

INFO [2016-09-08 11:46:05,017] ({main} Log.java[initialized]:186) - Logging initialized @356ms
 INFO [2016-09-08 11:46:05,089] ({main} ZeppelinServer.java[setupWebAppContext]:266) - ZeppelinServer Webapp path: /usr/share/dumphere/installhere/zeppelin-0.6.1-bin-all/webapps
 INFO [2016-09-08 11:46:05,301] ({main} AuthorizingRealm.java[getAuthorizationCacheLazy]:248) - No cache or cacheManager properties have been set.  Authorization cache cannot be obtained.
 INFO [2016-09-08 11:46:05,345] ({main} ZeppelinServer.java[main]:114) - Starting zeppelin server
 INFO [2016-09-08 11:46:05,349] ({main} Server.java[doStart]:327) - jetty-9.2.15.v20160210
 INFO [2016-09-08 11:46:05,515] ({main} StandardDescriptorProcessor.java[visitServlet]:297) - NO JSP Support for /, did not find org.eclipse.jetty.jsp.JettyJspServlet
 INFO [2016-09-08 11:46:05,529] ({main} ContextHandler.java[log]:2052) - Initializing Shiro environment
 INFO [2016-09-08 11:46:05,529] ({main} EnvironmentLoader.java[initEnvironment]:128) - Starting Shiro environment initialization.
 INFO [2016-09-08 11:46:05,591] ({main} AuthorizingRealm.java[getAuthorizationCacheLazy]:248) - No cache or cacheManager properties have been set.  Authorization cache cannot be obtained.
 INFO [2016-09-08 11:46:05,596] ({main} EnvironmentLoader.java[initEnvironment]:141) - Shiro environment initialized in 67 ms.
 WARN [2016-09-08 11:46:05,601] ({main} ServletHolder.java[getNameOfJspClass]:923) - Unable to make identifier for jsp rest trying rest instead
ERROR [2016-09-08 11:46:05,819] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:05,820] ({main} InterpreterFactory.java[init]:154) - Interpreter alluxio.alluxio found. class=org.apache.zeppelin.alluxio.AlluxioInterpreter
ERROR [2016-09-08 11:46:05,825] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:05,825] ({main} InterpreterFactory.java[init]:154) - Interpreter angular.angular found. class=org.apache.zeppelin.angular.AngularInterpreter
 INFO [2016-09-08 11:46:05,862] ({main} InterpreterFactory.java[init]:154) - Interpreter bigquery.sql found. class=org.apache.zeppelin.bigquery.BigQueryInterpreter
 INFO [2016-09-08 11:46:05,895] ({main} CassandraInterpreter.java[<clinit>]:155) - Bootstrapping Cassandra Interpreter
ERROR [2016-09-08 11:46:05,896] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:05,896] ({main} InterpreterFactory.java[init]:154) - Interpreter cassandra.cassandra found. class=org.apache.zeppelin.cassandra.CassandraInterpreter
ERROR [2016-09-08 11:46:05,933] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:05,934] ({main} InterpreterFactory.java[init]:154) - Interpreter elasticsearch.elasticsearch found. class=org.apache.zeppelin.elasticsearch.ElasticsearchInterpreter
ERROR [2016-09-08 11:46:05,948] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:05,948] ({main} InterpreterFactory.java[init]:154) - Interpreter file.hdfs found. class=org.apache.zeppelin.file.HDFSFileInterpreter
 INFO [2016-09-08 11:46:06,007] ({main} InterpreterFactory.java[init]:154) - Interpreter flink.flink found. class=org.apache.zeppelin.flink.FlinkInterpreter
ERROR [2016-09-08 11:46:06,072] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:06,072] ({main} InterpreterFactory.java[init]:154) - Interpreter hbase.hbase found. class=org.apache.zeppelin.hbase.HbaseInterpreter
ERROR [2016-09-08 11:46:06,103] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:06,103] ({main} InterpreterFactory.java[init]:154) - Interpreter ignite.ignite found. class=org.apache.zeppelin.ignite.IgniteInterpreter
ERROR [2016-09-08 11:46:06,104] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:06,104] ({main} InterpreterFactory.java[init]:154) - Interpreter ignite.ignitesql found. class=org.apache.zeppelin.ignite.IgniteSqlInterpreter
 INFO [2016-09-08 11:46:06,122] ({main} InterpreterFactory.java[init]:154) - Interpreter jdbc.sql found. class=org.apache.zeppelin.jdbc.JDBCInterpreter
ERROR [2016-09-08 11:46:06,131] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:06,132] ({main} InterpreterFactory.java[init]:154) - Interpreter kylin.kylin found. class=org.apache.zeppelin.kylin.KylinInterpreter
ERROR [2016-09-08 11:46:06,188] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:06,189] ({main} InterpreterFactory.java[init]:154) - Interpreter lens.lens found. class=org.apache.zeppelin.lens.LensInterpreter
ERROR [2016-09-08 11:46:06,212] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:06,212] ({main} InterpreterFactory.java[init]:154) - Interpreter livy.spark found. class=org.apache.zeppelin.livy.LivySparkInterpreter
ERROR [2016-09-08 11:46:06,216] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:06,216] ({main} InterpreterFactory.java[init]:154) - Interpreter livy.pyspark found. class=org.apache.zeppelin.livy.LivyPySparkInterpreter
ERROR [2016-09-08 11:46:06,217] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:06,217] ({main} InterpreterFactory.java[init]:154) - Interpreter livy.sparkr found. class=org.apache.zeppelin.livy.LivySparkRInterpreter
 INFO [2016-09-08 11:46:06,218] ({main} InterpreterFactory.java[init]:154) - Interpreter livy.sql found. class=org.apache.zeppelin.livy.LivySparkSQLInterpreter
ERROR [2016-09-08 11:46:06,222] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:06,222] ({main} InterpreterFactory.java[init]:154) - Interpreter md.md found. class=org.apache.zeppelin.markdown.Markdown
ERROR [2016-09-08 11:46:06,232] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:06,233] ({main} InterpreterFactory.java[init]:154) - Interpreter psql.sql found. class=org.apache.zeppelin.postgresql.PostgreSqlInterpreter
ERROR [2016-09-08 11:46:06,240] ({main} Interpreter.java[register]:315) - Static initialization is deprecated. You should change it to use interpreter-setting.json in your jar or interpreter/{interpreter}/interpreter-setting.json
 INFO [2016-09-08 11:46:06,240] ({main} InterpreterFactory.java[init]:154) - Interpreter python.python found. class=org.apache.zeppelin.python.PythonInterpreter
 INFO [2016-09-08 11:46:06,248] ({main} InterpreterFactory.java[init]:154) - Interpreter sh.sh found. class=org.apache.zeppelin.shell.ShellInterpreter
 INFO [2016-09-08 11:46:06,413] ({main} InterpreterFactory.java[init]:154) - Interpreter spark.spark found. class=org.apache.zeppelin.spark.SparkInterpreter
 INFO [2016-09-08 11:46:06,415] ({main} InterpreterFactory.java[init]:154) - Interpreter spark.pyspark found. class=org.apache.zeppelin.spark.PySparkInterpreter
 INFO [2016-09-08 11:46:06,418] ({main} InterpreterFactory.java[init]:154) - Interpreter spark.r found. class=org.apache.zeppelin.spark.SparkRInterpreter
 INFO [2016-09-08 11:46:06,419] ({main} InterpreterFactory.java[init]:154) - Interpreter spark.sql found. class=org.apache.zeppelin.spark.SparkSqlInterpreter
 INFO [2016-09-08 11:46:06,420] ({main} InterpreterFactory.java[init]:154) - Interpreter spark.dep found. class=org.apache.zeppelin.spark.DepInterpreter
 INFO [2016-09-08 11:46:06,437] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group angular : id=2BVXP3PZM, name=angular
 INFO [2016-09-08 11:46:06,437] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group md : id=2BUZ75MW2, name=md
 INFO [2016-09-08 11:46:06,437] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group alluxio : id=2BVFEWB5S, name=alluxio
 INFO [2016-09-08 11:46:06,437] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group psql : id=2BX5GS8CM, name=psql
 INFO [2016-09-08 11:46:06,438] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group jdbc : id=2BUTPYPSJ, name=jdbc
 INFO [2016-09-08 11:46:06,438] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group lens : id=2BVRSAGY7, name=lens
 INFO [2016-09-08 11:46:06,438] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group hbase : id=2BXPDVZ2D, name=hbase
 INFO [2016-09-08 11:46:06,438] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group cassandra : id=2BXZM149V, name=cassandra
 INFO [2016-09-08 11:46:06,438] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group kylin : id=2BW73AW1W, name=kylin
 INFO [2016-09-08 11:46:06,438] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group elasticsearch : id=2BX4SVYDE, name=elasticsearch
 INFO [2016-09-08 11:46:06,438] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group python : id=2BWU8NAJN, name=python
 INFO [2016-09-08 11:46:06,439] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group livy : id=2BUY5977F, name=livy
 INFO [2016-09-08 11:46:06,439] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group flink : id=2BWKEGFMT, name=flink
 INFO [2016-09-08 11:46:06,439] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group ignite : id=2BWT4SB6V, name=ignite
 INFO [2016-09-08 11:46:06,439] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group spark : id=2BXJ91NCU, name=spark
 INFO [2016-09-08 11:46:06,439] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group sh : id=2BXD1EJ7Q, name=sh
 INFO [2016-09-08 11:46:06,439] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group bigquery : id=2BVY56RAA, name=bigquery
 INFO [2016-09-08 11:46:06,439] ({main} InterpreterFactory.java[init]:218) - Interpreter setting group file : id=2BW4YR6DA, name=file
 INFO [2016-09-08 11:46:06,452] ({main} VfsLog.java[info]:138) - Using "/tmp/vfs_cache" as temporary files store.
 INFO [2016-09-08 11:46:06,599] ({main} NotebookAuthorization.java[loadFromFile]:58) - /usr/share/dumphere/installhere/zeppelin-0.6.1-bin-all/conf/notebook-authorization.json
 INFO [2016-09-08 11:46:06,600] ({main} Credentials.java[loadFromFile]:71) - /usr/share/dumphere/installhere/zeppelin-0.6.1-bin-all/conf/credentials.json
 INFO [2016-09-08 11:46:06,628] ({main} StdSchedulerFactory.java[instantiate]:1184) - Using default implementation for ThreadExecutor
 INFO [2016-09-08 11:46:06,630] ({main} SimpleThreadPool.java[initialize]:268) - Job execution threads will use class loader of thread: main
 INFO [2016-09-08 11:46:06,642] ({main} SchedulerSignalerImpl.java[<init>]:61) - Initialized Scheduler Signaller of type: class org.quartz.core.SchedulerSignalerImpl
 INFO [2016-09-08 11:46:06,643] ({main} QuartzScheduler.java[<init>]:240) - Quartz Scheduler v.2.2.1 created.
 INFO [2016-09-08 11:46:06,644] ({main} RAMJobStore.java[initialize]:155) - RAMJobStore initialized.
 INFO [2016-09-08 11:46:06,645] ({main} QuartzScheduler.java[initialize]:305) - Scheduler meta-data: Quartz Scheduler (v2.2.1) 'DefaultQuartzScheduler' with instanceId 'NON_CLUSTERED'
  Scheduler class: 'org.quartz.core.QuartzScheduler' - running locally.
  NOT STARTED.
  Currently in standby mode.
  Number of jobs executed: 0
  Using thread pool 'org.quartz.simpl.SimpleThreadPool' - with 10 threads.
  Using job-store 'org.quartz.simpl.RAMJobStore' - which does not support persistence. and is not clustered.
 INFO [2016-09-08 11:46:06,645] ({main} StdSchedulerFactory.java[instantiate]:1339) - Quartz scheduler 'DefaultQuartzScheduler' initialized from default resource file in Quartz package: 'quartz.properties'
 INFO [2016-09-08 11:46:06,645] ({main} StdSchedulerFactory.java[instantiate]:1343) - Quartz scheduler version: 2.2.1
 INFO [2016-09-08 11:46:06,645] ({main} QuartzScheduler.java[start]:575) - Scheduler DefaultQuartzScheduler_$_NON_CLUSTERED started.
 INFO [2016-09-08 11:46:06,873] ({main} Notebook.java[<init>]:121) - Notebook indexing started...
 INFO [2016-09-08 11:46:07,113] ({main} LuceneSearch.java[addIndexDocs]:305) - Indexing 3 notebooks took 239ms
 INFO [2016-09-08 11:46:07,113] ({main} Notebook.java[<init>]:123) - Notebook indexing finished: 3 indexed in 0s
 INFO [2016-09-08 11:46:07,227] ({main} ServerImpl.java[initDestination]:94) - Setting the server's publish address to be /
 INFO [2016-09-08 11:46:07,876] ({main} ContextHandler.java[doStart]:744) - Started o.e.j.w.WebAppContext@4c6e276e{/,file:/usr/share/dumphere/installhere/zeppelin-0.6.1-bin-all/webapps/webapp/,AVAILABLE}{/usr/share/dumphere/installhere/zeppelin-0.6.1-bin-all/zeppelin-web-0.6.1.war}
 INFO [2016-09-08 11:46:07,887] ({main} AbstractConnector.java[doStart]:266) - Started ServerConnector@433348bc{HTTP/1.1}{l4373t.sss.se.com:9996}
 INFO [2016-09-08 11:46:07,887] ({main} Server.java[doStart]:379) - Started @3230ms
 INFO [2016-09-08 11:46:07,887] ({main} ZeppelinServer.java[main]:121) - Done, zeppelin server started
 INFO [2016-09-08 11:46:08,116] ({qtp754666084-13} NotebookServer.java[onOpen]:97) - New connection from 10.254.70.164 : 57165
 INFO [2016-09-08 11:46:12,553] ({qtp754666084-16} NotebookServer.java[onClose]:227) - Closed connection to 10.254.70.164 : 57165. (1001) null
 INFO [2016-09-08 11:46:13,178] ({qtp754666084-16} AbstractValidatingSessionManager.java[enableSessionValidation]:230) - Enabling session validation scheduler...
 WARN [2016-09-08 11:46:13,225] ({qtp754666084-18} JAXRSUtils.java[findTargetMethod]:499) - No operation matching request path "/api/login;JSESSIONID=26181c87-1e79-4686-b406-f745bce776e4" is found, Relative Path: /, HTTP Method: GET, ContentType: */*, Accept: application/json,text/plain,*/*,. Please enable FINE/TRACE log level for more details.
 WARN [2016-09-08 11:46:13,227] ({qtp754666084-18} WebApplicationExceptionMapper.java[toResponse]:73) - javax.ws.rs.ClientErrorException
at org.apache.cxf.jaxrs.utils.JAXRSUtils.findTargetMethod(JAXRSUtils.java:503)
at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:227)
at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:103)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:211)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:575)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
 INFO [2016-09-08 11:46:13,279] ({qtp754666084-14} NotebookServer.java[onOpen]:97) - New connection from 10.254.70.164 : 57172
ERROR [2016-09-08 11:46:21,706] ({qtp754666084-14} LoginRestApi.java[postLogin]:103) - Exception in login: 
org.apache.shiro.authc.AuthenticationException: LDAP authentication failed.
at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:300)
at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:76)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:100)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.apache.shiro.realm.ldap.JndiLdapContextFactory.createLdapContext(JndiLdapContextFactory.java:508)
at org.apache.shiro.realm.ldap.JndiLdapContextFactory.getLdapContext(JndiLdapContextFactory.java:495)
at org.apache.shiro.realm.ldap.JndiLdapRealm.queryForAuthenticationInfo(JndiLdapRealm.java:375)
at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:295)
... 64 more
 WARN [2016-09-08 11:46:21,713] ({qtp754666084-14} LoginRestApi.java[postLogin]:111) - {"status":"FORBIDDEN","message":"","body":""}

The shiro.ini file, please note the following :

I have entirely commented the [users] and [roles]
For 'ldapRealm.userDnTemplate', it's immaterial whether I use uid={0} or CN={0}
I'm assuming(as per the original requirement) that the group where the provided credentials must be searched is provided as a value to 'ldapRealm.userDnTemplate'. Is it that the LDAP groups must have a different key ?

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
#admin = go4zeppelin
#hanny = hannyuseszeppelin, role1 
#henrik = henrikuseszeppelin, role2
# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
### A sample for configuring Active Directory Realm
#activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = userNameA
#activeDirectoryRealm.systemPassword = passwordA
#activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
#activeDirectoryRealm.url = ldap://ldap.test.com:389
#activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
#activeDirectoryRealm.authorizationCachingEnabled = false
### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = dc=scompany,dc=SE
ldapRealm.contextFactory.url = ldap://unix-ldap.company.com:389
ldapRealm.userDnTemplate = uid={0},cn=devdatalakeadm,ou=Group,dc=company,dc=se
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
#[roles]
#role1 = *
#role2 = *
[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# authc means Form based Auth Security
# To enfore security, comment the line below and uncomment the next one
/api/version = anon
#/** = anon
/** = authc

I now wonder if ldap is behaving itself, following is the output of two commands that makes me believe that ldap is NOT able to check if a particular user, say ojoqcu, belongs to a ldap group :

If I query just for the user, all his membership groups are returned :

ldapsearch -h unix-ldap.company.com -p 389 -x -b "dc=company,dc=SE" "(&(cn=*)(memberUid=ojoqcu))"
# extended LDIF
#
# LDAPv3
# base <dc=company,dc=SE> with scope subtree
# filter: (&(cn=*)(memberUid=ojoqcu))
# requesting: ALL
#
# datalake, Group, company.se
dn: cn=datalake,ou=Group,dc=company,dc=se
objectClass: posixGroup
description: company Data Lake
gidNumber: 5019
cn: datalake
memberUid: hbrdmv
memberUid: ojoqcu
memberUid: ssserz
memberUid: sssktw
memberUid: sssjtz
memberUid: tekzn7
# devdatalakeadm, Group, company.se
dn: cn=devdatalakeadm,ou=Group,dc=company,dc=se
objectClass: posixGroup
description: Data Lake Admins
gidNumber: 14000
cn: devdatalakeadm
memberUid: hbrdmv
memberUid: ojoqcu
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2

but if I try to check if the user is part of group, no entries returned :

ldapsearch -h unix-ldap.company.com -p 389 -x -b "dc=company,dc=SE" "(&(cn=devdatalakeadm,ou=Group,dc=company,dc=se)(memberUid=ojoqcu))"
# extended LDIF
#
# LDAPv3
# base <dc=company,dc=SE> with scope subtree
# filter: (&(cn=devdatalakeadm,ou=Group,dc=company,dc=se)(memberUid=ojoqcu))
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1

What could be the root cause ?

Re: Zeppelin security : Issues while securing Zeppelin UI

WhiteHa — Fri, 09 Sep 2016 05:06:37 GMT

@Kaliyug Antagonist HDP 2.4.0 has Zeppelin Tech Preview only, this issue can not be found in Zeppelin with HDP 2.5.0 which is the version officially supported.

Re: Zeppelin security : Issues while securing Zeppelin UI

aanghel — Fri, 09 Sep 2016 05:06:37 GMT

You should really install a newer Zeppelin version as there have been quite a few changes and enhancements in terms of security. I wouldn't advise trying security with that old Zeppelin version.

The 0.6.0.2.4.2.0-258 from the HDP2.4.2 repo doesn't come with the org.apache.zeppelin.server.LdapGroupRealm class so you won't be able to use it (the error you receive is absolutely normal).

If you don't want to upgrade to HDP2.5 you can at least manually compile 0.6.2 from https://github.com/apache/zeppelin/tree/branch-0.6:

git clone https://github.com/apache/zeppelin.git -b branch-0.6 
cd zeppelin/ 
mvn clean package -DskipTests -Pspark-1.6 -Phadoop-2.6 -Dhadoop.version=2.7.1

If you get the UI when you cancel the login, that's probably because anonymous is still allowed, so set zeppelin.anonymous.allowed to false in conf/zeppelin-site.xml

Lastly, as a curiosity, I tried 0.6.0.2.4.2.0-258 from HDP2.4.2 with ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm and it works just fine, even if I sometimes get the Invalid ticket error in the logs.

Your LDAP layout might be different and the shiro config wrong.

Are you sure the userDN is uid={0} and not CN={0}?

Are you sure the users are in the ou=Group,dc=company,dc=SE baseDN?

Usually groups are just other entries in the LDAP and the group membership is controlled by member attribute rather than putting users in Group subtrees.

Re: Zeppelin security : Issues while securing Zeppelin UI

kaliyugantagoni — Fri, 09 Sep 2016 05:06:38 GMT

Yeah I read about that but does that mean that with HDP 2.4, Zeppelin cannot be secured in the way I am trying to ? Can Hue or some other component help ?

Re: Zeppelin security : Issues while securing Zeppelin UI

kaliyugantagoni — Fri, 09 Sep 2016 05:06:38 GMT

@Alexandru Anghel

For now, I wish to continue with the existing versions but I will try the Zeppelin 0.6.2.

Well, I discovered several facts :

On canceling the log-in, the UI is seen but it shows a 'Login' button on the top right corner
I had NOT created any conf/zeppelin-site.xml, a template file exists there, though
I tried using ldapRealm.userDnTemplate=CN={0},CN=devadmin,ou=Group,dc=company,dc=SE but the same result

Is there any way the exact cause/error can be captured(the Zeppelin log errors I have already provided) ?

Re: Zeppelin security : Issues while securing Zeppelin UI

aanghel — Fri, 09 Sep 2016 05:06:39 GMT

1. Yes, this means anonymous has been allowed access

2. make a copy cp conf/zeppelin-site.xml.template conf/zeppelin-site.xml, edit the file and set that variable to false

3. When I put the wrong userDnTemplate, I get the following, so it's something to look for in the logs:

LoginRestApi.java[postLogin]:99) - Exception in login:
org.apache.shiro.authc.AuthenticationException: Authentication token of type [class org.apache.shiro.authc.UsernamePasswordToken] could not be authenticated by any configured realms.  Please ensure that at least one realm can authenticate these tokens.

But really, you should get the right LDAP template, it might not be a problem with CN or uid, but a problem with the path (for example, the user might be in ldapRealm.userDnTemplate=CN={0},ou=Users,dc=company,dc=SE, not ou=Group,dc=company,dc=SE)

How do you use this LDAP in other projects / apps?

Run ldapsearch on it:

ldapsearch -h unix-ldap.company.com -p 389 -x -b "dc=company,dc=SE"

(although you might not be allowed to bind anonymously).

Ask your LDAP admin, etc

Good luck!

Re: Zeppelin security : Issues while securing Zeppelin UI

kaliyugantagoni — Fri, 09 Sep 2016 05:06:40 GMT

@Alexandru Anghel

I have edited(********************EDIT-1 : New Zeppelin version(zeppelin-0.6.1-bin-all.tgz)********************) my original question to include the progress and the new issue faced after installing the latest stable version of Zeppelin (0.6.1)

(may need some time to reflect as it's under moderation)

Re: Zeppelin security : Issues while securing Zeppelin UI

aanghel — Fri, 09 Sep 2016 16:20:16 GMT

1) What could be the root cause ?

I think it's just the wrong ldapsearch filter, should be ldapsearch -h unix-ldap.company.com -p 389-x -b "dc=company,dc=SE""(&(cn=devdatalakeadm)(memberUid=ojoqcu))"

cn=devdatalakeadm,ou=Group,dc=company,dc=se is actually the full dn and you cannot search on it as it's not an attribute.

2) Your problem is still the userDnTemplate, that's why you're still getting the LDAP authentication exception

ldapRealm.userDnTemplate = uid={0},cn=devdatalakeadm,ou=Group,dc=company,dc=se

Why are you trying to search the user inside the cn=devdatalakeadm subtree?

That's not how users and groups are represented in LDAP (unless you did something very specific).

Users and Groups are normally in separate trees and membership is only decided by the memberUid parameter in your case.

But if memberUid is ojoqcu it doesn't mean uid=ojoqcu,cn=devdatalakeadm,ou=Group,dc=company,dc=se actually exist, ojoqcu user could be in a separate tree/ou, like uid=ojoqcu,ou=User,dc=company,dc=se

To further help you finding out the correct userDnTemplate, I'd need an ldapsearch output for a user, just like you showed for groups.