Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

deepak.subhramanian — Fri, 11 Nov 2016 00:14:30 GMT

We are looking at setting up Zeppelin on top of Livy Server. Does the following settings pass also the kerberos authentication information.

<property>
    <name>hadoop.proxyuser.livy.groups</name>
    <value>*</value>
</property>

<property>
    <name>hadoop.proxyuser.livy.hosts</name>
    <value>*</value>
</property>

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_zeppelin-component-guide/content/install-livy.html

Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

azeltov — Fri, 11 Nov 2016 02:15:06 GMT

Hi Deepak, see my how-to tutorial:

https://community.hortonworks.com/content/kbentry/65449/ow-to-setup-a-multi-user-active-directory-backed-z.html

If you are using self-signed certificate, Download the SSL certificate to where zeppelin is running

<code>mkdir -p /etc/security/certificates

store the certificate in this directory

Import certificate for zeppelin to work with the self signed certificate.

<code>cd /etc/security/certificates
keytool -import -alias sampledcfieldcloud -file ad01.your.domain.name.cer -keystore /usr/jdk64/jdk1.8.0_77/jre/lib/security/cacerts
keytool -list -v -keystore /usr/jdk64/jdk1.8.0_77/jre/lib/security/cacerts | grep sampledcfieldcloud

Create home directory in hdfs for the user that you will login:

<code>hdfs dfs -mkdir /user/hadoopadmin
hdfs dfs -chown hadoopadmin:hdfs /user/hadoopadmin

Enable multi-user zeppelin use ambari -> zeppelin notebook configs

expand the Advanced zeppelin-env and look for shiro.ini entry. Below is configuration that works with our sampledcfield Cloud.

<code>[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
#admin = password1
#user1 = password2, role1, role2
#user2 = password3, role3
#user3 = password4, role2
# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = CN=binduser,OU=ServiceUsers,DC=sampledcfield,DC=hortonworks,DC=com
activeDirectoryRealm.systemUsername = binduser
activeDirectoryRealm.systemPassword = xxxxxx
activeDirectoryRealm.principalSuffix = @your.domain.name
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
activeDirectoryRealm.searchBase = DC=sampledcfield,DC=hortonworks,DC=com
activeDirectoryRealm.url = ldaps://ad01.your.domain.name:636
activeDirectoryRealm.groupRolesMap = "CN=hadoop-admins,OU=CorpUsers,DC=sampledcfield,DC=hortonworks,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
#ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
#ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=example,dc=com
#ldapRealm.contextFactory.url = ldap://ldaphost:389
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE
#sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
#securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[roles]
admin = *
[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enfore security, comment the line below and uncomment the next one
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
#/** = anon
/** = authc
#/** = authcBasic

Grant Livy ability to impersonate

Use Ambari to update core-site.xml, restart YARN & HDFS after making this change.

<code><property>
<name>hadoop.proxyuser.livy.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.livy.hosts</name>
<value>*</value>
</property>

Restart hdfs and yarn after this update.

After running the livy notebook make sure the yarn logs show the logged in user as the user that is running, hadoopadmin is the user that is logged in the zeppelin notebook. You should see 2 applications running the livy-session-X and the zeppelin app running in yarn

<code>application_1478287338271_0003 hadoopadmin livy-session-0
application_1478287338271_0002 zeppelin Zeppelin

Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

deepak.subhramanian — Fri, 11 Nov 2016 02:33:07 GMT

Thanks @azeltov. To confirm. Does it also work with a Kerberized Cluster ?I am just wondering how the kerberos information is passed.

Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

azeltov — Fri, 11 Nov 2016 08:19:04 GMT

It does work in Kerberized cluster you will need to create keytabs for zeppelin and livy service account.

Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

deepak.subhramanian — Tue, 15 Nov 2016 23:23:05 GMT

Thanks @azeltov . Even if we create a kerberos token for zeppelin, how does the kerberos tokens for individual users is passed ? All the access to HDFS, Spark and Hive is managed in Ranger for AD user or group and not for Zeppelin user.

Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

azeltov — Wed, 16 Nov 2016 00:01:06 GMT

You must use Livy integration for the user tokens to be passed.

Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

michael_salmon — Thu, 26 Jan 2017 20:29:58 GMT

The tokens aren't passed. zeppelin authenticates itself with livy and as it is a superuser (livy.superusers) livy takes the proxyUser sent by zeppelin and becomes that user.

question Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster in Archives of Support Questions (Read Only)

Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

If you are using self-signed certificate, Download the SSL certificate to where zeppelin is running

Import certificate for zeppelin to work with the self signed certificate.

Create home directory in hdfs for the user that you will login:

Enable multi-user zeppelin use ambari -> zeppelin notebook configs

Grant Livy ability to impersonate

Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster

Re: Is Zeppelin in HDP 2.5 support multi-tenancy on a Kerberized Cluster