https://community.cloudera.com/t5/Archives-of-Support-Questions/Zeppelin-kerberos-authentication/m-p/211956#M77047 <P><EM><A href="@Mustafa Kemal MAYUK"> @Mustafa Kemal MAYUK</A><BR /></EM></P><P><EM>The answer is YES but there are trade off's<BR /></EM></P><P><EM> <STRONG>LDAP authentication is </STRONG>used for holding authoritative information about the accounts, such as what they're allowed to access (authorization), the user's full name and uid for centralized authentication, meaning you have to log in to every service, but if you change your password it changes everywhere.</EM></P><P><EM><STRONG>Kerberos </STRONG></EM>is used to manage credentials securely (authentication) and <I>is single sign-on (SSO), meaning you log in once and get a token and don't need to login to other services.</I></P><P><EM>There's a trade-off: LDAP is less convenient but simpler. Kerberos is more convenient but more complex. Secure things are simple and convenient.</EM></P><P><EM>There's no right answer. If you need SSO use Kerberos. Else LDAP. </EM></P> Tue, 10 Apr 2018 16:07:49 GMT Shelton 2018-04-10T16:07:49Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Zeppelin-kerberos-authentication/m-p/211955#M77046 <P>Hello,</P><P>is it possible to do authentication only with kerberos principal in a kerberized cluster? (without using AD or LDAP)</P><P>Regard.</P> Tue, 10 Apr 2018 15:26:10 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Zeppelin-kerberos-authentication/m-p/211955#M77046 mustafakemal_ma 2018-04-10T15:26:10Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Zeppelin-kerberos-authentication/m-p/211956#M77047 <P><EM><A href="@Mustafa Kemal MAYUK"> @Mustafa Kemal MAYUK</A><BR /></EM></P><P><EM>The answer is YES but there are trade off's<BR /></EM></P><P><EM> <STRONG>LDAP authentication is </STRONG>used for holding authoritative information about the accounts, such as what they're allowed to access (authorization), the user's full name and uid for centralized authentication, meaning you have to log in to every service, but if you change your password it changes everywhere.</EM></P><P><EM><STRONG>Kerberos </STRONG></EM>is used to manage credentials securely (authentication) and <I>is single sign-on (SSO), meaning you log in once and get a token and don't need to login to other services.</I></P><P><EM>There's a trade-off: LDAP is less convenient but simpler. Kerberos is more convenient but more complex. Secure things are simple and convenient.</EM></P><P><EM>There's no right answer. If you need SSO use Kerberos. Else LDAP. </EM></P> Tue, 10 Apr 2018 16:07:49 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Zeppelin-kerberos-authentication/m-p/211956#M77047 Shelton 2018-04-10T16:07:49Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Zeppelin-kerberos-authentication/m-p/211957#M77048 <P>Thanks <A rel="user" href="https://community.cloudera.com/users/1271/sheltong.html" nodeid="1271">@Geoffrey Shelton Okot</A></P><P>I have already a Zeppelin instance in a kerberized cluster. Should I do extra configuration for kerberos authentication? I couldn't login to zeppelin ui with a kerberos principal.</P> Tue, 10 Apr 2018 17:20:54 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Zeppelin-kerberos-authentication/m-p/211957#M77048 mustafakemal_ma 2018-04-10T17:20:54Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Zeppelin-kerberos-authentication/m-p/211958#M77049 <P><EM><A href="https://community.hortonworks.com/users/10532/mustafakemalmayuk.html">@Mustafa Kemal MAYUK</A></EM></P><P><EM>I guess you run the Kerberos wizard through Ambari if so the corresponding keytabs must have already been generated so no need for any action. </EM></P><P><EM>The Zeppelin daemon needs a Kerberos account and keytab to run in a Kerberized cluster. Have a look at <CODE>%spark</CODE> interpreter like the property <STRONG>spark.yarn.keytabs</STRONG> or <STRONG>spark.yarn.principal</STRONG> they should already be filled.</EM></P><P><EM>All the configuration is in the shiro.ini, you can even map local users and restart Zeppelin these users should be able to login Zeppelin UI. </EM></P><P><EM>These are the default users</EM></P><PRE><EM>[users] # List of users with their password allowed to access Zeppelin. # To use a different strategy (LDAP / Database / ...) # check the shiro doc at <A href="http://shiro.apache.org/configuration.html" target="_blank">http://shiro.apache.org/configuration.html</A> # Configuration-INI Sections admin = admin, admin user1 = user1, role1, role2 user2 = user2, role3 user3 = user3, role2 # Added user John/John John = John, role1, role2</EM></PRE><P><EM>But your spark queries won't necessarily run after logging in as one of these. For spark queries to run, the user needs to be a local user on the Linux box. Hence these are just default logins which you can change yourself.</EM></P><P><EM>For simple configs, you can add more username/password in text format in [users] section in the above example I added</EM></P><PRE><EM>John = John, role1, role2</EM></PRE><P><EM>And could log on to zeppelin UI as <STRONG>John/John</STRONG></EM></P> Tue, 10 Apr 2018 20:24:58 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Zeppelin-kerberos-authentication/m-p/211958#M77049 Shelton 2018-04-10T20:24:58Z