Created on 12-08-201606:26 PM - edited on 12-09-202111:01 PM by VidyaSargur
This article applies to HDP 2.5.x and below. For HDP 2.6, please check new article.
Zeppelin can be configured to leverage an organization's Active Directory infrastructure for user authentication. By doing this, the existing Active Directory users can login to Zeppelin UI using their Active Directory credentials. This article discuss how to configure this kind of setup.
HDP 2.5 cluster / Sandbox
- I'm using HDP 2.5 Sandbox on VirtualBox. Get one from here !
- I'm using Ambari 22.214.171.124 which comes with HDP 2.5 Sandbox
'Zeppelin Notebook' Service installed in Ambari
- With HDP 2.5 Sandbox, it will be Zeppelin version 0.6.0
- If you don't have Zeppelin installed, it can be installed via 'Add Service' option in Ambari
- I'm using Active Directory 2012 R2 version
- Make sure that you have 'working' Active Directory details handy like URI, bind DN/password, search base etc.
1. From Ambari Dashboard, navigate to Zeppelin Notebook > Configs > Advanced zeppelin-config section.
2. Locate & set property "zeppelin.anonymous.allowed=false". By default, this is set to true so that any user can login to Zeppelin UI as anonymous user.
3. On the same Ambari page, navigate to next section called "Advanced zeppelin-env".
4. Locate a property called "shiro_ini_content". It contains an Apache Shiro configuration which Zeppelin uses to perform LDAP/AD authentication and authorization. Make the following changes to configure Zeppelin for Active Directory:
Add following Active Directory related information in the [main] section -
2. Click on "Login" button in the top right corner.
3. Specify any valid Active Directory username and password in the Login window. Make sure to provide the fully qualified user name like "ad-username@AD.DOMAIN.COM", a short username like "ad-username" will give an error (check next section).
If everything goes fine, user will be able to login using their Active Directory credentials. At the same time, the log file will show a success message like this:
In case of any error during service restart after configuration changes, most probably it will be due to incorrect / incomplete configuration. Zeppelin log file can be found at /var/log/zeppelin/zeppelin-zeppelin-sandbox.hortonworks.com.log location on the Zeppelin host. Please check log file for error(s).
Common Issues & Resolution:
1. Incorrect Realm class name
- Upon restart, Zeppelin service will die and while there will be no logs in /var/log/zeppelin/zeppelin-zeppelin-sandbox.hortonworks.com.log, but the /var/log/zeppelin/zeppelin-zeppelin-sandbox.hortonworks.com.out will have an error saying ClassNotFoundException for Realm class.
- Make sure that Realm class name is spelled correctly. Valid realm class names are: