
In this article we will see how to add sample users and enable password-based authentication for the Zeppelin UI.

By default, Zeppelin can be accessed as the "anonymous" user, meaning users are not challenged to provide credentials.


1. Log in to the Ambari UI and navigate to:

Ambari UI --> Zeppelin Notebook --> Configs --> Advanced --> Advanced zeppelin-shiro-ini


2. Then add the users inside the "[users]" section as follows:

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
admin = admin
user1=user1pwd
user2=user2pwd



3. Also edit the "[urls]" section and add "authcBasic" as follows to specify which URL patterns need to be protected:

[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
#/** = anon
/** = authcBasic

4. Restart Zeppelin. Users accessing the Zeppelin Notebook UI will then be presented with a Basic Authentication window to enter a username and password.

http://$ZEPPELIN_HOST:9995/#/


NOTE: Zeppelin can also be configured to leverage an organization's Active Directory infrastructure for user authentication, so that existing Active Directory users can log in to the Zeppelin UI using their Active Directory credentials. To enable Active Directory based authentication for Zeppelin, refer to the following article: https://community.hortonworks.com/articles/70392/how-to-configure-zeppelin-for-active-directory-use....

Comments
Contributor

Hi @Jay Kumar SenSharma,

These instructions didn't work for me when I tried them on my cluster with HDP 3.0 and Zeppelin 0.8.0.

I noticed in my initial "Advanced zeppelin-shiro-ini", the passwords are encrypted strings, like

user3 = $shiro1$SHA-256$500000$nf0GzH10GbYVoxa7DOlOSw==$ov/IA5W8mRWPwvAoBjNYxg3udJK0EmrVMvFCwcr9eAs=, role2

Then if I add a new user like this

newuser = newuserpassword

Or like this

newuser = newuserpassword, newrole

None of them worked.

Am I missing something in the settings?

To clarify, my purpose is to add a new Zeppelin user named `newuser`.

Thanks!

=== Update ===

I found there is another line in my "Advanced zeppelin-shiro-ini" section `[main]` that says

## To be commented out when not using [user] block / paintext
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher

And per Apache Shiro Configuration, that string starting with `$shiro` is a hash of the password.

I commented out the two lines shown above and passwords stored in plain text in "Advanced zeppelin-shiro-ini" are ok now.

After commenting out the below properties, it works for me as well.

## To be commented out when not using [user] block / paintext

passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher
New Contributor

Hi, this is my shiro-ini configuration. I added the kjoe user under the users section and restarted the Zeppelin service, but the user is still not able to log in. Kindly assist me with how to fix this.


[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
admin = $shiro1$SHA-256$500000$p6Be9+t2hdUXJQj2D0b1fg==$bea5JIMqcVF3J6eNZGWQ/3eeDByn5iEZDuGsEip06+M=, admin
user1 = $shiro1$SHA-256$500000$G2ymy/qmuZnGY6or4v2KfA==$v9fabqWgCNCgechtOUqAQenGDs0OSLP28q2wolPT4wU=, role1, role2
user2 = $shiro1$SHA-256$500000$aHBgiuwSgAcP3Xt5mEzeFw==$KosBnN2BNKA9/KHBL0hnU/woJFl+xzJFj12NQ0fnjCU=, role3
user3 = $shiro1$SHA-256$500000$nf0GzH10GbYVoxa7DOlOSw==$ov/IA5W8mRWPwvAoBjNYxg3udJK0EmrVMvFCwcr9eAs=, role2
kjoe = ******


# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
### A sample for configuring Active Directory Realm
#activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = userNameA

#use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html
#activeDirectoryRealm.systemPassword = passwordA
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks
#activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
#activeDirectoryRealm.url = ldap://ldap.test.com:389
#activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
#activeDirectoryRealm.authorizationCachingEnabled = false

### A sample for configuring LDAP Directory Realm
#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
#ldapRealm.contextFactory.url = ldap://ldap.test.com:389
#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE

### A sample PAM configuration
#pamRealm=org.apache.zeppelin.realm.PamRealm
#pamRealm.service=sshd

## To be commented out when not using [user] block / paintext
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
### If caching of user is required then uncomment below lines
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
#Uncomment the line below when running Zeppelin-Server in HTTPS mode
#cookie.secure = true
cookie.httpOnly = true
sessionManager.sessionIdCookie = $cookie

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
role1 = *
role2 = *
role3 = *
admin = *

[urls]
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
# To enfore security, comment the line below and uncomment the next one
/api/version = anon
#/api/interpreter/** = authc, roles[admin]
#/api/configurations/** = authc, roles[admin]
#/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc
/** = authcBasic
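
Added example, not part of the article or of any comment above: a small Python check for the mismatch reported in the comments, where `[users]` entries and the PasswordMatcher lines in `[main]` disagree, plus an active `/** = anon` rule. The function names and the sample configuration are constructed for illustration, and the hash in it is a placeholder in the `$shiro1$` layout.

```python
import re

# Layout shown on this page: $shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>
SHIRO1 = re.compile(r"\$shiro1\$[\w-]+\$\d+\$[A-Za-z0-9+/]+=*\$[A-Za-z0-9+/]+=*")

def parse_ini(text):
    """Minimal shiro.ini reader: {section: [(key, value), ...]}; comments skipped."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def lint(text):
    """Report [main]/[users]/[urls] combinations that block login or weaken it."""
    ini = parse_ini(text)
    main = dict(ini.get("main", []))
    ref = main.get("iniRealm.credentialsMatcher", "").lstrip("$")
    matcher_on = main.get(ref, "").endswith("PasswordMatcher")
    findings = []
    for user, value in ini.get("users", []):
        hashed = bool(SHIRO1.fullmatch(value.split(",")[0].strip()))  # roles follow
        if matcher_on and not hashed:
            findings.append(f"{user}: plaintext entry, but PasswordMatcher expects a hash")
        elif not matcher_on and hashed:
            findings.append(f"{user}: hash entry, but no PasswordMatcher is configured")
        elif not matcher_on:
            findings.append(f"{user}: password stored in plaintext")
    urls = ini.get("urls", [])
    if any(p == "/**" and "anon" in f.replace(" ", "").split(",") for p, f in urls):
        findings.append("/**: catch-all allows anonymous access")
    return findings

# Constructed sample input; the hash is a placeholder in $shiro1$ layout, not a real one.
FAKE_HASH = "$shiro1$SHA-256$500000$" + "A" * 22 + "==$" + "A" * 43 + "="
SAMPLE = f"""[users]
admin = {FAKE_HASH}, admin
newuser = newuserpassword, newrole
[main]
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher
[urls]
#/** = anon
/** = authcBasic
"""
```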

New Contributor

Did you solve this? I am having the same problem.

I have followed the steps, but after making the change and restarting Zeppelin I am getting the below error. Please help me to resolve it.

HTTP ERROR: 503

Problem accessing /. Reason:

    Service Unavailable

Last update: 02-26-2018 07:49 AM