Created on 11-08-2016 05:29 PM
How to set up a multi-user (Active Directory backed) Zeppelin integrated with LDAP and using the Livy REST server.
Prerequisites:
Set up the LDAP/AD integration for Ambari using this lab (Enable Active Directory Authentication for Ambari): https://github.com/HortonworksUniversity/Security_Labs#lab-1
If the AD server uses a self-signed certificate, download that certificate to the host where Zeppelin is running:
```
mkdir -p /etc/security/certificates
```
Store the certificate in this directory.
Import the certificate into the truststore of the JDK that Zeppelin runs on, then verify that the alias is present:
```
cd /etc/security/certificates
keytool -import -alias sampledcfieldcloud -file ad01.your.domain.name.cer -keystore /usr/jdk64/jdk1.8.0_77/jre/lib/security/cacerts
keytool -list -v -keystore /usr/jdk64/jdk1.8.0_77/jre/lib/security/cacerts | grep sampledcfieldcloud
```
Create a home directory in HDFS for the user that you will log in as:
```
hdfs dfs -mkdir /user/hadoopadmin
hdfs dfs -chown hadoopadmin:hdfs /user/hadoopadmin
```
Enable multi-user Zeppelin: in Ambari go to Zeppelin Notebook -> Configs,
expand "Advanced zeppelin-env" and look for the shiro.ini entry. Below is the configuration that works with our sampledcfield cloud.
```
[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
#admin = password1
#user1 = password2, role1, role2
#user2 = password3, role3
#user3 = password4, role2

# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = CN=binduser,OU=ServiceUsers,DC=sampledcfield,DC=hortonworks,DC=com
activeDirectoryRealm.systemUsername = binduser
activeDirectoryRealm.systemPassword = xxxxxx
activeDirectoryRealm.principalSuffix = @your.domain.name
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
activeDirectoryRealm.searchBase = DC=sampledcfield,DC=hortonworks,DC=com
activeDirectoryRealm.url = ldaps://ad01.your.domain.name:636
activeDirectoryRealm.groupRolesMap = "CN=hadoop-admins,OU=CorpUsers,DC=sampledcfield,DC=hortonworks,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
#ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
#ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=example,dc=com
#ldapRealm.contextFactory.url = ldap://ldaphost:389
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE
#sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
#securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
#/** = anon
/** = authc
#/** = authcBasic
```
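The shiro.ini above has three settings that decide whether the setup really is multi-user: the realm URL (ldaps:// on 636), where the bind password lives (in the file, or in the jceks store the commented-out hadoopSecurityCredentialPath line points at), and the [urls] catch-all, which Shiro evaluates first-match-wins. The checker below is an added example, not part of the original article or of Zeppelin; it parses a shiro.ini with no dependencies and reports which of those three would be undone by an edit. The two embedded configurations are constructed: the first mirrors the article's working file with the password moved to the jceks store, the second is a weakened variant using a placeholder password.

```python
"""Audit a Zeppelin shiro.ini for the settings this article depends on.

Added example, not part of the original article: a dependency-free checker
that parses the [main] and [urls] sections of a shiro.ini and flags changes
that would undo the multi-user setup (cleartext LDAP, a bind password kept
in the file, or an anonymous catch-all URL rule).
"""

# Constructed sample mirroring the article's working configuration, with the
# bind password moved into the jceks credential store the article mentions.
ARTICLE_INI = """\
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = binduser
activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
activeDirectoryRealm.principalSuffix = @your.domain.name
activeDirectoryRealm.searchBase = DC=sampledcfield,DC=hortonworks,DC=com
activeDirectoryRealm.url = ldaps://ad01.your.domain.name:636
activeDirectoryRealm.groupRolesMap = "CN=hadoop-admins,OU=CorpUsers,DC=sampledcfield,DC=hortonworks,DC=com":"admin"
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/** = authc
"""

# Constructed weak variant: plain ldap://, a placeholder password in the file,
# and the article's commented-out "/** = anon" line enabled and placed first.
WEAK_INI = """\
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = binduser
activeDirectoryRealm.systemPassword = PLACEHOLDER_PASSWORD
activeDirectoryRealm.url = ldap://ad01.your.domain.name:389

[urls]
/** = anon
/api/interpreter/** = authc, roles[admin]
"""


def parse_shiro_ini(text):
    """Parse an INI-style shiro.ini into {section: [(key, value), ...]}.

    Order is preserved because Shiro applies [urls] entries first-match-wins.
    Lines starting with '#' or ';' are comments, as in the article's file.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)  # split once: values may contain '='
        sections[current].append((key.strip(), value.strip()))
    return sections


def audit_shiro(text):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    ini = parse_shiro_ini(text)
    main = dict(ini.get("main", []))
    urls = ini.get("urls", [])
    findings = []

    # 1. Directory traffic should be TLS-protected; the article binds to ldaps://...:636.
    for key, value in main.items():
        if key.endswith(".url") and value.lower().startswith("ldap://"):
            findings.append(f"CLEARTEXT_LDAP:{key}")

    # 2. A bind password stored in the file itself, with no credential store configured.
    has_plain_pw = any(k.endswith(".systemPassword") for k in main)
    has_jceks = any(k.endswith(".hadoopSecurityCredentialPath") for k in main)
    if has_plain_pw and not has_jceks:
        findings.append("PLAINTEXT_BIND_PASSWORD")

    # 3. The catch-all /** must exist, must require authentication, and must be
    #    last: an earlier catch-all shadows the admin-only rules after it.
    catch_all = [(i, v) for i, (k, v) in enumerate(urls) if k == "/**"]
    if not catch_all:
        findings.append("NO_CATCH_ALL_URL")
    else:
        idx, filters = catch_all[0]
        if "anon" in [f.strip() for f in filters.split(",")]:
            findings.append("CATCH_ALL_ANON")
        if idx != len(urls) - 1:
            findings.append("CATCH_ALL_SHADOWS_LATER_RULES")
    return findings


if __name__ == "__main__":
    for label, ini_text in (("article", ARTICLE_INI), ("weak", WEAK_INI)):
        print(label, audit_shiro(ini_text) or "no findings")
```

Run it against the shiro.ini you paste into Ambari before restarting Zeppelin; the ordering check matters because Shiro stops at the first [urls] pattern that matches, so the admin-only API rules only take effect when they sit above the `/**` line.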
Grant Livy the ability to impersonate
Use Ambari to add the following properties to core-site.xml:
```
<property>
  <name>hadoop.proxyuser.livy.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.livy.hosts</name>
  <value>*</value>
</property>
```
Restart HDFS and YARN after this update.
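The `*` values above let the livy service user submit work as any user from any host. That is the quickest way to get the notebook running, but the proxyuser scope can be narrowed to the host the Livy server runs on and to the Hadoop groups that are allowed to use Zeppelin. The checker below is an added example, not part of the original article or of Hadoop; it parses core-site.xml `<property>` entries and reports each proxy user whose groups or hosts scope is a wildcard. The two embedded documents are constructed: the first is the article's grant, the second an assumed narrowed version using the hadoop-admins group from the article's groupRolesMap and a hypothetical host name livy01.your.domain.name.

```python
"""Report wildcard proxyuser (impersonation) scope in a core-site.xml.

Added example, not part of the original article. Parses the <property>
entries of a core-site.xml and lists every hadoop.proxyuser.<user>.<dim>
setting whose value is '*', so the grant can be narrowed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the article's wildcard grant for the livy user.
WILDCARD_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.livy.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.livy.hosts</name><value>*</value></property>
</configuration>"""

# Constructed sample with an assumed narrower scope: the AD group from the
# article's groupRolesMap and a hypothetical Livy server host name.
SCOPED_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.livy.groups</name><value>hadoop-admins</value></property>
  <property><name>hadoop.proxyuser.livy.hosts</name><value>livy01.your.domain.name</value></property>
</configuration>"""

PROXY_DIMENSIONS = ("groups", "hosts", "users")


def proxyuser_settings(xml_text):
    """Return {proxy_user: {dimension: value}} for every hadoop.proxyuser.* property."""
    root = ET.fromstring(xml_text)
    settings = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        parts = name.split(".")
        # Expected shape: hadoop.proxyuser.<user>.<groups|hosts|users>
        if len(parts) == 4 and parts[:2] == ["hadoop", "proxyuser"] and parts[3] in PROXY_DIMENSIONS:
            settings.setdefault(parts[2], {})[parts[3]] = value
    return settings


def wildcard_findings(xml_text):
    """Return {proxy_user: [dimension, ...]} for every dimension set to '*'.

    A missing hosts or groups entry is not reported: without it Hadoop
    denies impersonation for that proxy user rather than allowing it.
    """
    findings = {}
    for user, scope in proxyuser_settings(xml_text).items():
        wild = sorted(dim for dim, value in scope.items() if value == "*")
        if wild:
            findings[user] = wild
    return findings


if __name__ == "__main__":
    for label, doc in (("wildcard", WILDCARD_CORE_SITE), ("scoped", SCOPED_CORE_SITE)):
        print(label, wildcard_findings(doc) or "no wildcard scope")
```

The groups value refers to Hadoop group names, so whatever you put there must resolve through the cluster's group mapping for the users who log in to Zeppelin; the hosts value is matched against the address the Livy server connects from, which is why it should list the Livy host rather than the Zeppelin clients.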
After running a Livy paragraph in the notebook, check that the YARN application list shows the logged-in Zeppelin user (hadoopadmin in this example) as the user running the Livy session. You should see two applications running in YARN: the livy-session-X and the Zeppelin application:
```
application_1478287338271_0003 hadoopadmin livy-session-0
application_1478287338271_0002 zeppelin    Zeppelin
```
Troubleshooting: explore the Zeppelin and Livy interpreter log files:
```
tail -f /var/log/zeppelin/zeppelin-zeppelin-az1secure0.log
tail -f /var/log/zeppelin/zeppelin-interpreter-livy-zeppelin-az1secure0.log
```
Next steps: this multi-part article shows how to secure Spark with Ranger using Zeppelin and Livy for multi-user access:
Securing Spark with Ranger using Zeppelin and Livy for Multi-user access - Part 1
References:
https://zeppelin.apache.org/docs/0.6.0/interpreter/livy.html#faq
http://dev.hortonworks.com.s3.amazonaws.com/HDPDocuments/HDP2/HDP-2-trunk/bk_command-line-installati...
http://dev.hortonworks.com.s3.amazonaws.com/HDPDocuments/HDP2/HDP-2-trunk/bk_command-line-installati...
Created on 01-18-2017 05:14 PM
Hi,
We are using AD for authentication and all AD users are able to login. I want to restrict access to only a few AD users. Is it possible using roles?
Please help on this. Thanks in advance
Created on 01-18-2017 05:14 PM
@azeltov
@azeltov Please help
Created on 02-08-2017 01:14 PM
Hello Sharan, I have the same problem as you. Have you found the way to limit access to specific users/groups? Kind regards, Michał