Community Articles
Find and share helpful community-sourced technical articles
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.
Labels (1)

Environment Setup:

The following components are required for the setup:

· HDP 2.5 cluster/Sandbox

· Ambari 2.4+

· 'Zeppelin Notebook' Service installed in Ambari With HDP 2.5 Sandbox, it will be Zeppelin version 0.6.0. If you don't have Zeppelin installed, it can be installed via 'Add Service' option in Ambari

· Active Directory Keep the 'working' Active Directory details ready (URI, bind DN/password, search base etc.)

Configuration Steps:

In this example, the following environment is used:

· HDP 2.5 Sandbox on VirtualBox.

· Ambari which comes with HDP 2.5 Sandbox

· Zeppelin version 0.6.0

· Active Directory 2012 R2 version

To configure Zeppelin for Active Directory User Authentication, perform the following steps:

1. From Ambari Dashboard, Select the Advanced Zeppelin-config section. Zeppelin Notebook > Configs > Advanced zeppelin-config

2. Set the zeppelin.anonymous.allowedproperty to false. By default, this is set to true so that any user can login to Zeppelin UI as anonymous user. zeppelin.anonymous.allowed property=false

3. On the Ambari page, navigate to the Advanced zeppelin-env section.

4. Locate the shiro_ini_contentproperty. It contains an Apache Shiroconfiguration which Zeppelin uses to perform LDAP/AD authentication and authorization. Make the following changes to configure Zeppelin for Active Directory:

a. Add following Active Directory related information in the [main] section -activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealmactiveDirectoryRealm.systemUsername = cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net activeDirectoryRealm.systemPassword = passw0rd #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/etc/zeppelin/conf/zeppelin.jceks activeDirectoryRealm.searchBase = dc=lab,dc=hortonworks,dc=net activeDirectoryRealm.url = ldap:// activeDirectoryRealm.authorizationCachingEnabled = false

Tip: For the above section, any working Shiro configuration would work. For example, Shiro configuration used by Knox. Another working Shiro configuration could be: contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory contextFactory.url = ldap:// contextFactory.systemUsername = cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net contextFactory.systemPassword = passw0rd contextFactory.authenticationMechanism = SIMPLE activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm activeDirectoryRealm.ldapContextFactory = $contextFactory activeDirectoryRealm.searchBase = dc=lab,dc=hortonworks,dc=net Uncomment sessionManager lines and add "securityManager.realms" line. sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager securityManager.realms = $activeDirectoryRealm

b. Under [urls] section, comment out "/** = anon" line and un-comment "/** = authc" line. The updated shiro_ini_content should look like this:

# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at
#admin = password1
#user1 = password2, role1, role2
#user2 = password3, role3
#user3 = password4, role2
# Sample LDAP configuration, for user Authentication, currently tested for single Realm
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net
activeDirectoryRealm.systemPassword = passw0rd
#activeDirectoryRealm.hadoopSecurityCredentialPath= jceks://user/zeppelin/conf/zeppelin.jceks
activeDirectoryRealm.searchBase = dc=lab,dc=hortonworks,dc=net
activeDirectoryRealm.url = ldap://
activeDirectoryRealm.authorizationCachingEnabled = false
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.realms = $activeDirectoryRealm
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enfore security, comment the line below and uncomment the next one
/api/version = anon
#/** = anon
/** = authc


5. Save the configuration changes and restart Zeppelin Notebook service.

6. Perform the following steps to test the configuration:

a. After restarting the Zeppelin service, open the Zeppelin UI in a new browser tab by typing http://zeppelin-hostname:9995. For example, on HDP 2.5 Sandbox type

b. Click the Login button located on the top right corner.

c. Specify a valid Active Directory username and password in the Login dialog box. Specify a fully qualified user name like " ad-username@AD.DOMAIN.COM", a short username like "ad-username" will result in an error.

d. If the configuration is successful, the user will get logged in and a success message similar to the following will be displayed in the log: WARN [2016-11-26 01:06:27,563] ({qtp627185331-13 - /api/login}[postLogin]:111) - {"status":"OK","message":"","body":{"principal":"hr1@LAB.HORTONWORKS.NET","ticket":"cc231146-293a-4f5e-8045-aea4b0fea37a","roles":"[]"}}

Troubleshooting Configuration issues:

After the configuration changes sometimes the service fails to restart. Most of the issues are related to incorrect or incomplete configurations. Using the Zeppelin log file, user can troubleshoot configuration issues. On a Zeppelin host, the Zeppelin log file is located in the following directory:


The following are some of the configuration issues with resolution:

· Issue: Incorrect Realm class name During restart, Zeppelin service fails to start without any logs in /var/log/zeppelin/ However, the ClassNotFoundException for Realm class error is displayed in the /var/log/zeppelin/

Solution: To resolve this issue, ensure that Realm class name is spelled correctly. Valid realm class names are: org.apache.zeppelin.server.ActiveDirectoryGroupRealm org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm Note: Based on the Realm class used, the Shiro configuration properties might change. So, check the relevant documentation before using.

· Issue: The username and password entered do not match If the username and password do not match, the following message is displayed during login: "The username and password that you entered don't match."

And the following line is displayed in the log file: "Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580^@]" Solution: To resolve this issue, ensure that a fully qualified username with domain name and right password is entered. For example, " ad-username@AD.DOMAIN.COM". A short username like "ad-username" will result in an error.

0 Kudos
Super Guru

@vpoornalingam - Okay :) Please let me know if I can reject ;)

Don't have an account?
Coming from Hortonworks? Activate your account here
Version history
Revision #:
1 of 1
Last update:
‎12-13-2016 03:50 AM
Updated by:
Top Kudoed Authors