Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

How can we configure Zeppelin for secure login?

Highlighted

How can we configure Zeppelin for secure login?

I tried updating zeppelin config files but still I got authentication issues for LDAP accounts. I am not able to understand what should be actual value for below properties

  1. activeDirectoryRealm.systemUsername =
  2. activeDirectoryRealm.systemPassword =

@Artem Ervits could you help

5 REPLIES 5

Re: How can we configure Zeppelin for secure login?

@Amit Panda

You can reference these docs for more information regarding Zeppelin security with Active Directory: http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_zeppelin-component-guide/content/config-s.... Have you seen these docs?

You do not want to hardcode the username/password in the shiro config file. Rather, you will want to add the authentication settings and optionally use a self-signed certificate.

Let me know if you'd like more info - hope this helps!

Highlighted

Re: How can we configure Zeppelin for secure login?

@Dan Zaratsian Thanks for reply But these docs do not provide you exact info. If you already set up zeppelin then if can you share advanced zeppellin-shiro-ini content then it would be grateful.

Highlighted

Re: How can we configure Zeppelin for secure login?

Hi @Amit Panda

- activeDirectoryRealm.systemUsername - this is the value of the AD adminID; that is NOT the bind from LDAP but just the adminID

- activeDirectoryRealm.systemPassword - admin's password; for now that has to be a plain text

You need to provide also the following:

activeDirectoryRealm.searchBase 
activeDirectoryRealm.url
activeDirectoryRealm.groupRolesMap
activeDirectoryRealm.authorizationCachingEnabled = true
securityManager.realms = $activeDirectoryRealm 
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager 
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager 
securityManager.cacheManager = $cacheManager 
securityManager.sessionManager = $sessionManager 
securityManager.sessionManager.globalSessionTimeout = 86400000 
shiro.loginUrl = /api/login

I hope this helps

Highlighted

Re: How can we configure Zeppelin for secure login?

Hi @Daniel Kozlowski Thanks for suggestion, But still unable to login.... see below attached configuration parameters for Advanced Zeppelin-shiro-ini and advised me if anything missing.

advanced-zeppelin-shiro-ini.txt

Highlighted

Re: How can we configure Zeppelin for secure login?

Hi @Amit Panda

1) activeDirectoryRealm.systemUsername

Is this your username - "admin ("?

2) activeDirectoryRealm.systemPassword

As already mentioned in my previous post - you must have activeDirectoryRealm.systemPassword specified and do not use activeDirectoryRealm.hadoopSecurityCredentialPath

3) activeDirectoryRealm.url

You use ldap without port number?

4) activeDirectoryRealm.groupRolesMap

You must have groupRolesMap specified. Currently that is commented out

5) activeDirectoryRealm.searchBase

Is that a correct searchBase? Basically, if you use ldapsearch from the console using details from shiro i.e. systemUsername, systemPassword, searchBase and the user to log into Zeppelin, as output of it you should get the role user is associated with which you will use as groupRolesMap.

Sample ldapsearch:

$ ldapsearch -h <ldap_host> -p <ldap_port> -D <system_user> -w <password> -b "<search_base>" "(&(cn=*)(sAMAccountName=<YourID>))" 

This is to return the role bind to be used in groupRolesMap.

Once you have this configured, log in to Zeppelin UI as <YourID@DOMAIN>.

Don't have an account?
Coming from Hortonworks? Activate your account here