
How can we configure Zeppelin for secure login?

I tried updating the Zeppelin config files but I still get authentication issues for LDAP accounts. I am not able to understand what the actual values for the properties below should be:

  1. activeDirectoryRealm.systemUsername =
  2. activeDirectoryRealm.systemPassword =

@Artem Ervits could you help?


@Amit Panda

You can reference these docs for more information regarding Zeppelin security with Active Directory: http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_zeppelin-component-guide/content/config-s.... Have you seen these docs?

You do not want to hardcode the username/password in the shiro config file. Rather, you will want to add the authentication settings and optionally use a self-signed certificate.

Let me know if you'd like more info - hope this helps!

@Dan Zaratsian Thanks for the reply, but these docs do not provide the exact info. If you have already set up Zeppelin, I would be grateful if you could share your advanced zeppelin-shiro-ini content.

Hi @Amit Panda

- activeDirectoryRealm.systemUsername - this is the value of the AD adminID; that is NOT the bind from LDAP but just the adminID

- activeDirectoryRealm.systemPassword - admin's password; for now that has to be plain text

You also need to provide the following:

activeDirectoryRealm.searchBase 
activeDirectoryRealm.url
activeDirectoryRealm.groupRolesMap
activeDirectoryRealm.authorizationCachingEnabled = true
securityManager.realms = $activeDirectoryRealm 
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager 
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager 
securityManager.cacheManager = $cacheManager 
securityManager.sessionManager = $sessionManager 
securityManager.sessionManager.globalSessionTimeout = 86400000 
shiro.loginUrl = /api/login

I hope this helps

Hi @Daniel Kozlowski Thanks for the suggestion, but I am still unable to log in. See the attached configuration parameters for Advanced zeppelin-shiro-ini and advise me if anything is missing.

advanced-zeppelin-shiro-ini.txt

Hi @Amit Panda

1) activeDirectoryRealm.systemUsername

Is this your username - "admin ("?

2) activeDirectoryRealm.systemPassword

As already mentioned in my previous post, you must have activeDirectoryRealm.systemPassword specified, and do not use activeDirectoryRealm.hadoopSecurityCredentialPath.

3) activeDirectoryRealm.url

Are you using ldap without a port number?

4) activeDirectoryRealm.groupRolesMap

You must have groupRolesMap specified. Currently it is commented out.

5) activeDirectoryRealm.searchBase

Is that the correct searchBase? Basically, if you run ldapsearch from the console using the details from shiro (i.e. systemUsername, systemPassword, searchBase and the user who will log into Zeppelin), the output should give you the role the user is associated with, which you will use in groupRolesMap.

Sample ldapsearch:

$ ldapsearch -h <ldap_host> -p <ldap_port> -D <system_user> -w <password> -b "<search_base>" "(&(cn=*)(sAMAccountName=<YourID>))" 

This is to return the role bind to be used in groupRolesMap.

Once you have this configured, log in to Zeppelin UI as <YourID@DOMAIN>.
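
As an added example (not part of any reply above, and not Zeppelin or Shiro code), here is a small Python linter that applies the five checks from the last reply to the [main] section of a shiro.ini. The function names, the sample values and the jceks path are constructed for illustration.

```python
import re

PREFIX = "activeDirectoryRealm."
REQUIRED = ("systemUsername", "systemPassword", "searchBase", "url", "groupRolesMap")

def parse_main(text):
    """Collect activeDirectoryRealm.* keys from [main]: (active, commented-out)."""
    active, commented, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "main" and "=" in line:
            # Shiro INI comments start with '#' or ';'
            target = commented if line[0] in "#;" else active
            key, _, value = line.lstrip("#; ").partition("=")
            if key.strip().startswith(PREFIX):
                target[key.strip()[len(PREFIX):]] = value.strip()
    return active, commented

def check(text):
    """Return findings for the five points raised in the last reply."""
    active, commented = parse_main(text)
    findings = []
    for name in REQUIRED:
        if not active.get(name):
            state = "commented out" if name in commented else "missing or empty"
            findings.append(f"{name}: {state}")
    if re.search(r"[\s()]", active.get("systemUsername", "")):
        findings.append("systemUsername: stray whitespace or parenthesis")
    if "hadoopSecurityCredentialPath" in active:
        findings.append("hadoopSecurityCredentialPath: set, reply says use systemPassword")
    url = active.get("url", "")
    if url and not re.fullmatch(r"ldaps?://(\[[^\]]+\]|[^/:\s]+):\d+/?", url):
        findings.append("url: expected ldap(s)://host:port with an explicit port")
    return findings

# Constructed sample reproducing the problems listed in the reply (hypothetical values).
SAMPLE = """[main]
activeDirectoryRealm.systemUsername = admin (
activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/placeholder.jceks
activeDirectoryRealm.searchBase = DC=example,DC=com
activeDirectoryRealm.url = ldap://ad.example.com
#activeDirectoryRealm.groupRolesMap = "CN=zeppelin-admins,DC=example,DC=com":"admin"
"""

if __name__ == "__main__":
    print("\n".join(check(SAMPLE)))
```

Since the reply has systemPassword stored in plain text, keep the file readable only by the account that runs Zeppelin.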
