Created 05-10-2017 08:51 PM
I tried updating the Zeppelin config files, but I still got authentication issues for LDAP accounts. I am not able to understand what the actual values should be for the properties below.
@Artem Ervits could you help?
Created 05-11-2017 01:04 PM
You can reference these docs for more information regarding Zeppelin security with Active Directory: http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_zeppelin-component-guide/content/config-s.... Have you seen these docs?
You do not want to hardcode the username/password in the shiro config file. Rather, you will want to add the authentication settings and optionally use a self-signed certificate.
Let me know if you'd like more info - hope this helps!
Created 05-12-2017 08:13 PM
@Dan Zaratsian Thanks for the reply, but these docs do not provide the exact info. If you have already set up Zeppelin, could you share your Advanced zeppelin-shiro-ini content? I would be grateful.
Created 05-11-2017 02:21 PM
Hi @Amit Panda
- activeDirectoryRealm.systemUsername - this is the value of the AD adminID; that is NOT the bind from LDAP but just the adminID
- activeDirectoryRealm.systemPassword - admin's password; for now that has to be plain text
You also need to provide the following:
activeDirectoryRealm.searchBase
activeDirectoryRealm.url
activeDirectoryRealm.groupRolesMap
activeDirectoryRealm.authorizationCachingEnabled = true
securityManager.realms = $activeDirectoryRealm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
I hope this helps
Created 05-12-2017 08:13 PM
Hi @Daniel Kozlowski Thanks for the suggestion, but I am still unable to log in. See the attached configuration parameters for Advanced zeppelin-shiro-ini below and advise me if anything is missing.
Created 05-14-2017 05:26 AM
Hi @Amit Panda
1) activeDirectoryRealm.systemUsername
Is this your username - "admin ("?
2) activeDirectoryRealm.systemPassword
As already mentioned in my previous post - you must have activeDirectoryRealm.systemPassword specified and do not use activeDirectoryRealm.hadoopSecurityCredentialPath
3) activeDirectoryRealm.url
You use ldap without port number?
4) activeDirectoryRealm.groupRolesMap
You must have groupRolesMap specified. Currently that is commented out
5) activeDirectoryRealm.searchBase
Is that a correct searchBase? Basically, if you use ldapsearch from the console using the details from shiro, i.e. systemUsername, systemPassword, searchBase and the user to log into Zeppelin, then as its output you should get the role the user is associated with, which you will use as groupRolesMap.
Sample ldapsearch:
$ ldapsearch -h <ldap_host> -p <ldap_port> -D <system_user> -w <password> -b "<search_base>" "(&(cn=*)(sAMAccountName=<YourID>))"
This is to return the role bind to be used in groupRolesMap.
Once you have this configured, log in to Zeppelin UI as <YourID@DOMAIN>.
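The five points in the checklist above can be checked offline before restarting Zeppelin. The following lint is an added example, not part of the original thread or of Zeppelin's own tooling; the function names, the sample config, the host name and the credential path are constructed for illustration.

```python
import re

PREFIX = "activeDirectoryRealm."
REQUIRED = ("systemUsername", "systemPassword", "url", "searchBase", "groupRolesMap")

# Constructed sample showing the kinds of problems raised in the thread.
SAMPLE = """\
[main]
activeDirectoryRealm.systemUsername = admin (
activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/tmp/example.jceks
activeDirectoryRealm.url = ldap://ad.example.com
activeDirectoryRealm.searchBase = DC=example,DC=com
#activeDirectoryRealm.groupRolesMap = "CN=zeppelin-users,DC=example,DC=com":"admin"
"""

def parse_shiro(text):
    """Return (active, commented) dicts of activeDirectoryRealm.* settings."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line, target = raw.strip(), active
        if line.startswith(("#", ";")):          # Shiro INI comment markers
            line, target = line.lstrip("#; \t"), commented
        key, sep, value = line.partition("=")    # split on the first '=' only
        if sep and key.strip().startswith(PREFIX):
            target[key.strip()[len(PREFIX):]] = value.strip()
    return active, commented

def check_realm(text):
    """List findings for the five checklist points from the thread."""
    active, commented = parse_shiro(text)
    findings = []
    for name in REQUIRED:
        if name not in active:
            state = "commented out" if name in commented else "missing"
            findings.append(f"{name}: {state}")
    if "hadoopSecurityCredentialPath" in active:
        findings.append("hadoopSecurityCredentialPath: in use")
    url = active.get("url", "")
    if url and not re.match(r"^ldaps?://[^/:]+:\d+", url):
        findings.append("url: no explicit port")
    if re.search(r"[()\"]", active.get("systemUsername", "")):
        findings.append("systemUsername: stray quote or parenthesis")
    return findings

if __name__ == "__main__":
    for finding in check_realm(SAMPLE):
        print(finding)
```

An empty result only means the settings are present and well-formed; whether searchBase and groupRolesMap are correct still has to be confirmed with the ldapsearch query above.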