Support Questions

colin_a_cunning · ‎02-03-2017

Hi. I have started a HDP Sandbox 2.5.0 in Azure. I see that current sandbox has issue in that Zeppelin is not accessible from Abari Views. I can get to Zeppelin via port 9995 in browser but it has me as anonymous. How can I switch to being user maria_dev and interact w/ my sandbox.hortonworks.com build in Zeppelin?

Thanks. - Colin

p.s. I was unsuccessfully trying to move my way thru the tutorial here, https://github.com/hortonworks/tutorials/blob/hdp-2.5/tutorials/hortonworks/getting-started-with-apa....

rguruvannagari · ‎02-03-2017

@Colin Cunningham

By default zeppelin is configured with anonymous authentcation. You must set [url] section in shiro_ini of zeppelin service as below. And without AD/LDAP authencation you can set the usernames in [users]. After this changes restart zeppelin services. Now with /api/anon commented you must login with user name set in [users]

[users] 
# List of users with their password allowed to access Zeppelin. 
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections 
maria_dev = <password> , admin  #### Add this line 
#admin = password1, admin 
#user1 = password2, role1, role2 
#user2 = password3, role3 

[urls] 

# This section is used for url-based security. 
# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide. 
# anon means the access is anonymous. 
# authc means Form based Auth Security 
# To enfore security, comment the line below and uncomment the next one 
/api/version = anon 
#/** = anon ###Comment anon
/** = authc    ####Add this line

View solution in original post

rguruvannagari · ‎02-03-2017

@Colin Cunningham

By default zeppelin is configured with anonymous authentcation. You must set [url] section in shiro_ini of zeppelin service as below. And without AD/LDAP authencation you can set the usernames in [users]. After this changes restart zeppelin services. Now with /api/anon commented you must login with user name set in [users]

[users] 
# List of users with their password allowed to access Zeppelin. 
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections 
maria_dev = <password> , admin  #### Add this line 
#admin = password1, admin 
#user1 = password2, role1, role2 
#user2 = password3, role3 

[urls] 

# This section is used for url-based security. 
# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide. 
# anon means the access is anonymous. 
# authc means Form based Auth Security 
# To enfore security, comment the line below and uncomment the next one 
/api/version = anon 
#/** = anon ###Comment anon
/** = authc    ####Add this line

colin_a_cunning · ‎02-03-2017

Thank you.

lraheja · ‎02-03-2017

@Colin Cunningham

You can follow below steps:

Go to shiro.ini file and edit following section:

1) Under [users] section, you can put username and password you want to use for login :

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
admin = password1
maria_dev = maria_dev

2) Under [Url] section make below change:

[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enfore security, comment the line below and uncomment the next one
/api/version = anon
#/** = anon
/** = authc

3) Restart the service.

colin_a_cunning · ‎02-03-2017

Thank you. I restarted service but going to browser on :9995, I guess I still don't know how to switch from the user anonymous. below is how the tail of my shiro.ini [urls] section now reads in case you see any issue here.

-Colin

/api/version = anon

/** = anon

#/** = authc

colin_a_cunning · ‎02-03-2017

@Iraheja or @rguruvannagari . Thanks for both your answers. Any pointers how to switch users in Zeppelin? I'm stuck on anonymous still after restarting zeppelin w/ the above changes to my shiro.ini config file. I don't see a way in the zeppelin UI to switch users. I can update the 'credential' but I don't really know what that is for. I am clearly a zeppelin newbie. -Colin

rguruvannagari · ‎02-03-2017

Can you please provide shiro ini content ?

colin_a_cunning · ‎02-03-2017

[root@sandbox conf]# more shiro.ini

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
#admin = password1
#user1 = password2, role1, role2
#user2 = password3, role3
#user3 = password4, role2


# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
#activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = CN=Administrator,CN=Users,DC=HW,DC=EXAMPLE,DC=COM
#activeDirectoryRealm.systemPassword = Password1!
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
#activeDirectoryRealm.searchBase = CN=Users,DC=HW,DC=TEST,DC=COM
#activeDirectoryRealm.url = ldap://ad-nano.test.example.com:389
#activeDirectoryRealm.groupRolesMap = ""
#activeDirectoryRealm.authorizationCachingEnabled = true


#ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
#ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=example,dc=com
#ldapRealm.contextFactory.url = ldap://ldaphost:389
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE
#sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
#securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login


[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enfore security, comment the line below and uncomment the next one
/api/version = anon
/** = anon
#/** = authc

colin_a_cunning · ‎02-03-2017

@rguruvannagari. I don't know if it was the trick but I set the property zeppelin.anonymous.allowed to false in conf/zeppelin-site.xml and then restarted zeppelin. i also noticed that my shiro.ini changes were reversed or reset to the original. confused but now i was prompted for login. I used maria_dev and it worked. i will carry on w/ the tutorial.

arnabarnab · ‎02-22-2017

Its a two step process involving changes in 4 lines which i have marked below. Access shiro.ini from Ambari using admin user id only . Please note accessing it any other way will not be useful as it will not preserve the change and will keep getting overwritten every time the zapplin service is restarted.

So access shiro.ini in the following path : Ambari, Zeppelin > Configs > Advanced zeppelin-env > shiro_ini_content and make the following changes :

A.

# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
maria_dev =<password>, admin #### <------Add this line #this is the first change#
#admin = password1, admin

B.

Near the end of the file there you should file the following lines :

# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enfore security, comment the line below and uncomment the next one
#/api/version = anon <------comment this line #this is the second change#
#/** = anon <------comment this line #this is the third change#
/** = authc <------uncomment this line #this is the fourthchange#

Cloudera Community

Support Questions

Sanbox Zeppelin: How to login as maria_dev (not anonymous)