Support Questions

Seaport · ‎01-20-2022

I am using CDP 7.1.7 and the cluster has not enabled Kerbores yet. Ranger is not enabled either. I followed the step in this post https://community.cloudera.com/t5/Support-Questions/CDP-7-1-3-Zepplin-not-able-to-login-with-default... to be able to log in as admin. But this "admin" account has no permission to access the configuration or interpreter page.

According to CDP documentation, https://docs.cloudera.com/cdp-private-cloud-base/7.1.6/configuring-zeppelin/topics/enabling_access_c... to configure shiro.ini for Zeppelin security, I have to go through Zeppelin web UI.

What should I do?

Regards,

Scharan · ‎01-20-2022

@Seaport

To provide access to interpreter page, comment/delete below line[1] from shiro configuration url section or configure roles as mentioned in doc[2]

[1]: /api/interpreter/** = authc, roles[admin]

[2]: https://zeppelin.apache.org/docs/0.6.2/security/shiroauthentication.html#active-directory

View solution in original post

Seaport · ‎01-21-2022

@Scharan I figured out. CDP Cloudera Manager UI did expose shiro.ini like Ambari, but did it via a different layout, which I should have realized earlier.

Under "zeppelin.shiro.user.block", I added

admin=admin, admin

, and it worked.

Thanks.

View solution in original post

Scharan · ‎01-20-2022

@Seaport

To provide access to interpreter page, comment/delete below line[1] from shiro configuration url section or configure roles as mentioned in doc[2]

[1]: /api/interpreter/** = authc, roles[admin]

[2]: https://zeppelin.apache.org/docs/0.6.2/security/shiroauthentication.html#active-directory

Seaport · ‎01-21-2022

@Scharan Thanks for the reply. I followed your recommendation and got the same permission error. I felt the disconnect is that, I added a user called admin successfully. The configuration

 /api/interpreter/** = authc, roles[admin]

is for a role called admin. The link between a user and a role seems to be inside shiro.ini, which I have no idea how I can access.

I used Zeppelin in HDP and the HDP Zeppelin exposes its shiro.ini via Zeppelin configuration inside Ambari. Now in CDP I cannot find a similar configuration inside Cloudera Manager.

Seaport · ‎01-21-2022

On the Zeppellin node, under the directory /etc/zeppelin/conf, I found the following files.

++

configuration.xsl
interpreter-list
log4j.properties
log4j_yarn_cluster.properties
shiro.ini.template
zeppelin-env.cmd.template
zeppelin-env.sh.template
zeppelin-site.xml.template

++

Should I create a shiro.ini file here?

Seaport · ‎01-21-2022

@Scharan I figured out. CDP Cloudera Manager UI did expose shiro.ini like Ambari, but did it via a different layout, which I should have realized earlier.

Under "zeppelin.shiro.user.block", I added

admin=admin, admin

, and it worked.

Thanks.

Seaport · ‎01-21-2022

@Scharan By the way, under Zeppelin Shiro Urls Block, the original value is

++

/api/interpreter/** = authc, roles[{{zeppelin_admin_group}}]

++

Could you tell me what this notation {{zeppelin_admin_group}} for? I saw this kind of notation - double curly braces - frequently. Is it a token to be replaced? If yes, what kind of replacement it is waiting for?

Thanks.

Scharan · ‎01-21-2022

@Seaport For /api/interpreter/** = authc, roles[{{zeppelin_admin_group}}] you need to configure roles in shiro configuration, Refer to the following doc for more info

https://zeppelin.apache.org/docs/0.8.0/setup/security/shiro_authentication.html#secure-your-zeppelin...

https://community.cloudera.com/t5/Support-Questions/Zeppelin-user-role-mapping-using-Active-Director...

Cloudera Community

Support Questions

Zeppelin admin account does not have any permission