Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Zeppelin admin account does not have any permission

avatar
Expert Contributor

I am using CDP 7.1.7 and the cluster has not enabled Kerbores yet. Ranger is not enabled either. I followed the step in this post https://community.cloudera.com/t5/Support-Questions/CDP-7-1-3-Zepplin-not-able-to-login-with-default... to be able to log in as admin. But this "admin" account has no permission to access the configuration or interpreter page. 

 

According to CDP documentation, https://docs.cloudera.com/cdp-private-cloud-base/7.1.6/configuring-zeppelin/topics/enabling_access_c... to configure shiro.ini for Zeppelin security, I have to go through Zeppelin web UI. 

 

What should I do?

 

Regards,

 

2 ACCEPTED SOLUTIONS

avatar
Master Collaborator

@Seaport 

To provide access to interpreter page, comment/delete below line[1] from shiro configuration url section or configure roles as mentioned in doc[2]

[1]: /api/interpreter/** = authc, roles[admin]

[2]: https://zeppelin.apache.org/docs/0.6.2/security/shiroauthentication.html#active-directory

 

View solution in original post

avatar
Expert Contributor

@Scharan I figured out. CDP Cloudera Manager UI did expose shiro.ini like Ambari, but did it via a different layout, which I should have realized earlier.

 

Under "zeppelin.shiro.user.block", I added

admin=admin, admin

, and it worked. 

 

Thanks.

View solution in original post

6 REPLIES 6

avatar
Master Collaborator

@Seaport 

To provide access to interpreter page, comment/delete below line[1] from shiro configuration url section or configure roles as mentioned in doc[2]

[1]: /api/interpreter/** = authc, roles[admin]

[2]: https://zeppelin.apache.org/docs/0.6.2/security/shiroauthentication.html#active-directory

 

avatar
Expert Contributor

@Scharan Thanks for the reply. I followed your recommendation and got the same permission error. I felt the disconnect is that, I added a user called admin successfully. The configuration

 /api/interpreter/** = authc, roles[admin]

is for a role called admin. The link between a user and a role seems to be inside shiro.ini, which I have no idea how I can access.

 

I used Zeppelin in HDP and the HDP Zeppelin exposes its shiro.ini via Zeppelin configuration inside Ambari. Now in CDP I cannot find a similar configuration inside Cloudera Manager.

 

avatar
Expert Contributor

On the Zeppellin node, under the directory /etc/zeppelin/conf, I found the following files.

++

configuration.xsl
interpreter-list
log4j.properties
log4j_yarn_cluster.properties
shiro.ini.template
zeppelin-env.cmd.template
zeppelin-env.sh.template
zeppelin-site.xml.template

++

Should I create a shiro.ini file here? 

avatar
Expert Contributor

@Scharan I figured out. CDP Cloudera Manager UI did expose shiro.ini like Ambari, but did it via a different layout, which I should have realized earlier.

 

Under "zeppelin.shiro.user.block", I added

admin=admin, admin

, and it worked. 

 

Thanks.

avatar
Expert Contributor

@Scharan By the way, under Zeppelin Shiro Urls Block, the original value is

++

/api/interpreter/** = authc, roles[{{zeppelin_admin_group}}]

++

Could you tell me what this notation {{zeppelin_admin_group}} for? I saw this kind of notation - double curly braces - frequently. Is it a token to be replaced? If yes, what kind of replacement it is waiting for?

 

Thanks.

avatar
Master Collaborator

@Seaport  For /api/interpreter/** = authc, roles[{{zeppelin_admin_group}}] you need to configure roles in shiro configuration, Refer to the following doc for more info

 

https://zeppelin.apache.org/docs/0.8.0/setup/security/shiro_authentication.html#secure-your-zeppelin...

 

https://community.cloudera.com/t5/Support-Questions/Zeppelin-user-role-mapping-using-Active-Director...