Zeppelin interpreters disappear when security is enabled

avatar
New Contributor

Hi,

When enabling security in the Zeppelin configuration through Ambari 2.4 in HDP 2.5 (i.e. setting anonymous to false and using "/** = authc"), the interpreters mysteriously disappear from the web GUI. See the pictures before and after:

7257-zeppelin-anon.png

and after security is turned on:

7258-zeppelin.png

Note: I have not enabled Kerberos - is this the problem?

Otherwise thoroughly enjoying the new version of HDP 🙂

Terry

1 ACCEPTED SOLUTION

avatar

Please see the below working shiro.ini.

Uncommenting the sessionManager and securityManager lines, as below, and ensuring that the [roles] block was included, resolved the issue for me with the interpreters not displaying in the UI after enabling authentication.

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000

shiro.ini:

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
admin = password1, admin
#user1 = password2, role1, role2
#user2 = password3, role3
#user3 = password4, role2
# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
#ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
#ldapRealm.userDnTemplate = CN={0},OU=standard,OU=Users,ou=enterprise,dc=vds,dc=logon
#ldapRealm.contextFactory.url = ldaps://ProdIZvds.8389.corporate.ge.com:636
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hours
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[roles]
role1 = *
role2 = *
role3 = *
admin = *
[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enforce security, comment the line below and uncomment the next one
#/api/version = anon
#/** = authc
#/** = authc
/**=authc

Thanks to @Ancil McBarnett for his guidance.

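A small lint for the conditions the accepted answer names, as an added example that is not part of the original post or of Zeppelin or Shiro: with `/** = authc` active, it checks that the sessionManager lines are uncommented and that every role assigned in [users] exists in [roles]. The function names are hypothetical, and the BROKEN sample is constructed by commenting out and dropping lines from the working file.

```python
def parse_shiro_ini(text):
    """Parse Shiro's INI dialect into {section: {key: value}}; '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # values may contain '=' (e.g. LDAP DNs)
            current[key.strip()] = value.strip()
    return sections

def check_zeppelin_shiro(text):
    """Return a list of findings; an empty list means all three checks passed."""
    ini = parse_shiro_ini(text)
    main, urls = ini.get("main", {}), ini.get("urls", {})
    users, roles = ini.get("users", {}), ini.get("roles", {})
    findings = []
    if "authc" not in [f.strip() for f in urls.get("/**", "").split(",")]:
        findings.append("[urls] does not map /** to authc")
    mgr = main.get("securityManager.sessionManager", "")
    if not mgr.startswith("$") or mgr[1:] not in main:
        findings.append("[main] sessionManager is not defined and wired to securityManager")
    for user, spec in users.items():
        # [users] format: name = password, role1, role2, ...
        for role in (r.strip() for r in spec.split(",")[1:]):
            if role and role not in roles:
                findings.append(f"user {user!r} has role {role!r} missing from [roles]")
    return findings

# Active (uncommented) lines of the working shiro.ini from the answer above.
WORKING = """\
[users]
admin = password1, admin
[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
[roles]
admin = *
[urls]
/**=authc
"""
# Constructed failing variant: sessionManager lines commented out, [roles] dropped.
BROKEN = "\n".join("#" + l if "sessionManager" in l else l
                   for l in WORKING.splitlines() if l not in ("[roles]", "admin = *"))

if __name__ == "__main__":
    print(check_zeppelin_shiro(WORKING), check_zeppelin_shiro(BROKEN), sep="\n")
```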

5 REPLIES

avatar
New Contributor

Solved!

Running: /usr/hdp/2.5.0.0-1245/zeppelin/bin/install-interpreter.sh --all

gave me back the interpreters (plus a few community ones).

avatar
Contributor

I tried running the command that @Terje Berg-Hansen suggested. I ran it as user "Zeppelin" on the node where Zeppelin is installed but it did not make any difference. Here is another thread that talks about the same topic. This issue is still unresolved.

https://community.hortonworks.com/questions/58454/hdp-25-zeppelin-06-ldap-interpreters-are-not-shown...

avatar

Thanks @slachterman! This resolved the problem for me.

avatar
Contributor

Awesome! This worked for me. The timing could not have been better. I was working on setting up Zeppelin with OpenLDAP and Livy today (HDP 2.5) and this was one of the issues I had to solve.

Thank you!