Created 04-10-2018 08:26 AM
Hello,
Is it possible to do authentication only with a Kerberos principal in a Kerberized cluster? (without using AD or LDAP)
Regards.
Created 04-10-2018 01:24 PM
I guess you ran the Kerberos wizard through Ambari; if so, the corresponding keytabs must have already been generated, so no need for any action.
The Zeppelin daemon needs a Kerberos account and keytab to run in a Kerberized cluster. Have a look at the %spark interpreter, at properties like spark.yarn.keytabs or spark.yarn.principal; they should already be filled.
All the configuration is in the shiro.ini. You can even map local users and restart Zeppelin; these users should be able to log in to the Zeppelin UI.
These are the default users:
[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...)
# check the shiro doc at http://shiro.apache.org/configuration.html
# Configuration-INI Sections
admin = admin, admin
user1 = user1, role1, role2
user2 = user2, role3
user3 = user3, role2
# Added user John/John
John = John, role1, role2
But your Spark queries won't necessarily run after logging in as one of these. For Spark queries to run, the user needs to be a local user on the Linux box. Hence these are just default logins which you can change yourself.
For simple configs, you can add more username/password pairs in text format in the [users] section; in the above example I added
John = John, role1, role2
And could log on to the Zeppelin UI as John/John.
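An added example, not part of the original post: a small audit of a shiro.ini [users] section that flags cleartext passwords, passwords equal to the username, and the template accounts listed above. The sample file is constructed, the entries "bob" and "alice" are hypothetical, and treating values that start with "$shiro1$" as hashed is an assumption about how the realm is configured.

```python
import re

# Constructed sample modelled on the [users] block above; "bob" and "alice" are hypothetical.
SAMPLE_SHIRO_INI = """\
[users]
# List of users with their password allowed to access Zeppelin.
admin = admin, admin
user1 = user1, role1, role2
John = John, role1, role2
bob = S3cret, role1
alice = $shiro1$SHA-256$500000$c2FsdA==$ZXhhbXBsZQ==, role1

[urls]
/** = authc
"""

# Account names shipped in the template quoted on this page.
TEMPLATE_ACCOUNTS = {"admin", "user1", "user2", "user3"}


def parse_users(ini_text):
    """Return {username: (password, [roles])} from the [users] section only."""
    users, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "users" and "=" in line:
            name, _, rest = line.partition("=")
            fields = [f.strip() for f in rest.split(",")]
            users[name.strip()] = (fields[0], fields[1:])
    return users


def audit_users(ini_text):
    """Return {username: [findings]} for entries that need attention."""
    report = {}
    for name, (password, _roles) in parse_users(ini_text).items():
        # Assumption: values in Shiro's "$shiro1$" hash format are hashed, not cleartext.
        if password.startswith("$shiro1$"):
            continue
        issues = ["password equals username" if password == name else "cleartext password"]
        if name in TEMPLATE_ACCOUNTS:
            issues.append("template default account")
        report[name] = issues
    return report
```

Calling audit_users() on the text of a real shiro.ini returns one list of findings per flagged user; an empty dict means no cleartext or template entries were found in [users].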
Created 04-10-2018 09:07 AM
The answer is YES, but there are trade-offs.
LDAP authentication is used for holding authoritative information about the accounts, such as what they're allowed to access (authorization), the user's full name and uid for centralized authentication, meaning you have to log in to every service, but if you change your password it changes everywhere.
Kerberos is used to manage credentials securely (authentication) and is single sign-on (SSO), meaning you log in once and get a token and don't need to log in to other services.
There's a trade-off: LDAP is less convenient but simpler. Kerberos is more convenient but more complex. Secure things are simple and convenient.
There's no right answer. If you need SSO use Kerberos. Else LDAP.
Created 04-10-2018 10:20 AM
Thanks @Geoffrey Shelton Okot
I already have a Zeppelin instance in a Kerberized cluster. Should I do extra configuration for Kerberos authentication? I couldn't log in to the Zeppelin UI with a Kerberos principal.