Support Questions

Find answers, ask questions, and share your expertise

Zeppelin kerberos authentication

avatar
Expert Contributor

Hello,

is it possible to do authentication only with kerberos principal in a kerberized cluster? (without using AD or LDAP)

Regard.

1 ACCEPTED SOLUTION

avatar
Master Mentor

@Mustafa Kemal MAYUK

I guess you run the Kerberos wizard through Ambari if so the corresponding keytabs must have already been generated so no need for any action.

The Zeppelin daemon needs a Kerberos account and keytab to run in a Kerberized cluster. Have a look at %spark interpreter like the property spark.yarn.keytabs or spark.yarn.principal they should already be filled.

All the configuration is in the shiro.ini, you can even map local users and restart Zeppelin these users should be able to login Zeppelin UI.

These are the default users

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) 
# check the shiro doc at http://shiro.apache.org/configuration.html
# Configuration-INI Sections
admin = admin, admin
user1 = user1, role1, role2
user2 = user2, role3
user3 = user3, role2
# Added user John/John
John = John, role1, role2

But your spark queries won't necessarily run after logging in as one of these. For spark queries to run, the user needs to be a local user on the Linux box. Hence these are just default logins which you can change yourself.

For simple configs, you can add more username/password in text format in [users] section in the above example I added

John = John, role1, role2

And could log on to zeppelin UI as John/John

View solution in original post

3 REPLIES 3

avatar
Master Mentor

@Mustafa Kemal MAYUK

The answer is YES but there are trade off's

LDAP authentication is used for holding authoritative information about the accounts, such as what they're allowed to access (authorization), the user's full name and uid for centralized authentication, meaning you have to log in to every service, but if you change your password it changes everywhere.

Kerberos is used to manage credentials securely (authentication) and is single sign-on (SSO), meaning you log in once and get a token and don't need to login to other services.

There's a trade-off: LDAP is less convenient but simpler. Kerberos is more convenient but more complex. Secure things are simple and convenient.

There's no right answer. If you need SSO use Kerberos. Else LDAP.

avatar
Expert Contributor

Thanks @Geoffrey Shelton Okot

I have already a Zeppelin instance in a kerberized cluster. Should I do extra configuration for kerberos authentication? I couldn't login to zeppelin ui with a kerberos principal.

avatar
Master Mentor

@Mustafa Kemal MAYUK

I guess you run the Kerberos wizard through Ambari if so the corresponding keytabs must have already been generated so no need for any action.

The Zeppelin daemon needs a Kerberos account and keytab to run in a Kerberized cluster. Have a look at %spark interpreter like the property spark.yarn.keytabs or spark.yarn.principal they should already be filled.

All the configuration is in the shiro.ini, you can even map local users and restart Zeppelin these users should be able to login Zeppelin UI.

These are the default users

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) 
# check the shiro doc at http://shiro.apache.org/configuration.html
# Configuration-INI Sections
admin = admin, admin
user1 = user1, role1, role2
user2 = user2, role3
user3 = user3, role2
# Added user John/John
John = John, role1, role2

But your spark queries won't necessarily run after logging in as one of these. For spark queries to run, the user needs to be a local user on the Linux box. Hence these are just default logins which you can change yourself.

For simple configs, you can add more username/password in text format in [users] section in the above example I added

John = John, role1, role2

And could log on to zeppelin UI as John/John