Zeppelin kerberos authentication

Expert Contributor

Hello,

Is it possible to do authentication only with a Kerberos principal in a kerberized cluster (without using AD or LDAP)?

Regards.



Master Mentor

@Mustafa Kemal MAYUK

The answer is YES, but there are trade-offs.

LDAP authentication is used for holding authoritative information about the accounts, such as what they're allowed to access (authorization) and the user's full name and uid, for centralized authentication, meaning you have to log in to every service, but if you change your password it changes everywhere.

Kerberos is used to manage credentials securely (authentication) and is single sign-on (SSO), meaning you log in once, get a token and don't need to log in to other services.

There's a trade-off: LDAP is less convenient but simpler. Kerberos is more convenient but more complex. Secure things are simple and convenient.

There's no right answer. If you need SSO, use Kerberos; otherwise, LDAP.

Expert Contributor

Thanks @Geoffrey Shelton Okot

I already have a Zeppelin instance in a kerberized cluster. Should I do extra configuration for Kerberos authentication? I couldn't log in to the Zeppelin UI with a Kerberos principal.

Master Mentor

@Mustafa Kemal MAYUK

I guess you ran the Kerberos wizard through Ambari; if so, the corresponding keytabs must have already been generated, so there is no need for any action.

The Zeppelin daemon needs a Kerberos account and keytab to run in a kerberized cluster. Have a look at the %spark interpreter properties like spark.yarn.keytabs or spark.yarn.principal; they should already be filled.

All the configuration is in shiro.ini. You can even map local users and restart Zeppelin; these users should then be able to log in to the Zeppelin UI.

These are the default users:

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) 
# check the shiro doc at http://shiro.apache.org/configuration.html
# Configuration-INI Sections
admin = admin, admin
user1 = user1, role1, role2
user2 = user2, role3
user3 = user3, role2
# Added user John/John
John = John, role1, role2

But your Spark queries won't necessarily run after logging in as one of these. For Spark queries to run, the user needs to be a local user on the Linux box. Hence these are just default logins which you can change yourself.

For simple configs, you can add more username/password entries in text format in the [users] section. In the above example I added

John = John, role1, role2

and could log on to the Zeppelin UI as John/John.
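As an added example that is not part of this thread or of Zeppelin's own code: a small Python audit of the shiro.ini [users] section described in the reply above. It parses the "name = password, role, ..." entries and flags the plaintext, default and username-as-password logins that are fine for a test box but should not survive on a kerberized production cluster. The sample ini text is constructed from the block quoted above, and treating a "$shiro1$" prefix as the marker of a hashed Shiro password is an assumption.

```python
from typing import Dict, List, Tuple

# Constructed sample: the [users] block quoted above plus a trailing
# [roles] section so the parser has to stop at the section boundary.
SAMPLE_SHIRO_INI = """\
[users]
# List of users with their password allowed to access Zeppelin.
admin = admin, admin
user1 = user1, role1, role2
user2 = user2, role3
# Added user John/John
John = John, role1, role2

[roles]
role1 = *
"""

def parse_users(ini_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (name, password, roles) for each [users] entry; other sections are skipped."""
    users, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "users" or "=" not in line:
            continue
        name, rhs = (part.strip() for part in line.split("=", 1))
        fields = [f.strip() for f in rhs.split(",")]  # password, role, role, ...
        users.append((name, fields[0], fields[1:]))
    return users

def audit_users(ini_text: str) -> Dict[str, List[str]]:
    """Map each risky account to its findings; clean accounts are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, password, _roles in parse_users(ini_text):
        issues = []
        # Assumption: hashed Shiro passwords start with "$shiro1$"; anything else is plaintext.
        if not password.startswith("$shiro1$"):
            issues.append("stored in plaintext")
        if password.lower() == name.lower():
            issues.append("password equals username")
        if (name, password) == ("admin", "admin"):
            issues.append("shipped default admin/admin credential")
        if issues:
            findings[name] = issues
    return findings
```

Run it against the real shiro.ini before restarting Zeppelin; every account it lists is a login that works without any Kerberos or LDAP check at all.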