@zeltovhorton
Last active November 8, 2016 17:28
How to set up a multi-user Zeppelin (Active Directory backed, LDAP-integrated) that runs notebooks through the Livy REST server.

Pre-requisites:

Set up the LDAP/AD integration for Ambari using this lab (Enable Active Directory Authentication for Ambari): https://github.com/HortonworksUniversity/Security_Labs#lab-1

If the AD server uses a self-signed certificate, download that SSL certificate to the host where Zeppelin is running:

mkdir -p /etc/security/certificates

Store the certificate in that directory.

Import the certificate into the JDK truststore (the cacerts file of the JDK Zeppelin runs on) so that Zeppelin's JVM trusts the self-signed certificate on the LDAPS connection; keytool prompts for the truststore password on import.

cd /etc/security/certificates  
keytool -import -alias sampledcfieldcloud -file ad01.your.domain.name.cer -keystore /usr/jdk64/jdk1.8.0_77/jre/lib/security/cacerts
keytool -list -v -keystore /usr/jdk64/jdk1.8.0_77/jre/lib/security/cacerts | grep sampledcfieldcloud

Create an HDFS home directory for the user who will log in (hadoopadmin in this example):

hdfs dfs -mkdir /user/hadoopadmin
hdfs dfs -chown hadoopadmin:hdfs /user/hadoopadmin

Enable multi-user Zeppelin: in Ambari, open Zeppelin Notebook -> Configs,

expand Advanced zeppelin-env and find the shiro.ini entry. Below is a configuration that works with our sampledcfield cloud.

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
#admin = password1
#user1 = password2, role1, role2
#user2 = password3, role3
#user3 = password4, role2

# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = CN=binduser,OU=ServiceUsers,DC=sampledcfield,DC=hortonworks,DC=com
activeDirectoryRealm.systemUsername = binduser
# Bind password in clear text; the hadoopSecurityCredentialPath line below is the
# alternative that keeps it in a JCEKS credential store instead of this file.
activeDirectoryRealm.systemPassword = xxxxxx
activeDirectoryRealm.principalSuffix = @your.domain.name
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
activeDirectoryRealm.searchBase = DC=sampledcfield,DC=hortonworks,DC=com

activeDirectoryRealm.url = ldaps://ad01.your.domain.name:636
activeDirectoryRealm.groupRolesMap = "CN=hadoop-admins,OU=CorpUsers,DC=sampledcfield,DC=hortonworks,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true


sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hours
securityManager.sessionManager.globalSessionTimeout = 86400000

#ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
#ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=example,dc=com
#ldapRealm.contextFactory.url = ldap://ldaphost:389
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE
#sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#securityManager.sessionManager = $sessionManager
#securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# Shiro applies the FIRST pattern that matches a request, so the catch-all /**
# line must stay last; placed above the /api/... entries it would shadow them.
# /** = authc enforces login for everything not listed above it; uncomment
# /** = anon (and comment /** = authc) only to allow anonymous access.
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
#/** = anon
/** = authc
#/** = authcBasic
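The [urls] section is the part of this file that decides who may touch the interpreter, credential and configuration APIs, and Shiro evaluates it top to bottom, applying only the first pattern that matches the request path. The following Python script is an added example (not part of the gist, and not Shiro's own code) that models that first-match rule over a constructed copy of the [urls] section above, checks a few request paths against it, and flags entries that an earlier catch-all would shadow. The Ant-style pattern matching and the anon/authc/roles filters are a simplified re-implementation; the loginUrl exemption that the real authc filter grants is deliberately not modelled.

```python
import configparser
import re

# Constructed copy of the [urls] section from the shiro.ini above.
SHIRO_INI = """
[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/** = authc
"""

# Same entries with the catch-all moved to the top: a constructed misconfiguration.
MISORDERED_INI = """
[urls]
/** = authc
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
"""


def parse_url_chains(ini_text):
    """Return the [urls] entries, in file order, as (pattern, [filter, ...]) pairs."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep keys exactly as written (no lowercasing)
    cp.read_string(ini_text)
    return [(pattern, [f.strip() for f in filters.split(",")])
            for pattern, filters in cp["urls"].items()]


def ant_to_regex(pattern):
    """Translate a Shiro/Ant path pattern: '**' spans path segments, '*' stays within one."""
    out = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(/.*)?"  # '/foo/**' also matches '/foo' itself
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def authorize(chains, path, user=None, roles=()):
    """Apply the FIRST matching chain, as Shiro does; returns (decision, matched_pattern)."""
    for pattern, filters in chains:
        if not ant_to_regex(pattern).match(path):
            continue
        for f in filters:
            if f == "anon":
                continue  # anonymous access: nothing to check
            if f in ("authc", "authcBasic"):
                if user is None:
                    return ("login-required", pattern)
            elif f.startswith("roles[") and f.endswith("]"):
                required = [r.strip() for r in f[len("roles["):-1].split(",")]
                if not all(r in roles for r in required):
                    return ("forbidden", pattern)
            else:
                raise ValueError("filter not modelled: " + f)
        return ("allow", pattern)
    return ("allow", None)  # no chain matched: Shiro applies no filter at all


def shadowed_entries(chains):
    """Patterns that can never match because an earlier, broader pattern captures their paths."""
    shadowed = []
    for i, (pattern, _) in enumerate(chains):
        sample = pattern.replace("**", "x/y").replace("*", "x")  # one concrete path for the pattern
        if any(ant_to_regex(earlier).match(sample) for earlier, _ in chains[:i]):
            shadowed.append(pattern)
    return shadowed


if __name__ == "__main__":
    chains = parse_url_chains(SHIRO_INI)
    print(authorize(chains, "/api/interpreter/setting", user="hadoopadmin", roles=("admin",)))
    print(authorize(chains, "/api/interpreter/setting", user="alice"))
    print("shadowed in misordered file:", shadowed_entries(parse_url_chains(MISORDERED_INI)))
```

With the file as written, a logged-in user without the admin role is refused on /api/interpreter/**, while in the misordered variant the same request is accepted by the catch-all before the role check is ever reached; shadowed_entries reports exactly the four entries that the leading /** makes unreachable.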

Grant Livy the ability to impersonate users

Use Ambari to add the following proxyuser properties to core-site.xml. A value of * lets the livy service user impersonate members of any group from any host; where the deployment allows, narrow these to the Zeppelin host and the groups that actually use Livy.

<property>
  <name>hadoop.proxyuser.livy.groups</name>
  <value>*</value>
</property>


<property>
  <name>hadoop.proxyuser.livy.hosts</name>
  <value>*</value>
</property>

Restart HDFS and YARN after this update so that the NameNode and ResourceManager pick up the new proxyuser settings.

After running a Livy paragraph in the notebook, make sure the YARN application list shows the logged-in Zeppelin user (hadoopadmin here) as the user running the Livy session. You should see two applications running in YARN: the livy-session-X owned by that user and the Zeppelin application itself:

application_1478287338271_0003	hadoopadmin	livy-session-0
application_1478287338271_0002	zeppelin	Zeppelin
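The check behind those two lines is the one that tells you whether impersonation is actually in effect: a livy-session-* application owned by the livy (or zeppelin) service account instead of the logged-in user means the proxyuser grant was not picked up. The script below is an added example, not part of the gist, that parses a listing in the tab-separated id/user/name layout shown above (an assumption about the layout; the two sample lines are constructed from the output above, the failing listing is constructed for illustration) and reports any session not running as the expected user.

```python
# Constructed sample in the column order shown above: application id, user, name.
YARN_LISTING = """application_1478287338271_0003\thadoopadmin\tlivy-session-0
application_1478287338271_0002\tzeppelin\tZeppelin
"""

# Constructed listing for the failure case: the Livy session runs as the livy
# service user, which is what you see when the proxyuser grant is not in effect.
YARN_LISTING_NO_IMPERSONATION = """application_1478287338271_0005\tlivy\tlivy-session-1
application_1478287338271_0004\tzeppelin\tZeppelin
"""


def parse_listing(text):
    """Parse tab-separated 'id<TAB>user<TAB>name' lines into dicts (blank/short lines skipped)."""
    apps = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 3:
            continue
        apps.append({"id": fields[0], "user": fields[1], "name": fields[2]})
    return apps


def check_impersonation(apps, logged_in_user, service_users=("livy", "zeppelin")):
    """Return findings (empty when OK): every livy-session-* app must run as the login user."""
    findings = []
    sessions = [a for a in apps if a["name"].startswith("livy-session-")]
    if not sessions:
        findings.append("no livy-session-* application found; the Livy interpreter never started a session")
    for a in sessions:
        if a["user"] != logged_in_user:
            why = " (service account: proxyuser grant not in effect)" if a["user"] in service_users else ""
            findings.append(f"{a['id']} {a['name']} runs as {a['user']}, expected {logged_in_user}{why}")
    return findings


if __name__ == "__main__":
    for label, listing in (("ok", YARN_LISTING), ("broken", YARN_LISTING_NO_IMPERSONATION)):
        print(label, check_impersonation(parse_listing(listing), "hadoopadmin"))
```

Feed it the id/user/name columns of the real YARN application list and the user you logged into Zeppelin as; an empty result means the session is running under that user.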

Troubleshooting: tail the Zeppelin server log and the Livy interpreter log:

tail -f /var/log/zeppelin/zeppelin-zeppelin-az1secure0.log
tail -f /var/log/zeppelin/zeppelin-interpreter-livy-zeppelin-az1secure0.log

References:

https://zeppelin.apache.org/docs/0.6.0/interpreter/livy.html#faq
http://dev.hortonworks.com.s3.amazonaws.com/HDPDocuments/HDP2/HDP-2-trunk/bk_command-line-installation/content/ch21s07s02.html
http://dev.hortonworks.com.s3.amazonaws.com/HDPDocuments/HDP2/HDP-2-trunk/bk_command-line-installation/content/configuring_zep.html
