# EMR 021 Zeppelin with Active Directory Authentication - qyjohn/AWS_Tutorials GitHub Wiki
This is a step-by-step procedure to set up Zeppelin on EMR to authenticate against AWS Managed Microsoft Active Directory.
## Created an AWS Managed Active Directory
This was done following this particular AWS documentation.
The AWS Managed Active Directory has the following DNS name and DNS addresses. I have a private hosted zone in Route53, which is associated with my VPC. I updated the records in the private hosted zone so that this particular domain name ad.qyjohn.net can be properly resolved in the VPC.
The DNS Name: ad.qyjohn.net
DNS Addresses: 192.168.0.141, 192.168.1.177
## Created an EC2 instance running Windows

The EC2 instance automatically joined the domain. This was done following this particular AWS documentation.

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html

RDP into the Windows instance with username Admin and the administrator password for the AWS Managed Active Directory. Install the Active Directory administration tools using Windows PowerShell:

```powershell
Install-WindowsFeature RSAT-ADDS
```
## Created Test User
This was done following this particular AWS documentation. The user logon name is [email protected].
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_manage_users_groups.html
## Quick LDAP Test

Launch an EMR cluster with EMR-5.30.1, with Zeppelin installed. SSH into the master node and confirm that ldapsearch works against the directory:

```bash
sudo yum install openldap-clients
ldapsearch -H ldap://ad.qyjohn.net -x -W -D "[email protected]" -b "dc=ad,dc=qyjohn,dc=net"
```
## Create shiro.ini

```bash
cd /etc/zeppelin/conf
sudo cp shiro.ini.template shiro.ini
```
Edit shiro.ini and comment out the [users] section. In the [main] section, use the following configuration:

```ini
[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = Admin
activeDirectoryRealm.systemPassword = MyVeryStrongPasswordHere
activeDirectoryRealm.searchBase = CN=Users,DC=ad,DC=qyjohn,DC=net
activeDirectoryRealm.url = ldap://ad.qyjohn.net:389
activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=ad,DC=qyjohn,DC=net":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
```
## Restart Zeppelin

```bash
sudo service zeppelin stop
sudo service zeppelin start
```
With these configurations, I was able to log in to Zeppelin with AD user [email protected]. It should be noted that I was using "[email protected]" as the user name.
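As an added example (not part of the original wiki page or of Zeppelin itself), the following Python script sanity-checks a shiro.ini against the setup above before Zeppelin is restarted: it confirms the ActiveDirectoryGroupRealm class, parses groupRolesMap into a DN-to-role map, reports any [users] entries that were not commented out (they would remain valid local logins alongside AD), and flags a plain ldap:// bind URL, since a simple bind over port 389 sends the system password unencrypted. The sample configuration is constructed inline from the page's [main] block plus one leftover [users] line.

```python
"""Sanity-check a Zeppelin shiro.ini for the ActiveDirectoryGroupRealm setup."""
import configparser
import re

# Constructed sample: the [main] block from this page plus a leftover [users] entry.
SAMPLE_SHIRO_INI = """
[users]
admin = password1, admin

[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = Admin
activeDirectoryRealm.systemPassword = MyVeryStrongPasswordHere
activeDirectoryRealm.searchBase = CN=Users,DC=ad,DC=qyjohn,DC=net
activeDirectoryRealm.url = ldap://ad.qyjohn.net:389
activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=ad,DC=qyjohn,DC=net":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
"""

EXPECTED_REALM = "org.apache.zeppelin.realm.ActiveDirectoryGroupRealm"


def parse_group_roles_map(value):
    """Turn '"DN":"role", "DN2":"role2"' into a {DN: role} dict."""
    return {dn: role for dn, role in re.findall(r'"([^"]+)"\s*:\s*"([^"]+)"', value)}


def check_shiro_ini(text):
    """Return (findings, roles): findings is a list of strings, empty when all checks pass."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. searchBase
    cp.read_string(text)
    findings = []
    main = cp["main"] if cp.has_section("main") else {}
    if main.get("activeDirectoryRealm", "") != EXPECTED_REALM:
        findings.append("activeDirectoryRealm is not " + EXPECTED_REALM)
    url = main.get("activeDirectoryRealm.url", "")
    if not url.startswith("ldaps://"):
        findings.append("bind URL %r is not LDAPS; simple bind sends the system password unencrypted" % url)
    if cp.has_section("users") and len(cp["users"]) > 0:
        findings.append("[users] section still defines local accounts: " + ", ".join(cp["users"]))
    roles = parse_group_roles_map(main.get("activeDirectoryRealm.groupRolesMap", ""))
    if "admin" not in roles.values():
        findings.append("no AD group in groupRolesMap is mapped to the admin role")
    if main.get("activeDirectoryRealm.authorizationCachingEnabled", "").lower() != "false":
        findings.append("authorizationCachingEnabled is not false")
    return findings, roles


if __name__ == "__main__":
    for finding in check_shiro_ini(SAMPLE_SHIRO_INI)[0]:
        print("FINDING:", finding)
```

Run it against the real file with `check_shiro_ini(open("/etc/zeppelin/conf/shiro.ini").read())`; for the page's own configuration it reports only the plain ldap:// URL.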