Zeppelin - stanislawbartkowski/hdpactivedirectory GitHub Wiki
Zeppelin
Zeppelin is a web-based notebook for interactive data analysis. By default, users and their passwords are declared in plain text in the [users] section of the shiro.ini configuration.
Prerequisites for non-secure AD/LDAP
Follow the Hortonworks guide: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_zeppelin-component-guide/content/config-secure-prod-ad.html
Make sure that the LDAP connection to AD is working: https://github.com/stanislawbartkowski/hdpactivedirectory/wiki/Knox#prerequisites-for-active-directoryldap-authentication
Collect all necessary data:
| Information | Shiro configuration key | Example |
|---|---|---|
| Active Directory CA certificate for secure LDAP | (not a Shiro key; imported into the JVM truststore, see "Enable Zeppelin for secure AD connection") | /root/ad.cert |
| AD container for user | activeDirectoryRealm.searchBase | CN=centos,DC=fyre,DC=net |
| AD/LDAP URL | activeDirectoryRealm.url | ldap://verse1.fyre.net |
| AD group (DN) and the Zeppelin role it maps to | activeDirectoryRealm.groupRolesMap | "CN=centos,DC=fyre,DC=net":"admin" |
| AD read-only bind account to scan users and groups container | activeDirectoryRealm.systemUsername | CN=hadoopsearch,CN=centos,DC=fyre,DC=net |
| AD read-only bind account password | activeDirectoryRealm.systemPassword | ***** |
Configure Zeppelin for AD authentication
Prepare the shiro.ini configuration. The shiro.ini panel is at: Ambari console -> Zeppelin -> Configs -> Advanced zeppelin-shiro-ini
# authentication settings
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldap://verse1.fyre.net
activeDirectoryRealm.searchBase = CN=centos,DC=fyre,DC=net
activeDirectoryRealm.groupRolesMap = "CN=centos,DC=fyre,DC=net":"admin"
activeDirectoryRealm.systemUsername=CN=hadoopsearch,CN=centos,DC=fyre,DC=net
activeDirectoryRealm.systemPassword=******
# general settings
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
Remove the existing content of the [users] section (local accounts with plain-text passwords) and replace the content of the [main] section with the settings above. In the [urls] section make sure that the line /** = anon is commented out and the line /** = authc is active, so that every request requires a login:
#/** = anon
/** = authc
Restart Zeppelin.
Test
Log on to Zeppelin using AD credentials.

Troubleshooting
Browse the Zeppelin log files for more detailed information:
cd /var/log/zeppelin
Enable Zeppelin for secure AD connection
With ldap:// the bind password and every user's login password cross the network in clear text, so use it only for the initial test. Make sure that AD can be queried over the LDAPS port (636 by default). Import the AD CA certificate into the JVM truststore on the host where Zeppelin is installed: https://github.com/stanislawbartkowski/hdpactivedirectory/wiki/Knox#knox-and-secure-ldap-ad-connection Then modify the LDAP URL; the only difference is the ldaps scheme.
activeDirectoryRealm.url = ldaps://verse1.fyre.net
Restart Zeppelin and test authentication again.
Secure bind user AD password
No one likes a password exhibited in plain text. The bind password can be stored in a Hadoop credential keystore instead and referenced from shiro.ini. As the root user, obtain the hdfs Kerberos ticket:
kinit -kt /etc/security/keytabs/hdfs.headless.keytab {hdfs principal}
hadoop credential create activeDirectoryRealm.systemPassword -provider jceks://file/etc/zeppelin/conf/credentials.jceks
Enter password:
Enter password again:
activeDirectoryRealm.systemPassword has been successfully created.
org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
chown zeppelin:zeppelin /etc/zeppelin/conf/credentials.jceks
chmod 400 /etc/zeppelin/conf/credentials.jceks
In Advanced zeppelin-shiro-ini panel, replace
activeDirectoryRealm.systemPassword={plain text password}
with
activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/etc/zeppelin/conf/credentials.jceks
Restart Zeppelin and test again.
Enable SSL/TLS connection
Use a self-signed or a CA-signed certificate. A self-signed certificate encrypts the traffic but browsers cannot verify the server identity and will warn; a CA-signed certificate additionally makes the service trusted.
Generate a self-signed certificate. When keytool prompts for "first and last name", enter the host name users will type in the URL (here a1.fyre.ibm.com), otherwise the certificate will not match the site even after it is trusted.
keytool -genkey -keyalg RSA -alias zeppelin -keystore zeppelin-keystore.jks -validity 365 -keysize 2048
keytool -list -v -keystore zeppelin-keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: zeppelin
Creation date: 2019-02-13
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=a1.fyre.ibm.com, OU=Zeppelin, O=Zeppelin, L=Zeppelin, ST=Zeppelin, C=XX
Issuer: CN=a1.fyre.ibm.com, OU=Zeppelin, O=Zeppelin, L=Zeppelin, ST=Zeppelin, C=XX
Serial number: 28962d54
.........
mv zeppelin-keystore.jks /etc/zeppelin/conf/
chmod 600 /etc/zeppelin/conf/zeppelin-keystore.jks
chown zeppelin:zeppelin /etc/zeppelin/conf/zeppelin-keystore.jks
In Ambari->Zeppelin->Configs-> Advanced zeppelin-site enter the following configuration parameters
| Parameter | Value |
|---|---|
| zeppelin.ssl | true |
| zeppelin.ssl.key.manager.password | **** |
| zeppelin.ssl.keystore.password | *** |
| zeppelin.ssl.keystore.path | /etc/zeppelin/conf/zeppelin-keystore.jks |

Restart Zeppelin. Open the Zeppelin UI using a secure connection, for instance: https://a1.fyre.ibm.com:9995 Network traffic is encrypted but the browser still reports the site as "not secure" because the server certificate is self-signed.
PAM authentication for Zeppelin
Assuming CentOS or RedHat hosts that are joined to the Active Directory domain, it is also possible to enable PAM authentication in Zeppelin. PAM authentication covers both local Linux users and Active Directory users. The pamRealm.service value names the PAM service file in /etc/pam.d that Zeppelin authenticates against; sshd reuses the rules already applied to SSH logins. To enable PAM, go to the Advanced zeppelin-shiro-ini panel and replace its content with the following, keeping only the PAM realm and the session settings:
[main]
### A sample PAM configuration
pamRealm=org.apache.zeppelin.realm.PamRealm
pamRealm.service=sshd
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
### If caching of user is required then uncomment below lines
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
#Uncomment the line below when running Zeppelin-Server in HTTPS mode
#cookie.secure = true
cookie.httpOnly = true
sessionManager.sessionIdCookie = $cookie
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[urls]
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
#/api/interpreter/** = authc, roles[admin]
#/api/configurations/** = authc, roles[admin]
#/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc
If Zeppelin runs over HTTPS (see "Enable SSL/TLS connection"), also uncomment cookie.secure = true so the session cookie is never sent over plain HTTP. Save and restart Zeppelin.
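The [urls] rules above, the [users] clean-up in "Configure Zeppelin for AD authentication" and the bind-password keystore in "Secure bind user AD password" are easy to get wrong in a large shiro.ini panel. The following audit script is an added example written for this page (not code from the wiki or from Zeppelin/Shiro); it parses a shiro.ini the way Shiro reads it (commented lines ignored, first matching [urls] pattern wins) and reports the weak settings the page tells you to fix. Both sample configurations inside it are constructed for the example; the hostname, bind DN and passwords are placeholders, and the checks it performs are this example's own, not a Zeppelin feature.

```python
"""Audit a Zeppelin shiro.ini for the weak settings this wiki page tells you
to remove or change. Added example for the page, not Zeppelin/Shiro code;
standard library only. Sample configs below are constructed, with placeholder
host names, DNs and passwords."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, explanation)

# Constructed: the AD realm as first configured on this page, left weak.
WEAK_SHIRO_INI = """\
[users]
admin = not-a-real-password, admin

[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldap://verse1.fyre.net
activeDirectoryRealm.systemUsername=CN=hadoopsearch,CN=centos,DC=fyre,DC=net
activeDirectoryRealm.systemPassword=not-a-real-password
#cookie.secure = true

[urls]
/api/version = anon
#/api/interpreter/** = authc, roles[admin]
/** = anon
#/** = authc
"""

# Constructed: the same realm after the hardening steps on this page.
HARDENED_SHIRO_INI = """\
[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldaps://verse1.fyre.net
activeDirectoryRealm.systemUsername=CN=hadoopsearch,CN=centos,DC=fyre,DC=net
activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/etc/zeppelin/conf/credentials.jceks
cookie.secure = true

[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
"""

ADMIN_APIS = ("/api/interpreter/**", "/api/configurations/**", "/api/credential/**")


def parse_shiro_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INI reader: skips commented-out lines and keeps entries in file
    order, because Shiro applies the first [urls] pattern that matches."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split on the first '=' only; DNs contain more
            sections[current].append((key.strip(), value.strip()))
    return sections


def audit_shiro_ini(text: str, https: bool = False) -> List[Finding]:
    """Return the weak settings found; an empty list means every check passed."""
    sections = parse_shiro_ini(text)
    main = sections.get("main", [])
    findings: List[Finding] = []

    for key, value in main:
        if key.endswith(".url") and value.lower().startswith("ldap://"):
            findings.append(("LDAP_CLEARTEXT", f"{key} uses ldap://; bind and user passwords cross the network unencrypted, use ldaps://"))
        if key.endswith(".systemPassword"):
            findings.append(("BIND_PASSWORD_PLAINTEXT", f"{key} is in clear text; move it to a jceks keystore (hadoopSecurityCredentialPath)"))

    if sections.get("users"):
        findings.append(("LOCAL_USERS", f"[users] still declares {len(sections['users'])} account(s) with passwords in shiro.ini"))

    if https:
        secure = [v for k, v in main if k == "cookie.secure"]
        if not secure or secure[-1].lower() != "true":
            findings.append(("COOKIE_NOT_SECURE", "HTTPS is on but cookie.secure is not true; the session cookie may leak over plain HTTP"))

    urls = sections.get("urls", [])
    # First match wins in Shiro, so look at the first /** rule, not the last.
    catch_all = next((v for k, v in urls if k == "/**"), None)
    if catch_all is None or catch_all.split(",")[0].strip() != "authc":
        findings.append(("URLS_NOT_PROTECTED", "no active '/** = authc' rule: unmatched paths are served without authentication"))
    restricted = {k for k, v in urls if "roles[admin]" in v}
    for path in ADMIN_APIS:
        if path not in restricted:
            findings.append(("ADMIN_API_OPEN", f"{path} is not limited to roles[admin]; any authenticated user can reach it"))
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_SHIRO_INI), ("hardened", HARDENED_SHIRO_INI)):
        print(f"== {name} ==")
        for code, message in audit_shiro_ini(ini, https=True) or [("OK", "no findings")]:
            print(f"{code}: {message}")
```

Run it against the real file with the text of the Advanced zeppelin-shiro-ini panel and https=True once "Enable SSL/TLS connection" is done; the weak sample produces one finding per shortcut the page warns about, while the hardened sample is clean. The first-match rule matters in practice: an /** = anon line left uncommented above /** = authc silently disables authentication even though the authc line is present.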