Zeppelin Login with Demo LDAP of Knox

With the introduction of ZEPPELIN-548, Zeppelin supports Apache Shiro based AD and LDAP authentication. This quick example demonstrates connecting Zeppelin to the Knox Demo LDAP server.

Start Demo LDAP

Knox comes with a Demo LDAP server provisioned with sample principals for validation use cases. It can be started via Ambari:

(Screenshot: starting the Demo LDAP from the Knox service in Ambari)

Instead of using Ambari, the Demo LDAP server can also be started with the ldap.sh script that ships with Knox:

The Demo LDAP is provisioned with multiple sample users and their passwords (for example the user sam with the password sam-password):

After starting the Demo LDAP server we can log in to Zeppelin with any of these users and passwords.

Configure Zeppelin

Zeppelin uses Apache Shiro for user authentication. To activate it, anonymous login has to be disabled and one of the provided Shiro realms has to be configured. Currently two realms are provided, an LDAP realm and an Active Directory realm. For this example we configure the ldapRealm to use the Knox Demo LDAP:

Authentication alone works with the user's own bind. For authorization (looking up group membership to derive roles) a bind user is additionally required. You can use the following setting:

Additionally, Zeppelin needs to be configured to disallow anonymous login. In Ambari:

(Screenshot: zeppelin.anonymous.allowed set to false in the Zeppelin configuration)

Or in conf/zeppelin-site.xml:

After restarting Zeppelin you can log in with, for example, the user sam and the password sam-password.
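The pieces of this section as one complete configuration, added here as an example and not taken from the post or from Zeppelin's own shipped files: a small shell script that renders conf/shiro.ini for the Knox Demo LDAP (user bind only, or with the guest account as bind user so group lookups for roles work; a third mode renders the Active Directory realm discussed further down, with hypothetical domain values), emits the zeppelin.anonymous.allowed property for conf/zeppelin-site.xml, and reads that property back so you can confirm anonymous login is actually off. It assumes the Knox Demo LDAP defaults (ldap://localhost:33389, base DN dc=hadoop,dc=apache,dc=org, user guest with password guest-password) and the Zeppelin 0.6.x realm class and property names.

```shell
#!/bin/sh
# Added example, not code from the original post or from Zeppelin/Knox:
# render Zeppelin's conf/shiro.ini for the Knox Demo LDAP in two variants
# (user bind only, or with a system bind user for group lookups), plus the
# zeppelin-site.xml property that disables anonymous login, and a checker
# that reads that property back. Assumptions: Knox Demo LDAP defaults
# (ldap://localhost:33389, base dc=hadoop,dc=apache,dc=org, guest bind
# account) and Zeppelin 0.6.x realm and property names.

LDAP_URL="${LDAP_URL:-ldap://localhost:33389}"
BASE_DN="${BASE_DN:-dc=hadoop,dc=apache,dc=org}"

# shiro_ini MODE
#   user   - each login binds with its own DN; authentication only, no roles
#   system - adds a bind user so LdapGroupRealm can search groups for roles
#   ad     - Active Directory realm; the UPN search is built in, only base/bind are set
shiro_ini() {
  mode="$1"
  echo "[main]"
  case "$mode" in
    user|system)
      cat <<EOF
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
ldapRealm.contextFactory.url = $LDAP_URL
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
# {0} is replaced by the login name; every user must live directly under ou=people
ldapRealm.userDnTemplate = uid={0},ou=people,$BASE_DN
# where LdapGroupRealm searches for group entries
ldapRealm.contextFactory.environment[ldap.searchBase] = $BASE_DN
EOF
      if [ "$mode" = "system" ]; then
        cat <<EOF
# bind user for group lookups; the Knox Demo LDAP ships guest/guest-password
ldapRealm.contextFactory.systemUsername = uid=guest,ou=people,$BASE_DN
ldapRealm.contextFactory.systemPassword = guest-password
EOF
      fi
      ;;
    ad)
      cat <<EOF
# hypothetical AD values; replace with your domain's bind account and search base
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ${AD_URL:-ldap://ad.example.com:389}
activeDirectoryRealm.systemUsername = ${AD_BIND_USER:-zeppelin-bind@example.com}
activeDirectoryRealm.systemPassword = ${AD_BIND_PASSWORD:-change-me}
activeDirectoryRealm.searchBase = ${AD_SEARCH_BASE:-CN=Users,DC=example,DC=com}
activeDirectoryRealm.groupRolesMap = "CN=zeppelin-admins,CN=Users,DC=example,DC=com":"admin"
EOF
      ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  # session handling and URL filters: everything except the version endpoint
  # requires an authenticated Shiro session
  cat <<'EOF'
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[urls]
/api/version = anon
/** = authc
EOF
}

# the property to add to conf/zeppelin-site.xml (Zeppelin defaults it to true)
zeppelin_site_property() {
  cat <<'EOF'
<property>
  <name>zeppelin.anonymous.allowed</name>
  <value>false</value>
  <description>Anonymous user allowed by default</description>
</property>
EOF
}

# anonymous_allowed FILE -- print the configured value of zeppelin.anonymous.allowed
# (expects <value>..</value> on one line, as in Zeppelin's template), or "true",
# Zeppelin's default, when the property is absent
anonymous_allowed() {
  v=$(awk '/<name>zeppelin.anonymous.allowed<\/name>/ { found = 1 }
           found && match($0, /<value>[^<]*<\/value>/) {
             print substr($0, RSTART + 7, RLENGTH - 15); exit }' "$1")
  printf '%s\n' "${v:-true}"
}

# render into $ZEPPELIN_CONF (a scratch dir unless given) and show the XML to merge
ZEPPELIN_CONF="${ZEPPELIN_CONF:-$(mktemp -d)}"
shiro_ini "${BIND_MODE:-system}" > "$ZEPPELIN_CONF/shiro.ini"
echo "wrote $ZEPPELIN_CONF/shiro.ini; merge this into $ZEPPELIN_CONF/zeppelin-site.xml:"
zeppelin_site_property
```

Run it with BIND_MODE=user, system or ad and ZEPPELIN_CONF pointing at Zeppelin's conf directory. In the [urls] section /api/version is the only endpoint left anonymous; everything else requires a Shiro session. After restarting Zeppelin, if the login page still does not appear, check what anonymous_allowed reports for the zeppelin-site.xml Zeppelin actually loads (with Ambari that is the managed copy, not a hand-edited one).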

Zeppelin start page after authentication setup:

(Screenshot: Zeppelin login page)

Login with user sam:

(Screenshots: login dialog for sam and the start page after login)

LDAP Search

Currently users are located via a DN (Distinguished Name) template for LDAP. A user can only be authenticated if applying the template to the login name yields exactly that user's DN in the directory. For our demo we can use the following template:

where {0} is replaced with the login user name.

For our Demo LDAP this works fine as all users are directly below ou=people in the directory. This is not always the case for complex enterprise directories, where users are spread over several organizational units. The AD realm instead uses a search based on the userPrincipalName (UPN) to find the user.

LDAP Bind User Authentication

So far we used a user bind, which is sufficient for authentication: the realm binds to the directory with the user's own DN and password. To make roles and authorization work, a bind (system) user is required, so that the realm can search the directory for group membership. Specifying a bind user is possible for the LDAP realm as well. For this use:
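To make the DN template of the previous section and the two bind modes of this one concrete, here is an added example (not from the post or from Zeppelin) that does by hand what the realm does: it substitutes the login name into the template, escaping the characters RFC 4514 reserves so that a login such as sam,ou=admins stays a single attribute value, then verifies the result against the Demo LDAP with ldapwhoami (user bind, as the realm does for authentication) and with ldapsearch under the guest bind user (what a system bind makes possible: finding a user's entry and group memberships without the user's password). It assumes the Knox defaults ldap://localhost:33389, users under ou=people,dc=hadoop,dc=apache,dc=org and guest/guest-password as bind account, and the OpenLDAP client tools.

```shell
#!/bin/sh
# Added example, not from the original post or from Zeppelin/Knox: resolve a login
# name through a Shiro-style userDnTemplate (with RFC 4514 escaping of the value)
# and check the result against the Knox Demo LDAP with the OpenLDAP client tools,
# once with the user's own bind and once with the guest system bind.
# Assumptions: Knox defaults ldap://localhost:33389, users under
# ou=people,dc=hadoop,dc=apache,dc=org, guest/guest-password as bind account.

LDAP_URL="${LDAP_URL:-ldap://localhost:33389}"
BASE_DN="${BASE_DN:-dc=hadoop,dc=apache,dc=org}"
USER_DN_TEMPLATE="uid={0},ou=people,$BASE_DN"

# escape_rdn_value VALUE -- escape what RFC 4514 requires in an RDN value:
# \ , + " < > ; anywhere, # at the start, space at the start or end. Applied to the
# login name, the template result can only differ in that one attribute value,
# never in the number or order of DN components.
escape_rdn_value() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' \
    -e 's/,/\\,/g' -e 's/+/\\+/g' -e 's/"/\\"/g' \
    -e 's/</\\</g' -e 's/>/\\>/g' -e 's/;/\\;/g' \
    -e 's/ $/\\ /' -e 's/^ /\\ /' -e 's/^#/\\#/'
}

# user_dn LOGIN -- the realm's userDnTemplate step: substitute {0} with the login name
user_dn() {
  prefix="${USER_DN_TEMPLATE%%\{0\}*}"
  suffix="${USER_DN_TEMPLATE#*\{0\}}"
  printf '%s\n' "${prefix}$(escape_rdn_value "$1")${suffix}"
}

# bind_as_user LOGIN PASSWORD -- what the user-bind realm does: bind with the resolved
# DN and the supplied password; prints the bound identity (dn:...) on success
bind_as_user() {
  ldapwhoami -x -H "$LDAP_URL" -D "$(user_dn "$1")" -w "$2"
}

# search_as_system LOGIN -- what the system bind adds: find the user's entry and the
# groups listing it as member, without knowing the user's password. The filter value
# is passed through unescaped, so only use plain login names here.
search_as_system() {
  ldapsearch -x -LLL -H "$LDAP_URL" \
    -D "uid=guest,ou=people,$BASE_DN" -w guest-password \
    -b "$BASE_DN" "(|(uid=$1)(member=$(user_dn "$1")))" dn
}

# live checks only when asked for, so the functions can be sourced without a server
if [ "${RUN_LIVE_CHECK:-0}" = "1" ]; then
  echo "template resolves to: $(user_dn sam)"
  bind_as_user sam sam-password
  search_as_system sam
fi
```

Start the Demo LDAP first (via Ambari, or with bin/ldap.sh start in the Knox installation), then run the script with RUN_LIVE_CHECK=1. If ldapwhoami already fails for the DN the template produces, the template and not Zeppelin is the problem. The substitution is purely textual: a user stored anywhere other than directly under ou=people is never found, which is the limitation of the template approach described above, and also why a system bind plus search is what the Active Directory realm uses instead.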

Connection with Active Directory

When connecting to an Active Directory, the userPrincipalName (UPN) is used to search for the user principal in the directory. At the moment the search pattern is hard coded and cannot be configured.

Further Readings

3 thoughts on “Zeppelin Login with Demo LDAP of Knox”

  1. Hi, which version of Zeppelin are you using here? I can't seem to get the LDAP working and I'm thinking maybe version 6.2 doesn't have the full functionality. Thanks.

  2. Thanks for the quick reply. My problem was that I was trying to use something other than the DN (example: sAMAccountName) for the userDnTemplate, which I think I can't do.
