With the introduction of ZEPPELIN-548, Zeppelin supports Apache Shiro based Active Directory (AD) and LDAP authentication. This quick example demonstrates connecting Zeppelin to the Knox Demo LDAP server.
Start Demo LDAP
Knox comes with a Demo LDAP server provisioned with sample principals for validation use cases. It can be started via Ambari:
Instead of starting the Demo LDAP server via Ambari, it can also be started with the ldap.sh script, which prints its usage when called without arguments:
# /usr/hdp/2.5.0.0-1245/knox/bin/ldap.sh
Usage: ./ldap.sh {start|stop|status|clean}
The Demo LDAP is provisioned with the following users and groups:
version: 1

# Please replace with site specific values
dn: dc=hadoop,dc=apache,dc=org
objectclass: organization
objectclass: dcObject
o: Hadoop
dc: hadoop

# Entry for a sample people container
# Please replace with site specific values
dn: ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people

# Entry for a sample end user
# Please replace with site specific values
dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Guest
sn: User
uid: guest
userPassword: guest-password

# entry for sample user admin
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Admin
sn: Admin
uid: admin
userPassword: admin-password

# entry for sample user sam
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: sam
sn: sam
uid: sam
userPassword: sam-password

# entry for sample user tom
dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: tom
sn: tom
uid: tom
userPassword: tom-password

# create FIRST Level groups branch
dn: ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
description: generic groups branch

# create the analyst group under groups
dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: groupofnames
cn: analyst
description: analyst group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org

# create the scientist group under groups
dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: groupofnames
cn: scientist
description: scientist group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
Once the Demo LDAP server is running, the users above and their passwords can be used to log in to Zeppelin.
Configure Zeppelin
Zeppelin uses Apache Shiro for user authentication. To activate it, anonymous login has to be disabled and one of the provided Shiro realms has to be configured in conf/shiro.ini. Currently two realms are shipped: an LDAP realm and an Active Directory realm. For this example we configure the ldapRealm against the Knox Demo LDAP:
[main]
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
ldapRealm.contextFactory.environment[ldap.searchBase] = dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.url = ldap://<knox_node>:33389
ldapRealm.userDnTemplate = uid={0},ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
shiro.loginUrl = /api/login

[urls]
#/** = anon
/** = authc
For authorization (resolving a user's group memberships to roles) a bind user is required. You can use the following setting:
ldapRealm.contextFactory.systemUsername = uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.systemPassword = sam-password
Additionally, Zeppelin needs to be configured to disallow anonymous login, either in the Zeppelin configuration in Ambari:
Or in conf/zeppelin-site.xml:
<property>
  <name>zeppelin.anonymous.allowed</name>
  <value>false</value>
</property>
After restarting Zeppelin you can log in, for example, as user sam with sam-password as the password.
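To check that the configuration produced by the steps above actually closes the notebook, here is a small audit script. It is an added example, not code from the original post or from Zeppelin or Shiro. It parses a shiro.ini and a zeppelin-site.xml given as strings and reports when anonymous login is not explicitly disabled, when the catch-all rule in [urls] is anon or missing (Shiro applies the first pattern that matches a request path, and a path without any match gets no Shiro filter), when an ldap:// URL combined with SIMPLE binds sends the login and bind passwords across the network in clear text (as the demo setup on port 33389 does), and when a bind password is stored in the file, which is expected when roles are needed but means the file must have restrictive permissions. The two sample configurations, the hostnames, the LDAPS port and the zeppelin-bind account are constructed for this example.

```python
"""Audit conf/shiro.ini and conf/zeppelin-site.xml for the settings this page changes.

Added example, not code from the original post or from Zeppelin/Shiro. Both files
are passed in as strings; the samples at the bottom are constructed for this example.
"""
import xml.etree.ElementTree as ET


def parse_shiro_ini(text):
    """Return {section: [(key, value), ...]} preserving order.

    Order matters in [urls]: Shiro applies the first pattern that matches the
    request path, so an active '/** = anon' ahead of '/** = authc' wins.
    Lines starting with '#' or ';' are comments, like '#/** = anon' above.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        sections[current].append((key.strip(), value.strip()))
    return sections


def anonymous_allowed(site_xml):
    """Value of zeppelin.anonymous.allowed as a bool, or None if the property is absent."""
    root = ET.fromstring(site_xml)
    for prop in root.iter("property"):
        if prop.findtext("name", "").strip() == "zeppelin.anonymous.allowed":
            return prop.findtext("value", "").strip().lower() == "true"
    return None


def audit(shiro_ini, site_xml):
    """Return the sorted finding codes for the two configuration files."""
    findings = set()
    ini = parse_shiro_ini(shiro_ini)
    main = dict(ini.get("main", []))
    urls = ini.get("urls", [])

    # 1. Anonymous login must be switched off explicitly; absent counts as not disabled.
    if anonymous_allowed(site_xml) is not False:
        findings.add("ANON_ALLOWED")

    # 2. The first '/**' rule decides for every path no earlier pattern matched.
    catch_all = next((chain for pattern, chain in urls if pattern == "/**"), None)
    if catch_all is None:
        findings.add("NO_CATCH_ALL")  # unmatched paths get no Shiro filter at all
    elif "anon" in [f.strip() for f in catch_all.split(",")]:
        findings.add("URL_ANON")

    # 3. ldap:// with a SIMPLE bind sends login and bind passwords in clear text.
    url = main.get("ldapRealm.contextFactory.url", "")
    mech = main.get("ldapRealm.contextFactory.authenticationMechanism", "SIMPLE")
    if url.lower().startswith("ldap://") and mech.upper() == "SIMPLE":
        findings.add("PLAIN_LDAP")

    # 4. A bind password in the file is expected, but the file then needs tight permissions.
    if main.get("ldapRealm.contextFactory.systemPassword"):
        findings.add("BIND_PASSWORD_IN_FILE")

    return sorted(findings)


# Constructed samples. WEAK_SHIRO is the page's [urls] block with the anon rule
# turned back on; HARDENED_SHIRO is the page's configuration over LDAPS with a
# dedicated bind account (hostnames, port and account are assumptions).
WEAK_SHIRO = """
[main]
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
ldapRealm.contextFactory.url = ldap://knox.example.internal:33389
ldapRealm.userDnTemplate = uid={0},ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.authenticationMechanism = SIMPLE

[urls]
/** = anon
#/** = authc
"""

HARDENED_SHIRO = """
[main]
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
ldapRealm.contextFactory.environment[ldap.searchBase] = dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.url = ldaps://ldap.example.internal:636
ldapRealm.userDnTemplate = uid={0},ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
ldapRealm.contextFactory.systemUsername = uid=zeppelin-bind,ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.systemPassword = changeit
shiro.loginUrl = /api/login

[urls]
#/** = anon
/** = authc
"""

SITE_ANON_TRUE = ("<configuration><property><name>zeppelin.anonymous.allowed</name>"
                  "<value>true</value></property></configuration>")
SITE_ANON_FALSE = SITE_ANON_TRUE.replace("true", "false")

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_SHIRO, SITE_ANON_TRUE))
    print("hardened:", audit(HARDENED_SHIRO, SITE_ANON_FALSE))
```

Run against the page's own shiro.ini and zeppelin-site.xml, the expected result for the demo is a single PLAIN_LDAP finding (plus BIND_PASSWORD_IN_FILE once the bind user is added); anything else means a step above was skipped.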
Zeppelin start page after authentication setup:
Login as user sam:
LDAP Search
Currently, users are located via a DN (Distinguished Name) template for LDAP. A user can only be resolved if the template, with the login name substituted, yields exactly that user's DN. For our demo we can use the following template:
uid={0},ou=people,dc=hadoop,dc=apache,dc=org
where {0} is being replaced with the login user name.
For our Demo LDAP this works fine because all users sit directly below ou=people. This is not always the case in complex enterprise directories, where users are spread across several organizational units or the login name is not part of the DN at all. The AD realm instead uses a search filter to find the user by its userPrincipalName (UPN).
LDAP Bind User Authentication
The configuration above authenticates by binding as the user itself, with the DN built from the template and the supplied password. That is sufficient for authentication. To resolve group memberships for roles and authorization, the realm needs its own bind user with search rights in the directory, which the LDAP realm also supports:
ldapRealm.contextFactory.systemUsername = uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.systemPassword = sam-password
Two caveats for anything beyond the demo: the bind password is stored in clear text in shiro.ini, so restrict read access to the file and use a dedicated, read-only directory account rather than a regular user such as sam; and with an ldap:// URL and SIMPLE authentication, both the bind password and every user's login password cross the network unencrypted, so a production directory should be reached over LDAPS.
Connection with Active Directory
When connecting to Active Directory, the userPrincipalName (UPN) is used to search for the user principal in the directory. At the moment the search filter is hard-coded and cannot be configured:
"(&(objectClass=*)(userPrincipalName=" + userPrincipalName + "))"
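The three lookup mechanisms discussed in this and the two previous sections (DN template, attribute search, and group resolution through a bind user) can be tried offline. The following is an added example, not code from the original post or from Zeppelin or Shiro. It loads a subset of the demo LDIF shown above into an in-memory dictionary, resolves a login name with the Zeppelin DN template, resolves it instead with a UPN search of the kind the AD filter above asks the server to perform, and lists a user's groupOfNames memberships the way a bind user would. The entry uid=eve under ou=contractors and all userPrincipalName values are constructed (the Knox demo data has neither); the substituted values are escaped per RFC 4514 (DN) and RFC 4515 (filter), as any code that places a login name into a DN or filter must.

```python
"""DN-template lookup, UPN search and group resolution against the demo LDIF.

Added example, not code from the original post or from Zeppelin/Shiro. The
uid=eve entry and every userPrincipalName below are constructed for this example.
"""
import re

# Subset of the Knox Demo LDAP data shown on the page, plus a constructed user
# outside ou=people to show where a DN template stops working.
DEMO_LDIF = """
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: inetOrgPerson
uid: sam
userPrincipalName: sam@hadoop.apache.org

dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: inetOrgPerson
uid: tom
userPrincipalName: tom@hadoop.apache.org

dn: uid=eve,ou=contractors,dc=hadoop,dc=apache,dc=org
objectclass: inetOrgPerson
uid: eve
userPrincipalName: eve@hadoop.apache.org

dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: groupOfNames
cn: analyst
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org

dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: groupOfNames
cn: scientist
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
"""


def normalize_dn(dn):
    """Case-fold and drop spaces around commas so DNs compare the way a server would."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return {normalized dn: {attr_lower: [values]}} for plain LDIF (no folding or base64)."""
    directory, entry = {}, {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in entry:
                directory[normalize_dn(entry.pop("dn")[0])] = entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return directory


def escape_dn_value(value):
    """RFC 4514 escaping for a login name substituted into a DN template."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out


def find_by_dn_template(directory, template, login):
    """Zeppelin LDAP realm style: the user exists only if the filled template is exactly its DN."""
    dn = template.replace("{0}", escape_dn_value(login))
    return dn if normalize_dn(dn) in directory else None


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ad_filter(upn):
    """The filter string the page quotes for the AD realm, with the UPN escaped."""
    return "(&(objectClass=*)(userPrincipalName=%s))" % escape_filter_value(upn)


def search(directory, base, attr, value):
    """Subtree equality search, i.e. what the filter asks the server to do: DNs under base whose attr holds value."""
    base, value = normalize_dn(base), value.lower()
    return [dn for dn, attrs in directory.items()
            if (dn == base or dn.endswith("," + base))
            and value in [v.lower() for v in attrs.get(attr.lower(), [])]]


def groups_of(directory, user_dn):
    """Roles for authorization: cn of every groupOfNames that lists user_dn as a member."""
    target = normalize_dn(user_dn)
    return sorted(attrs["cn"][0] for attrs in directory.values()
                  if "groupofnames" in [c.lower() for c in attrs.get("objectclass", [])]
                  and target in [normalize_dn(m) for m in attrs.get("member", [])])


if __name__ == "__main__":
    d = parse_ldif(DEMO_LDIF)
    template = "uid={0},ou=people,dc=hadoop,dc=apache,dc=org"
    for login in ("sam", "eve"):  # eve is not under ou=people, so the template misses her
        print("template", login, "->", find_by_dn_template(d, template, login))
    print(ad_filter("eve@hadoop.apache.org"), "->",
          search(d, "dc=hadoop,dc=apache,dc=org", "userPrincipalName", "eve@hadoop.apache.org"))
    print("groups of sam ->", groups_of(d, "uid=sam,ou=people,dc=hadoop,dc=apache,dc=org"))
```

The template finds sam but not eve, while the subtree search rooted at the base DN finds eve wherever she sits; this is the difference between the two realms that the sections above describe. Group resolution only needs read access to ou=groups, which is exactly what the bind user provides.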
Further Readings
- Shiro authentication for Apache Zeppelin
- Apache Shiro
- Does the userPrincipalName (UPN) attribute always exist in Active Directory?
Hi, which version of Zeppelin are you using here? I can't seem to get the LDAP working and I'm thinking maybe version 6.2 doesn't have the full functionality. Thanks.
Hi Sam, it should work with 6.2.
Please let me know if you were able to resolve your issue.
Thanks
Thanks for the quick reply. My problem was that I was trying to use something other than the DN (example: sAMAccountName) for the userDnTemplate, which I think I can't do.