Zeppelin Login with Demo LDAP of Knox

With the introduction of ZEPPELIN-548 it now supports Apache Shiro based AD and LDAP authentication. This quick example demonstrates the connection of Zeppelin to the Knox Demo LDAP server.

Start Demo LDAP

Knox comes with a Demo LDAP server provisioned with sample principals for validation use cases. It can be started via Ambari:

[Screenshot: starting the Knox Demo LDAP server in Ambari]

Instead of starting the Demo LDAP server via Ambari it can also be started with the ldap.sh script:

# /usr/hdp/2.5.0.0-1245/knox/bin/ldap.sh 
Usage: ./ldap.sh {start|stop|status|clean}

The Demo LDAP contains multiple users, defined in the following LDIF:

version: 1
# Please replace with site specific values
dn: dc=hadoop,dc=apache,dc=org
objectclass: organization
objectclass: dcObject
o: Hadoop
dc: hadoop
# Entry for a sample people container
# Please replace with site specific values
dn: ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:organizationalUnit
ou: people
# Entry for a sample end user
# Please replace with site specific values
dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: Guest
sn: User
uid: guest
userPassword:guest-password
# entry for sample user admin
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: Admin
sn: Admin
uid: admin
userPassword:admin-password
# entry for sample user sam
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: sam
sn: sam
uid: sam
userPassword:sam-password
# entry for sample user tom
dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: tom
sn: tom
uid: tom
userPassword:tom-password
# create FIRST Level groups branch
dn: ou=groups,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:organizationalUnit
ou: groups
description: generic groups branch
# create the analyst group under groups
dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass: groupofnames
cn: analyst
description:analyst  group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
# create the scientist group under groups
dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass: groupofnames
cn: scientist
description: scientist group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org

After starting the Demo LDAP server we can use the above users with passwords for login with Zeppelin.

Configure Zeppelin

Zeppelin uses Apache Shiro for user authentication. To activate authentication, anonymous login has to be disabled and one of the provided Shiro realms has to be configured. Currently two Shiro realms are provided, the LDAP realm and the Active Directory realm. For this example we need to configure the ldapRealm to use the Knox Demo LDAP:

[main]
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
ldapRealm.contextFactory.environment[ldap.searchBase] = dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.url = ldap://<knox_node>:33389
ldapRealm.userDnTemplate = uid={0},ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.authenticationMechanism = SIMPLE

shiro.loginUrl = /api/login

[urls]
#/** = anon
/** = authc

For authorization a bind user would be required. You can use the following setting:

ldapRealm.contextFactory.systemUsername = uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.systemPassword = sam-password


Additionally Zeppelin needs to be configured to disallow anonymous login:

[Screenshot: Zeppelin anonymous login setting]

Or in conf/zeppelin-site.xml:

<property>
  <name>zeppelin.anonymous.allowed</name>
  <value>false</value>
</property>

After restarting Zeppelin you can use for example the user sam with sam-password as the password to login to Zeppelin.

Zeppelin start page after authentication setup:

[Screenshot: Zeppelin login page]

Login with sam user:

[Screenshots: Zeppelin login dialog and start page for user sam]

LDAP Search

Currently users are discovered via a DN (Distinguished Name) template for LDAP. A user can only be retrieved from the directory if the template, applied to the login name, yields exactly that user's DN. For our demo we can use the following template:

uid={0},ou=people,dc=hadoop,dc=apache,dc=org

where {0} is replaced with the login user name.

For our Demo LDAP this works fine as all users are below ou=people in the directory. This is not always the case for complex enterprise directories. The AD realm instead uses a search pattern to find the user based on the userPrincipalName (UPN).

LDAP Bind User Authentication

Here we use a user bind, which is sufficient for authentication. To make roles and authorization work, a bind user is required; the LDAP realm also allows specifying one. For this use:

ldapRealm.contextFactory.systemUsername = uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.systemPassword = sam-password
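The following Python example is added here and is not code from this post, Zeppelin or Shiro. It models the two mechanisms above against a constructed excerpt of the demo LDIF: resolving the DN template, the user bind, the group lookup a bind user performs (groupofnames member attributes), and why a user outside ou=people (the constructed entry ann, which does not exist in the real demo) is not found by the template but is found by a search.

```python
# Constructed excerpt of the Knox Demo LDAP users.ldif; "ann" is an added entry
# (not in the real demo) placed outside ou=people to show the template's limit.
DEMO_LDIF = """\
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
uid: sam
userPassword:sam-password
dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
uid: tom
userPassword:tom-password
dn: uid=ann,ou=contractors,dc=hadoop,dc=apache,dc=org
uid: ann
userPassword:ann-password
dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
cn: analyst
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
cn: scientist
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
"""
USER_DN_TEMPLATE = "uid={0},ou=people,dc=hadoop,dc=apache,dc=org"

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}. Attribute names are
    lower-cased; 'attr:value' without a space (as in the demo file) is accepted."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def resolve_user_dn(login):
    """DN template path: plain substitution, no directory search."""
    return USER_DN_TEMPLATE.format(login)
def search_user_dn(entries, login):
    """Search path (what the AD realm does with the UPN): find uid=login anywhere."""
    return next((dn for dn, e in entries.items() if login in e.get("uid", [])), None)
def authenticate(entries, login, password):
    """Simulate the user bind: the templated DN must exist and the password must match."""
    entry = entries.get(resolve_user_dn(login))
    return entry is not None and password in entry.get("userpassword", [])
def roles_for(entries, login):
    """Group lookup done with the bind user: groups whose member lists the user DN."""
    dn = resolve_user_dn(login)
    return sorted(e["cn"][0] for e in entries.values() if dn in e.get("member", []))
```

Against the real server the template substitution and the bind are done by the Shiro realm; this script only reproduces the logic so the effect of the DN template on users in other branches can be seen offline.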

Connection with Active Directory

When connecting with an Active Directory, the userPrincipalName (UPN) is used to search for the user principal in the directory. At the moment the search pattern is hard coded and cannot be configured:

"(&(objectClass=*)(userPrincipalName=" + userPrincipalName + "))"


3 thoughts on “Zeppelin Login with Demo LDAP of Knox”

  1. Hi, which version of Zeppelin are you using here? I can't seem to get the LDAP working and I'm thinking maybe the version 6.2 doesn't have the full functionality. Thanks.


  2. Thanks for the quick reply. My problem was that I was trying to use something else other than the DN (example: sAMAccountName) for the userDnTemplate, which I think I can't do.
