How to configure Apache Zeppelin to use LDAP Authentication on HDInsight

Microsoft Azure

Apache Zeppelin supports integration with Active Directory/LDAP via the Shiro pluggable authentication module.

Configuration files

Configuration file Settings Description
zeppelin-config zeppelin.anonymous.allowed: false This disables anonymous access to Zeppelin
zeppelin-env The shiro_ini_content setting should be configured with the following:

# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / …) check the shiro doc at Sections
# LDAP configuration, for user Authentication, currently tested for single Realm
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = CN=<service account tbc>,CN=Users,DC=my,DC=domain,DC=com
activeDirectoryRealm.systemPassword = <not the password>
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://use r/zeppelin/zeppelin.jceks
activeDirectoryRealm.searchBase = CN=Users,DC=my,,DC=domain,DC=com
activeDirectoryRealm.url = ldap://<domain controller fqdn>:389
#activeDirectoryRealm.groupRolesMap = ‘tbc’
#activeDirectoryRealm.authorizationCachingEnabled = true
shiro.loginUrl = /api/login
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enfore security, comment the line below and uncomment the next one
/** = authc

The first few lines under main defines the user account and password to use to connect to the domain controller.

We then define the search base path to use when looking up users/groups.

We  then define the domain controller to connect to.

The last line enables authentication for all URLs.

You have two options for applying these configuration changes:
  • Through the Ambari web interface or;
  • You can make these changes at cluster deployment time with ARM template HDInsight bootstrap configuration, although these configuration files are not officially listed in the Microsoft documentation it is possible to configure these in an ARM template (in the clusterDefinition, configurations section).

The only problem is you will not likely want to add the password to the ARM template so you could add the password via the Ambari web interface post deployment or inject it into the template at runtime.

Leave a Reply