How to configure Apache Zeppelin to use LDAP Authentication on HDInsight
Apache Zeppelin supports integration with Active Directory/LDAP via the Shiro pluggable authentication module.
Configuration files
| Configuration file | Settings | Description |
| --- | --- | --- |
| zeppelin-config | zeppelin.anonymous.allowed: false | This disables anonymous access to Zeppelin. |
| zeppelin-env | shiro_ini_content (content shown below) | The first few lines under [main] define the user account and password used to connect to the domain controller. We then define the search base path to use when looking up users/groups. We then define the domain controller to connect to. The last line enables authentication for all URLs. |

The shiro_ini_content setting should be configured with the following:

```ini
[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INI Sections

# LDAP configuration, for user Authentication, currently tested for single Realm
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = CN=<service account tbc>,CN=Users,DC=my,DC=domain,DC=com
activeDirectoryRealm.systemPassword = <not the password>
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
activeDirectoryRealm.searchBase = CN=Users,DC=my,DC=domain,DC=com
activeDirectoryRealm.url = ldap://<domain controller fqdn>:389
#activeDirectoryRealm.groupRolesMap = 'tbc'
#activeDirectoryRealm.authorizationCachingEnabled = true
shiro.loginUrl = /api/login

[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enforce security, comment the line below and uncomment the next one
/** = authc
```
You have two options for applying these configuration changes:
- Through the Ambari web interface; or
- At cluster deployment time, using the HDInsight bootstrap configuration in an ARM template. Although these configuration files are not officially listed in the Microsoft documentation, it is possible to configure them in an ARM template (in the clusterDefinition, configurations section).

The only problem is that you will probably not want to add the password to the ARM template, so you could add the password via the Ambari web interface after deployment or inject it into the template at runtime.
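One way to do the runtime injection, as an added example that is not part of the original post: the script renders the two configuration entries from the table above and reads the bind password from an environment variable at deploy time. The variable name `ZEPPELIN_LDAP_BIND_PASSWORD`, the sample account and host names, and the assumption that the configurations section takes string values keyed by configuration file name are all illustrative.

```python
import json
import os

# shiro_ini_content template; the keys are the ones shown in the post.
SHIRO_TEMPLATE = """[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = {bind_dn}
activeDirectoryRealm.systemPassword = {bind_password}
activeDirectoryRealm.searchBase = {search_base}
activeDirectoryRealm.url = {ldap_url}
shiro.loginUrl = /api/login

[urls]
/** = authc
"""


def build_configurations(bind_dn, search_base, ldap_url, env=os.environ,
                         secret_var="ZEPPELIN_LDAP_BIND_PASSWORD"):
    """Return the 'configurations' fragment; secret_var is a hypothetical name."""
    password = env.get(secret_var)
    if not password:
        raise ValueError(f"{secret_var} is not set; refusing to render")
    # A line break in any value would let it add or override INI keys.
    for name, value in (("bind_dn", bind_dn), ("search_base", search_base),
                        ("ldap_url", ldap_url), ("password", password)):
        if "\n" in value or "\r" in value:
            raise ValueError(f"{name} contains a line break")
    if not ldap_url.startswith(("ldap://", "ldaps://")):
        raise ValueError("ldap_url must start with ldap:// or ldaps://")
    shiro = SHIRO_TEMPLATE.format(bind_dn=bind_dn, bind_password=password,
                                  search_base=search_base, ldap_url=ldap_url)
    return {
        "zeppelin-config": {"zeppelin.anonymous.allowed": "false"},
        "zeppelin-env": {"shiro_ini_content": shiro},
    }


if __name__ == "__main__":
    # Constructed sample values; the dict stands in for the deploy environment.
    sample_env = {"ZEPPELIN_LDAP_BIND_PASSWORD": "constructed-example-only"}
    fragment = build_configurations(
        "CN=svc-zeppelin,CN=Users,DC=my,DC=domain,DC=com",
        "CN=Users,DC=my,DC=domain,DC=com",
        "ldap://dc01.my.domain.com:389", env=sample_env)
    print(json.dumps(fragment, indent=2))
```

The rendered fragment contains the password, so pass it to the deployment as a secure parameter rather than writing it to disk. The sample keeps the post's ldap:// URL on port 389, which is not TLS-protected; an ldaps:// URL keeps the bind password from crossing the network in clear text.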