mirror of
https://github.com/apache/zeppelin
synced 2026-05-24 09:38:26 +00:00
### What is this PR for? Improving documentation page. Please check *TODO* and *Screenshots* sections for detail. The motivation is described in [the JIRA ticket](https://issues.apache.org/jira/browse/ZEPPELIN-2583) and discussion is ongoing on the mailing list. ### What type of PR is it? [Improvement | Documentation] ### Todos * [x] - improved the navbar style * [x] - improved the main page * [x] - re-organized content structure * [x] - added tutorial pages: `spark_with_zeppelin.md`, `python_with_zeppelin.md`, `sql_with_zeppelin.md` for overview * [x] - added `multi_user_support.md` page to provide overview * [x] - added the empty `interpreter_binding_mode` page. This will be handed in the different issue: [ZEPPELIN-2582](https://issues.apache.org/jira/browse/ZEPPELIN-2582) * [x] - added the empty `trouble_shooting` page. This can be filled in the following PRs. * [x] - added the empty `useful_developer_tools` page. This can be filled in the following PRs. ### What is the Jira issue? [ZEPPELIN-2596](https://issues.apache.org/jira/browse/ZEPPELIN-2596) ### How should this be tested? 1. checkout 2. `cd docs` 3. `bundle install` (make sure that you have ruby 2.1.0+ and bundle) 4. `bundle exec jekyll serve --watch` 5. open `localhost:4000` ### Screenshots (if appropriate) #### better navbar: before  #### better navbar: after  #### improved main page: before  #### improved main page: after  #### organized content structure: before  #### organized content structure: after  ### Questions: * Does the licenses files need update? - NO * Is there breaking changes for older versions? - NO * Does this needs documentation? - related with docs Author: 1ambda <1amb4a@gmail.com> Closes #2371 from 1ambda/updating-version-doc and squashes the following commits:eb02fa967[1ambda] fix: navbar focus color applies after folding026379ed6[1ambda] fix: Remove docs/.listen_testa7dd4737b[1ambda] fix: sora's comment 1.218c5058f7[1ambda] fix: resolve description in python_with_zeppelin.mdd3ad67c73[1ambda] fix: sora's comment 4d133dbbcc[1ambda] fix: resolve sora's comment 3513c6ff2c[1ambda] fix: resolve sora's comment 1.14c2946928[1ambda] fix: resovle sora's comment 21c3946ac6[1ambda] fix: sora's comment 14d6e4267f[1ambda] fix: Resolve sola's comment 3d0524cafe[1ambda] fix: Set less shadow for nav5f1f998ba[1ambda] docs: Add useful_develop_tools.md9dfd62c74[1ambda] fix: Typo in installation.md30f7d7e06[1ambda] fix: Typo in helium ctrld6877e792[1ambda] docs: Add python_with_zeppelin.md7027e96c0[1ambda] docs: Improve python conda, docker doc stylee55b50a9d[1ambda] fix: Invalid URLs75ddeeaff[1ambda] docs: replace URIs in interpreter5b43993a4[1ambda] docs: Add sql_with_zeppelin053794e84[1ambda] docs: Add spark_with_zeppelin.mdd4d88b9c7[1ambda] docs: Improve proxy docb46cdd126[1ambda] docs: Add empty interpreter_binding_mode.md06fcb239e[1ambda] docs: Add empty personalized_mode.md4991cf0a7[1ambda] docs: Update upgrading.md53142b7a0[1ambda] fix: Simplify install.md8a5c1e721[1ambda] docs: Add multi_user_support.md34095775e[1ambda] fix: Increase font size to 15pxa03b04b33[1ambda] fix: Remove sample text from trouble_shooting.md199842590[1ambda] fix: Remove docker doc link66a2a7d26[1ambda] docs: Improve impersonation page0a6e3fc1d[1ambda] docs: Improve install docccd999ed5[1ambda] docs: Improve helium docf8d742d08[1ambda] fix: an invalid link in navbarb7aa5f884[1ambda] fix: URLs in development61a175d94[1ambda] docs: Update install.md4c56de5c4[1ambda] fix: URLs in setup0b1d63513[1ambda] fix: URLs in quickstart28970a4fe[1ambda] feat: Add docs/usage735946bca[1ambda] feat: rename /quickstartb351cf237[1ambda] fix: Add missing linksb70770b4f[1ambda] feat: Change URLs in nav, index94e80aef6[1ambda] fix: doens't display navbar version in small6e0cab110[1ambda] feat: Update doc section namesb9ce256ff[1ambda] feat: Hide version in navbar when mdf8bab52be[1ambda] fix: Better image display in index.mdeeb37d5b5[1ambda] fix: Add RL padding for mobile browserceb60b5ee[1ambda] feat: Style collapsed nav for mobile browser4ebafb4b6[1ambda] commit
132 lines
6.3 KiB
Markdown
132 lines
6.3 KiB
Markdown
---
|
|
layout: page
|
|
title: "HTTP Basic Auth using NGINX"
|
|
description: "There are multiple ways to enable authentication in Apache Zeppelin. This page describes HTTP basic auth using NGINX."
|
|
group: setup/security
|
|
---
|
|
<!--
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
-->
|
|
{% include JB/setup %}
|
|
|
|
# Authentication for NGINX
|
|
|
|
<div id="toc"></div>
|
|
|
|
[Build in authentication mechanism](./shiro_authentication.html) is recommended way for authentication. In case of you want authenticate using NGINX and [HTTP basic auth](https://en.wikipedia.org/wiki/Basic_access_authentication), please read this document.
|
|
|
|
## HTTP Basic Authentication using NGINX
|
|
|
|
> **Quote from Wikipedia:** NGINX is a web server. It can act as a reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer and an HTTP cache.
|
|
|
|
So you can use NGINX server as proxy server to serve HTTP Basic Authentication as a separate process along with Zeppelin server.
|
|
Here are instructions how to accomplish the setup NGINX as a front-end authentication server and connect Zeppelin at behind.
|
|
|
|
This instruction based on Ubuntu 14.04 LTS but may work with other OS with few configuration changes.
|
|
|
|
1. Install NGINX server on your server instance
|
|
|
|
You can install NGINX server with same box where zeppelin installed or separate box where it is dedicated to serve as proxy server.
|
|
|
|
```
|
|
$ apt-get install nginx
|
|
```
|
|
> **NOTE :** On pre 1.3.13 version of NGINX, Proxy for Websocket may not fully works. Please use latest version of NGINX. See: [NGINX documentation](https://www.nginx.com/blog/websocket-nginx/).
|
|
|
|
1. Setup init script in NGINX
|
|
|
|
In most cases, NGINX configuration located under `/etc/nginx/sites-available`. Create your own configuration or add your existing configuration at `/etc/nginx/sites-available`.
|
|
|
|
```
|
|
$ cd /etc/nginx/sites-available
|
|
$ touch my-zeppelin-auth-setting
|
|
```
|
|
|
|
Now add this script into `my-zeppelin-auth-setting` file. You can comment out `optional` lines If you want serve Zeppelin under regular HTTP 80 Port.
|
|
|
|
```
|
|
upstream zeppelin {
|
|
server [YOUR-ZEPPELIN-SERVER-IP]:[YOUR-ZEPPELIN-SERVER-PORT]; # For security, It is highly recommended to make this address/port as non-public accessible
|
|
}
|
|
|
|
# Zeppelin Website
|
|
server {
|
|
listen [YOUR-ZEPPELIN-WEB-SERVER-PORT];
|
|
listen 443 ssl; # optional, to serve HTTPS connection
|
|
server_name [YOUR-ZEPPELIN-SERVER-HOST]; # for example: zeppelin.mycompany.com
|
|
|
|
ssl_certificate [PATH-TO-YOUR-CERT-FILE]; # optional, to serve HTTPS connection
|
|
ssl_certificate_key [PATH-TO-YOUR-CERT-KEY-FILE]; # optional, to serve HTTPS connection
|
|
|
|
if ($ssl_protocol = "") {
|
|
rewrite ^ https://$host$request_uri? permanent; # optional, to force use of HTTPS
|
|
}
|
|
|
|
location / { # For regular websever support
|
|
proxy_pass http://zeppelin;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-NginX-Proxy true;
|
|
proxy_redirect off;
|
|
auth_basic "Restricted";
|
|
auth_basic_user_file /etc/nginx/.htpasswd;
|
|
}
|
|
|
|
location /ws { # For websocket support
|
|
proxy_pass http://zeppelin/ws;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade websocket;
|
|
proxy_set_header Connection upgrade;
|
|
proxy_read_timeout 86400;
|
|
}
|
|
}
|
|
```
|
|
|
|
Then make a symbolic link to this file from `/etc/nginx/sites-enabled/` to enable configuration above when NGINX reloads.
|
|
|
|
```
|
|
$ ln -s /etc/nginx/sites-enabled/my-zeppelin-auth-setting /etc/nginx/sites-available/my-zeppelin-auth-setting
|
|
```
|
|
|
|
1. Setup user credential into `.htpasswd` file and restart server
|
|
|
|
Now you need to setup `.htpasswd` file to serve list of authenticated user credentials for NGINX server.
|
|
|
|
```
|
|
$ cd /etc/nginx
|
|
$ htpasswd -c htpasswd [YOUR-ID]
|
|
$ NEW passwd: [YOUR-PASSWORD]
|
|
$ RE-type new passwd: [YOUR-PASSWORD-AGAIN]
|
|
```
|
|
Or you can use your own apache `.htpasswd` files in other location for setting up property: `auth_basic_user_file`
|
|
|
|
Restart NGINX server.
|
|
|
|
```
|
|
$ service nginx restart
|
|
```
|
|
Then check HTTP Basic Authentication works in browser. If you can see regular basic auth popup and then able to login with credential you entered into `.htpasswd` you are good to go.
|
|
|
|
1. More security consideration
|
|
|
|
* Using HTTPS connection with Basic Authentication is highly recommended since basic auth without encryption may expose your important credential information over the network.
|
|
* Using [Shiro Security feature built-into Zeppelin](./shiro_authentication.html) is recommended if you prefer all-in-one solution for authentication but NGINX may provides ad-hoc solution for re-use authentication served by your system's NGINX server or in case of you need to separate authentication from zeppelin server.
|
|
* It is recommended to isolate direct connection to Zeppelin server from public internet or external services to secure your zeppelin instance from unexpected attack or problems caused by public zone.
|
|
|
|
## Another option
|
|
|
|
Another option is to have an authentication server that can verify user credentials in an LDAP server.
|
|
If an incoming request to the Zeppelin server does not have a cookie with user information encrypted with the authentication server public key, the user
|
|
is redirected to the authentication server. Once the user is verified, the authentication server redirects the browser to a specific URL in the Zeppelin server which sets the authentication cookie in the browser.
|
|
The end result is that all requests to the Zeppelin web server have the authentication cookie which contains user and groups information.
|