Zeppelin configuration parameters

Allow user-managed interpreters

Allows you to use Zeppelin interpreters with the user-managed=true property. If enabled, ADCM will preserve custom user properties when restarting Zeppelin

true

Custom interpreter.json

Enables the interpreter configuration defined in the interpreter.json ADCM field

false

interpreter.json

The custom JSON definition of interpreters to be available in the Zeppelin web UI. Defining interpreters in this way overwrites all (both user and system) interpreters settings

interpreters.json

interpreter.sh

The custom contents of the interpreter.sh script. This script is invoked on the Zeppelin startup and is used to prepare the environment for proper Zeppelin operation

interpreters.sh

zeppelin.dep.localrepo

The local repository for the dependency loader

/srv/zeppelin/local-repo

zeppelin.server.addr

The Zeppelin server binding address

0.0.0.0

zeppelin.server.port

The server port

8180

zeppelin.server.kerberos.principal

The principal name to load from the keytab

 — 

zeppelin.server.kerberos.keytab

Path to the keytab file

 — 

zeppelin.shell.auth.type

Sets the authentication type. Possible values are SIMPLE and KERBEROS

 — 

zeppelin.shell.principal

The principal name to load from the keytab

 — 

zeppelin.shell.keytab.location

Path to the keytab file

 — 

zeppelin.jdbc.auth.type

Sets the authentication type. Possible values are SIMPLE and KERBEROS

 — 

zeppelin.jdbc.keytab.location

Path to the keytab file

 — 

zeppelin.jdbc.principal

The principal name to load from the keytab

 — 

zeppelin.jdbc.auth.kerberos.proxy.enable

When the KERBEROS authentication type is used, this parameter enables/disables proxy with the login user to get the connection

true

spark.yarn.keytab

The full path to the file that contains the keytab for the principal. This keytab will be copied to the node running the YARN Application Master via the Secure Distributed Cache, for renewing the login tickets and the delegation tokens periodically

 — 

spark.yarn.principal

The principal to be used to login to KDC, while running on secure HDFS

 — 

zeppelin.livy.keytab

Path to the keytab file

 — 

zeppelin.livy.principal

The principal name to load from the keytab

 — 

zeppelin.server.ssl.port

The port number for SSL communication

8180

zeppelin.ssl

Defines whether to use SSL

false

zeppelin.ssl.keystore.path

Path to the keystore used by Zeppelin

 — 

zeppelin.ssl.keystore.password

The password to access the keystore file

 — 

zeppelin.ssl.truststore.path

Path to the truststore used by Zeppelin

 — 

zeppelin.ssl.truststore.password

The password to access the truststore file

 — 

Zeppelin Server Heap Memory

Sets initial (-Xms) and maximum (-Xmx) Java heap size for Zeppelin Server

-Xms700m -Xmx1024m

Users/password map

A map of type <username: password>. For example, <myUser1: password1>

 — 

sessionManager

A class that handles the creation, maintenance, and cleanup of all application sessions

org.apache.shiro.web.session.mgt.DefaultWebSessionManager

securityManager.sessionManager

The SessionManager component implementation for SecurityManager

$sessionManager

securityManager.sessionManager.globalSessionTimeout

Timeout in milliseconds after which a session gets expired and the user is required to log in again

86400000

shiro.loginUrl

Sets the loginUrl property for any Shiro’s default filters

/api/login

cookie

Class responsible for cookie handling

org.apache.shiro.web.servlet.SimpleCookie

cookie.name

Name of the session cookie used by Shiro. This parameter must be the same as the responseExcludeHeaders parameter in /usr/lib/knox/data/services/zeppelinui/{version}/service.xml

JSESSIONID

cookie.httpOnly

Defines whether Shiro’s cookies should have the HttpOnly attribute

true

cookie.secure

Defines whether Shiro’s cookies should have the Secure attribute

false

sessionManager.sessionIdCookie

Cookie implementation for sessionManager

$cookie

ldapRealm

Extends the Apache Shiro provider to allow for LDAP searches and to provide group membership to the authorization provider

org.apache.zeppelin.realm.LdapRealm

ldapRealm.contextFactory.authenticationMechanism

Specifies the authentication mechanism used by the LDAP service

simple

ldapRealm.contextFactory.url

The URL of the source LDAP. For example, ldap://ldap.example.com:389

 — 

ldapRealm.userDnTemplate

Optional. Knox uses this value to construct the UserDN for the authentication bind. Specify the UserDN where the first attribute is {0} indicating the attribute which matches the user log in token. For example, the UserDnTemplate for Apache DS bundled with Knox is uid={0},ou=people,dc=hadoop,dc=apache,dc=org

 — 

ldapRealm.pagingSize

Sets the LDAP paging size

100

ldapRealm.authorizationEnabled

Enables authorization for Shiro ldapRealm

true

ldapRealm.contextFactory.systemAuthenticationMechanism

Defines the authentication mechanism to use for Shiro ldapRealm context factory. Possible values are simple and digest-md+5

 — 

ldapRealm.userLowerCase

Forces username returned from LDAP to be lower-cased

true

ldapRealm.memberAttributeValueTemplate

The attribute that identifies a user in the group. For exmaple: cn={0},ou=people,dc=hadoop,dc=apache,dc=org

 — 

ldapRealm.searchBase

The starting DN in the LDAP DIT for the search. Only subtrees of the specified subtree are searched. For example: dc=hadoop,dc=apache,dc=org

 — 

ldapRealm.userSearchBase

Search base for user bind DN. Defaults to the value of ldapRealm.searchBase if no value is defined. If ldapRealm.userSearchAttributeName is defined, also define a value for either ldapRealm.searchBase or ldapRealm.userSearchBase

 — 

ldapRealm.groupSearchBase

Search base used to search for groups. Defaults to the value of ldapRealm.searchBase. Only set if ldapRealm.authorizationEnabled=true

 — 

ldapRealm.groupObjectClass

Set the value to the Objectclass that identifies group entries in LDAP

groupofnames

ldapRealm.userSearchAttributeName

Specify the attribute that corresponds to the user login token. This attribute is used with the search results to compute the UserDN for the authentication bind

sAMAccountName

ldapRealm.memberAttribute

Set the value to the attribute that defines group membership. When the value is rememberer, found groups are treated as dynamic groups

member

ldapRealm.userSearchScope

Defines searchScope. Possible values are subtree, one, base

subtree

ldapRealm.groupSearchScope

Defines groupSearchScope. Possible values are subtree, one, base

subtree

ldapRealm.contextFactory.systemUsername

Set to the LDAP Service Account that the Zeppelin uses for LDAP searches. If required, specify the full account UserDN. For example: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org. This account requires read permission to the search base DN

 — 

ldapRealm.contextFactory.systemPassword

Sets the password for systemUsername. This password will be added to the keystore using hadoop credentials

 — 

ldapRealm.groupSearchEnableMatchingRuleInChain

Enables support for nested groups using the LDAP_MATCHING_RULE_IN_CHAIN operator

true

ldapRealm.rolesByGroup

Optional mapping from physical groups to logical application roles. For example: "LDN_USERS":"user_role", "NYK_USERS":"user_role", "HKG_USERS":"user_role", "GLOBAL_ADMIN":"admin_role"

 — 

ldapRealm.allowedRolesForAuthentication

Optional list of roles that are allowed to authenticate. If not specified, all groups are allowed to authenticate (login). This changes nothing for url-specific permissions that will continue to work as specified in [urls]. For example: admin_role,user_role

 — 

ldapRealm.permissionsByRole

Optional. Sets permissions by role. For example: 'user_role = :ToDoItemsJdo::*, :ToDoItem::*; admin_role = *'

 — 

securityManager.realms

Specifies a list of Apache Shiro Realms

$ldapRealm

sessionManager

A class that handles the creation, maintenance, and cleanup of all application sessions

org.apache.shiro.web.session.mgt.DefaultWebSessionManager

securityManager.sessionManager

The SessionManager component implementation for SecurityManager

$sessionManager

securityManager.sessionManager.globalSessionTimeout

Timeout in milliseconds after which a session gets expired and the user is required to log in again

86400000

shiro.loginUrl

Sets the loginUrl property for any Shiro’s default filters

/api/login

cookie

Class responsible for cookie handling

org.apache.shiro.web.servlet.SimpleCookie

cookie.name

Name of the session cookie used by Shiro. This parameter must be the same as the responseExcludeHeaders parameter in /usr/lib/knox/data/services/zeppelinui/{version}/service.xml

JSESSIONID

cookie.httpOnly

Defines whether Shiro’s cookies should have the HttpOnly attribute

true

cookie.secure

Defines whether Shiro’s cookies should have the Secure attribute

false

sessionManager.sessionIdCookie

Cookie implementation for sessionManager

$cookie

activeDirectoryRealm

The Shiro realm to work with Active Directory

org.apache.zeppelin.realm.ActiveDirectoryGroupRealm

activeDirectoryRealm.systemUsername

The user name for connecting to Active Directory

 — 

activeDirectoryRealm.systemPassword

The user password for connecting to Active Directory

 — 

activeDirectoryRealm.searchBase

The base DN of your Active Directory server. For example: CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM

 — 

activeDirectoryRealm.url

The URL of your Active Directory server. For example: ldap://ldap.example.com:389

 — 

activeDirectoryRealm.groupRolesMap

A mapping of AD groups to Apache Shiro roles. For example: 'CN=aGroupName,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM':'group1', 'CN=bGroupName,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM':'group2'

 — 

activeDirectoryRealm.authorizationCachingEnabled

Enables/disables caching of authorization decisions

false

securityManager.realms

The realm used by securityManager

$activeDirectoryRealm

sessionManager

A class that handles the creation, maintenance, and cleanup of all application sessions

org.apache.shiro.web.session.mgt.DefaultWebSessionManager

securityManager.sessionManager

The SessionManager component implementation for SecurityManager

$sessionManager

securityManager.sessionManager.globalSessionTimeout

Timeout in milliseconds after which a session gets expired and the user is required to log in again

86400000

shiro.loginUrl

Sets the loginUrl property for any Shiro’s default filters

/api/login

cookie

Class responsible for cookie handling

org.apache.shiro.web.servlet.SimpleCookie

cookie.name

Name of the session cookie used by Shiro. This parameter must be the same as the responseExcludeHeaders parameter in /usr/lib/knox/data/services/zeppelinui/{version}/service.xml

JSESSIONID

cookie.httpOnly

Defines whether Shiro’s cookies should have the HttpOnly attribute

true

cookie.secure

Defines whether Shiro’s cookies should have the Secure attribute

false

sessionManager.sessionIdCookie

Cookie implementation for sessionManager

$cookie

knoxJwtRealm

The Shiro realm to work with Knox

org.apache.zeppelin.realm.ActiveDirectoryGroupRealm

knoxJwtRealm.providerUrl

The URL of your Knox server. For example: https://<knox-host>:8443/

 — 

knoxJwtRealm.login

The URL to perform the login action

gateway/knoxssout/api/v1/webssout

knoxJwtRealm.logout

The URL to perform the logout action

gateway/knoxssout/api/v1/webssout

knoxJwtRealm.logoutAPI

Enables the logout API action

true

knoxJwtRealm.redirectParam

A URL to redirect the client after the logout

originalUrl

knoxJwtRealm.cookieName

Name of the cookie used by Knox SSO

hadoop-jwt

knoxJwtRealm.publicKeyPath

A path to the public key (certificate) used by Knox

/usr/lib/zeppelin/gateway.cer

sessionManager

A class that handles the creation, maintenance, and cleanup of all application sessions

org.apache.shiro.web.session.mgt.DefaultWebSessionManager

securityManager.sessionManager

The SessionManager component implementation for SecurityManager

$sessionManager

securityManager.sessionManager.globalSessionTimeout

Timeout in milliseconds after which a session gets expired and the user is required to log in again

86400000

shiro.loginUrl

Sets the loginUrl property for any Shiro’s default filters

/api/login

cookie

Class responsible for cookie handling

org.apache.shiro.web.servlet.SimpleCookie

cookie.httpOnly

Defines whether Shiro’s cookies should have the HttpOnly attribute

true

cookie.secure

Defines whether Shiro’s cookies should have the Secure attribute

false

sessionManager.sessionIdCookie

Cookie implementation for sessionManager

$cookie

cookie.name

Name of the session cookie used by Shiro. This parameter must be the same as the responseExcludeHeaders parameter in /usr/lib/knox/data/services/zeppelinui/{version}/service.xml

WWW-AUTHENTICATE

knoxJwtRealm.groupPrincipalMapping

Defines principal and group mapping rules

group.principal.mapping

knoxJwtRealm.principalMapping

Defines principal mapping rules

principal.mapping

Additional main section in shiro.ini

Allows adding additional key/value pairs to the main section of the shiro.ini file

 — 

Additional roles section in shiro.ini

Allows adding additional key/value pairs to the roles section of the shiro.ini file

 — 

Additional urls section in shiro.ini

Allows adding additional key/value pairs to the urls section of the shiro.ini file

 — 

Encryption enable

Enables or disables the credential encryption feature. When enabled, Zeppelin stores configuration passwords and credentials required for interacting with other services in the encrypted form

false

Credential provider path

Path to a keystore file with secrets

jceks://file/etc/zeppelin/conf/zeppelin.jceks

Custom jceks

Set to true to use a custom JCEKS file. Set to false to use the default auto-generated JCEKS file

false

Custom zeppelin-site.xml

 — 

Custom zeppelin-env.sh

Custom log4j.properties