Wednesday, May 9, 2018

Apache Zeppelin Login Banner

Apache Zeppelin does not yet have an easy way to include a logon banner, login banner, warning banner, 'notice and consent banner', 'approved system use notification', security message, or whatever-you-want-to-call-it.

A client needed one so I put together these instructions for a workaround. I plan on submitting a proper patch to Zeppelin if I can find some spare time. Hopefully someone else will do it first :)

These instructions use Hortonworks HDP 2.6.4.0-91 for specific locations. If you are using something else, you just need to change the path of the war and html file.

Zeppelin serves the login popup from /usr/hdp/2.6.4.0-91/zeppelin/webapps/webapp/components/login/login.html
It is possible to just change that file, but every time the Zeppelin service is restarted, the Zeppelin war is unpacked and login.html is overwritten.

We will alter the login.html copy inside the war file. This will have to be redone every time Zeppelin is upgraded (such as a new HDP release), but not during normal operations.

#http://awcoleman.blogspot.com/2018/05/apache-zeppelin-login-banner.html
#Find the Zeppelin war and record the owner and permissions
ls -lah /usr/hdp/2.6.4.0-91/zeppelin/lib/zeppelin-web-0.7.3.2.6.4.0-91.war
#Make a backup copy
cp -p /usr/hdp/2.6.4.0-91/zeppelin/lib/zeppelin-web-0.7.3.2.6.4.0-91.war ~/zeppelin-web-0.7.3.2.6.4.0-91.war.$(date +'%Y%m%d.%H%M').bak
#Unpack and change the login.html file. Work in a private scratch directory instead of a fixed path under the shared /tmp, since the file is later read by sudo zip
cd "$(mktemp -d)"
unzip /usr/hdp/2.6.4.0-91/zeppelin/lib/zeppelin-web-0.7.3.2.6.4.0-91.war components/login/login.html
#Put your banner message in a variable. Can be normal text or html.
export BANNERMSG="<big>UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.</big> You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
#Change and repack (the zip warning "Local Entry CRC does not match CD" is OK). The message must not contain | or & because sed treats them specially here
sed -i "s|ng-model=\"loginParams.password\">|& <label> ${BANNERMSG} </label>|" components/login/login.html
sudo zip --update /usr/hdp/2.6.4.0-91/zeppelin/lib/zeppelin-web-0.7.3.2.6.4.0-91.war components/login/login.html
#Restore the owner and permissions recorded above (zeppelin:zeppelin and 755 here; use what ls showed on your system)
sudo chown zeppelin:zeppelin /usr/hdp/2.6.4.0-91/zeppelin/lib/zeppelin-web-0.7.3.2.6.4.0-91.war
sudo chmod 755 /usr/hdp/2.6.4.0-91/zeppelin/lib/zeppelin-web-0.7.3.2.6.4.0-91.war
#Restart the Zeppelin service from the Ambari Web UI
#Can check after restart
less /usr/hdp/2.6.4.0-91/zeppelin/webapps/webapp/components/login/login.html
#Make sure to clear browser cache/restart browser if changes do not show

The result is a message that appears on the login popup.
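
The sed step above does nothing, without any error, if a new Zeppelin release changes the password input line, it breaks if the message contains | or &, and it adds a second banner if the patched war is processed again. The following is an added example, not part of the original instructions, that wraps the same sed substitution with those three checks. The id="login-banner" attribute and the function names are assumptions made for this example, and the message is assumed to be a single line.

```shell
#!/bin/sh
# Added example: checked, repeatable version of the banner insert.
ANCHOR='ng-model="loginParams.password">'  # same anchor the sed command above matches
MARKER='id="login-banner"'                 # hypothetical id, used to detect an earlier insert

# Escape the characters that are special in a sed replacement delimited by "|".
escape_repl() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# insert_banner FILE MESSAGE   (MESSAGE: one line of text or html)
# returns 0 = banner inserted
#         1 = anchor not found, file left untouched (login.html layout changed?)
#         2 = banner already present, file left untouched
#         3 = temporary file or sed failure
insert_banner() {
    file=$1
    msg=$(escape_repl "$2")
    if grep -qF "$MARKER" "$file"; then return 2; fi
    if ! grep -qF "$ANCHOR" "$file"; then return 1; fi
    tmp=$(mktemp) || return 3
    if ! sed "s|ng-model=\"loginParams.password\">|& <label $MARKER> $msg </label>|" \
            "$file" > "$tmp"; then
        rm -f "$tmp"
        return 3
    fi
    cat "$tmp" > "$file"   # overwrite in place so owner and mode are kept
    rm -f "$tmp"
    return 0
}

# Demo on a constructed one-line stand-in for login.html: sh thisfile demo
demo() {
    sample=$(mktemp) || return 3
    printf '%s\n' '<input type="password" ng-model="loginParams.password">' > "$sample"
    insert_banner "$sample" 'Authorized use only | R&D systems'; echo "first run: $?"
    insert_banner "$sample" 'Authorized use only | R&D systems'; echo "second run: $?"
    cat "$sample"
    rm -f "$sample"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

In the procedure above, insert_banner would be called on components/login/login.html in place of the sed -i line, and the zip --update step run only when it returns 0.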

Saturday, February 24, 2018

Very quick Domain Controller Cert Auth for testing

I needed to test certain scenarios for a client against a Microsoft Active Directory Domain Controller and Intermediate Certificate Authority. The easiest way was to use Vagrant with the mwrock/Windows2012R2 box.

I wasn't able to automate the complete install, but did get it to a set of cut-and-paste lines.

Code is at https://github.com/awcoleman/vagrant_win_ad_dc_ca_test

Copy Vagrantfile into new directory
Follow directions in README.txt

The next iteration will probably use Ansible support for Windows (unfortunately there is no CA module).