zeppelin-commits mailing list archives

From ahyoung...@apache.org
Subject svn commit: r1776596 - /zeppelin/site/docs/0.7.0-SNAPSHOT/install/install.html
Date Fri, 30 Dec 2016 15:57:50 GMT
Author: ahyoungryu
Date: Fri Dec 30 15:57:50 2016
New Revision: 1776596

URL: http://svn.apache.org/viewvc?rev=1776596&view=rev
Log: (empty)

Modified:
    zeppelin/site/docs/0.7.0-SNAPSHOT/install/install.html

Modified: zeppelin/site/docs/0.7.0-SNAPSHOT/install/install.html
URL: http://svn.apache.org/viewvc/zeppelin/site/docs/0.7.0-SNAPSHOT/install/install.html?rev=1776596&r1=1776595&r2=1776596&view=diff
==============================================================================
--- zeppelin/site/docs/0.7.0-SNAPSHOT/install/install.html (original)
+++ zeppelin/site/docs/0.7.0-SNAPSHOT/install/install.html Fri Dec 30 15:57:50 2016
@@ -243,9 +243,9 @@ limitations under the License.
 <p>Unpack and follow <a href="../manual/interpreterinstallation.html">install
additional interpreters</a> to install interpreters. If you&#39;re unsure, just
run <code>./bin/install-interpreter.sh --all</code> and install all interpreters.</p></li>
 </ul>
 
-<h2>Starting Apache Zeppelin from the Command Line</h2>
+<h2>Starting Apache Zeppelin</h2>
 
-<h4>Starting Apache Zeppelin</h4>
+<h4>Starting Apache Zeppelin from the Command Line</h4>
 
 <p>On all unix like platforms:</p>
 <div class="highlight"><pre><code class="text language-text" data-lang="text">bin/zeppelin-daemon.sh
start
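Review bot: the renamed headings at the top of this hunk leave an h2 ("Starting Apache Zeppelin") followed directly by an h4 ("Starting Apache Zeppelin from the Command Line"), skipping h3. Unless the site stylesheet depends on h4 here, use h3 for the subsections under the new h2 so the page outline stays sequential; "Stopping Zeppelin" and the service-manager subsection added in the next hunk would take the same level.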
@@ -258,6 +258,40 @@ limitations under the License.
 <h4>Stopping Zeppelin</h4>
 <div class="highlight"><pre><code class="text language-text" data-lang="text">bin/zeppelin-daemon.sh
stop
 </code></pre></div>
+<h4>Start Apache Zeppelin with a service manager</h4>
+
+<blockquote>
+<p><strong>Note :</strong> The below description was written based on Ubuntu
Linux.</p>
+</blockquote>
+
+<p>Apache Zeppelin can be auto-started as a service with an init script, using a service
manager like <strong>upstart</strong>.</p>
+
+<p>This is an example upstart script saved as <code>/etc/init/zeppelin.conf</code>
+This allows the service to be managed with commands such as</p>
+<div class="highlight"><pre><code class="text language-text" data-lang="text">sudo
service zeppelin start  
+sudo service zeppelin stop  
+sudo service zeppelin restart
+</code></pre></div>
+<p>Other service managers could use a similar approach with the <code>upstart</code>
argument passed to the <code>zeppelin-daemon.sh</code> script.</p>
+<div class="highlight"><pre><code class="text language-text" data-lang="text">bin/zeppelin-daemon.sh
upstart
+</code></pre></div>
+<p><strong>zeppelin.conf</strong></p>
+<div class="highlight"><pre><code class="text language-text" data-lang="text">description
&quot;zeppelin&quot;
+
+start on (local-filesystems and net-device-up IFACE!=lo)
+stop on shutdown
+
+# Respawn the process on unexpected termination
+respawn
+
+# respawn the job up to 7 times within a 5 second period.
+# If the job exceeds these values, it will be stopped and marked as failed.
+respawn limit 7 5
+
+# zeppelin was installed in /usr/share/zeppelin in this example
+chdir /usr/share/zeppelin
+exec bin/zeppelin-daemon.sh upstart
+</code></pre></div>
 <h2>Next Steps</h2>
 
 <p>Congratulations, you have successfully installed Apache Zeppelin! Here are few steps
you might find useful:</p>
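Review bot: the zeppelin.conf job at the end of the added section has no setuid or setgid stanza, so a system job installed as /etc/init/zeppelin.conf runs "exec bin/zeppelin-daemon.sh upstart" as root. A notebook server should not run with root privileges; add a stanza such as "setuid zeppelin" (a dedicated service account, the name is only an example) before the exec line and state that the install directory must be owned by that account. Separately, the sentence "This is an example upstart script saved as /etc/init/zeppelin.conf" has no full stop before "This allows" and the script it announces only appears three blocks later; move the zeppelin.conf block directly after that sentence.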
@@ -304,6 +338,10 @@ limitations under the License.
 <li>If you&#39;re using previous version please see <a href="./upgrade.html">Upgrade
Zeppelin version</a>.</li>
 </ul>
 
+<h2>Building Apache Zeppelin from Source</h2>
+
+<p>If you want to build from source instead of using binary package, follow the instructions
<a href="./build.html">here</a>.</p>
+
 <h2>Apache Zeppelin Configuration</h2>
 
 <p>You can configure Apache Zeppelin with either <strong>environment variables</strong>
in <code>conf/zeppelin-env.sh</code> (<code>conf\zeppelin-env.cmd</code>
for Windows) or <strong>Java properties</strong> in <code>conf/zeppelin-site.xml</code>.
If both are defined, then the <strong>environment variables</strong> will take
priority.</p>
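Review bot: the added paragraph puts the link on the word "here", which says nothing about the target when the link is read out of context; link the descriptive phrase instead, for example "follow the build instructions". "instead of using binary package" also needs an article ("the binary package").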
@@ -533,43 +571,117 @@ limitations under the License.
   </tr>
 </table>
 
-<h4>Start Apache Zeppelin with a service manager</h4>
+<h2>Apache Zeppelin Configuration to enable SSL</h2>
 
-<blockquote>
-<p><strong>Note :</strong> The below description was written based on Ubuntu
Linux.</p>
-</blockquote>
+<p>Enabling SSL requires a few configuration changes. First you need to create certificates
and then update necessary configurations to enable server side SSL and/or client side certificate
authentication.</p>
 
-<p>Apache Zeppelin can be auto-started as a service with an init script, using a service
manager like <strong>upstart</strong>.</p>
+<h4>Creating and configuring the Certificates</h4>
 
-<p>This is an example upstart script saved as <code>/etc/init/zeppelin.conf</code>
-This allows the service to be managed with commands such as</p>
-<div class="highlight"><pre><code class="text language-text" data-lang="text">sudo
service zeppelin start  
-sudo service zeppelin stop  
-sudo service zeppelin restart
+<p>Information how about to generate certificates and a keystore can be found <a
href="https://wiki.eclipse.org/Jetty/Howto/Configure_SSL">here</a>.</p>
+
+<p>A condensed example can be found in the top answer to this <a href="http://stackoverflow.com/questions/4008837/configure-ssl-on-jetty">StackOverflow
post</a>.</p>
+
+<p>The keystore holds the private key and certificate on the server end. The trustore
holds the trusted client certificates. Be sure that the path and password for these two stores
are correctly configured in the password fields below. They can be obfuscated using the Jetty
password tool. After Maven pulls in all the dependency to build Zeppelin, one of the Jetty
jars contain the Password tool. Invoke this command from the Zeppelin home build directory
with the appropriate version, user, and password.</p>
+<div class="highlight"><pre><code class="text language-text" data-lang="text">java
-cp ./zeppelin-server/target/lib/jetty-all-server-&lt;version&gt;.jar org.eclipse.jetty.util.security.Password
&lt;user&gt; &lt;password&gt;
 </code></pre></div>
-<p>Other service managers could use a similar approach with the <code>upstart</code>
argument passed to the <code>zeppelin-daemon.sh</code> script.</p>
-<div class="highlight"><pre><code class="text language-text" data-lang="text">bin/zeppelin-daemon.sh
upstart
+<p>If you are using a self-signed, a certificate signed by an untrusted CA, or if client
authentication is enabled, then the client must have a browser create exceptions for both
the normal HTTPS port and WebSocket port. This can by done by trying to establish an HTTPS
connection to both ports in a browser (i.e. if the ports are 443 and 8443, then visit https://127.0.0.1:443
and https://127.0.0.1:8443). This step can be skipped if the server certificate is signed
by a trusted CA and client auth is disabled.</p>
+
+<h4>Configuring server side SSL</h4>
+
+<p>The following properties needs to be updated in the <strong>zeppeling-site.xml</strong>
in order to enable server side SSL.</p>
+<div class="highlight"><pre><code class="text language-text" data-lang="text">&lt;property&gt;
+  &lt;name&gt;zeppelin.server.ssl.port&lt;/name&gt;
+  &lt;value&gt;8443&lt;/value&gt;
+  &lt;description&gt;Server ssl port. (used when ssl property is set to true)&lt;/description&gt;
+&lt;/property&gt;
+
+&lt;property&gt;
+  &lt;name&gt;zeppelin.ssl&lt;/name&gt;
+  &lt;value&gt;true&lt;/value&gt;
+  &lt;description&gt;Should SSL be used by the servers?&lt;/description&gt;
+&lt;/property&gt;
+
+&lt;property&gt;
+  &lt;name&gt;zeppelin.ssl.keystore.path&lt;/name&gt;
+  &lt;value&gt;keystore&lt;/value&gt;
+  &lt;description&gt;Path to keystore relative to Zeppelin configuration directory&lt;/description&gt;
+&lt;/property&gt;
+
+&lt;property&gt;
+  &lt;name&gt;zeppelin.ssl.keystore.type&lt;/name&gt;
+  &lt;value&gt;JKS&lt;/value&gt;
+  &lt;description&gt;The format of the given keystore (e.g. JKS or PKCS12)&lt;/description&gt;
+&lt;/property&gt;
+
+&lt;property&gt;
+  &lt;name&gt;zeppelin.ssl.keystore.password&lt;/name&gt;
+  &lt;value&gt;change me&lt;/value&gt;
+  &lt;description&gt;Keystore password. Can be obfuscated by the Jetty Password tool&lt;/description&gt;
+&lt;/property&gt;
+
+&lt;property&gt;
+  &lt;name&gt;zeppelin.ssl.key.manager.password&lt;/name&gt;
+  &lt;value&gt;change me&lt;/value&gt;
+  &lt;description&gt;Key Manager password. Defaults to keystore password. Can be
obfuscated.&lt;/description&gt;
+&lt;/property&gt;
 </code></pre></div>
-<p><strong>zeppelin.conf</strong></p>
-<div class="highlight"><pre><code class="text language-text" data-lang="text">description
&quot;zeppelin&quot;
+<h4>Enabling client side certificate authentication</h4>
 
-start on (local-filesystems and net-device-up IFACE!=lo)
-stop on shutdown
+<p>The following properties needs to be updated in the <strong>zeppeling-site.xml</strong>
in order to enable client side certificate authentication.</p>
+<div class="highlight"><pre><code class="text language-text" data-lang="text">&lt;property&gt;
+  &lt;name&gt;zeppelin.server.ssl.port&lt;/name&gt;
+  &lt;value&gt;8443&lt;/value&gt;
+  &lt;description&gt;Server ssl port. (used when ssl property is set to true)&lt;/description&gt;
+&lt;/property&gt;
+
+&lt;property&gt;
+  &lt;name&gt;zeppelin.ssl.client.auth&lt;/name&gt;
+  &lt;value&gt;true&lt;/value&gt;
+  &lt;description&gt;Should client authentication be used for SSL connections?&lt;/description&gt;
+&lt;/property&gt;
+
+&lt;property&gt;
+  &lt;name&gt;zeppelin.ssl.truststore.path&lt;/name&gt;
+  &lt;value&gt;truststore&lt;/value&gt;
+  &lt;description&gt;Path to truststore relative to Zeppelin configuration directory.
Defaults to the keystore path&lt;/description&gt;
+&lt;/property&gt;
+
+&lt;property&gt;
+  &lt;name&gt;zeppelin.ssl.truststore.type&lt;/name&gt;
+  &lt;value&gt;JKS&lt;/value&gt;
+  &lt;description&gt;The format of the given truststore (e.g. JKS or PKCS12). Defaults
to the same type as the keystore type&lt;/description&gt;
+&lt;/property&gt;
+
+&lt;property&gt;
+  &lt;name&gt;zeppelin.ssl.truststore.password&lt;/name&gt;
+  &lt;value&gt;change me&lt;/value&gt;
+  &lt;description&gt;Truststore password. Can be obfuscated by the Jetty Password
tool. Defaults to the keystore password&lt;/description&gt;
+&lt;/property&gt;
+</code></pre></div>
+<h4>Obfuscating Passwords using the Jetty Password Tool</h4>
 
-# Respawn the process on unexpected termination
-respawn
+<p>Security best practices advise to not use plain text passwords and Jetty provides
a password tool to help obfuscating the passwords used to access the KeyStore and TrustStore.</p>
 
-# respawn the job up to 7 times within a 5 second period.
-# If the job exceeds these values, it will be stopped and marked as failed.
-respawn limit 7 5
+<p>The Password tool documentation can be found <a href="http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html">here</a></p>
 
-# zeppelin was installed in /usr/share/zeppelin in this example
-chdir /usr/share/zeppelin
-exec bin/zeppelin-daemon.sh upstart
-</code></pre></div>
-<h2>Building from Source</h2>
+<p>After using the tool:</p>
+<div class="highlight"><pre><code class="text language-text" data-lang="text">java
-cp $ZEPPELIN_HOME/zeppelin-server/target/lib/jetty-util-9.2.15.v20160210.jar \
+         org.eclipse.jetty.util.security.Password  \
+         password
 
-<p>If you want to build from source instead of using binary package, follow the instructions
<a href="./build.html">here</a>.</p>
+2016-12-15 10:46:47.931:INFO::main: Logging initialized @101ms
+password
+OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
+MD5:5f4dcc3b5aa765d61d8327deb882cf99
+</code></pre></div>
+<p>update your configuration with the obfuscated password :</p>
+<div class="highlight"><pre><code class="text language-text" data-lang="text">&lt;property&gt;
+  &lt;name&gt;zeppelin.ssl.keystore.password&lt;/name&gt;
+  &lt;value&gt;OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v&lt;/value&gt;
+  &lt;description&gt;Keystore password. Can be obfuscated by the Jetty Password tool&lt;/description&gt;
+&lt;/property&gt;
+</code></pre></div>
+<p><strong>Note:</strong> After updating these configurations, Zeppelin
server needs to be restarted.</p>
 
   </div>
 </div>
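Review bot: the "Obfuscating Passwords using the Jetty Password Tool" subsection offers the OBF: value as the answer to "not use plain text passwords", but obfuscation is not encryption: the OBF: string can be turned back into the password by anyone who can read the configuration file. The text should say so and tell the reader to restrict read access to the site configuration file and to the keystore and truststore files to the account that runs Zeppelin. Other points in this hunk: both SSL paragraphs name the file "zeppeling-site.xml" while the existing text uses conf/zeppelin-site.xml, and "trustore" should be "truststore"; the two Password tool invocations disagree (jetty-all-server-&lt;version&gt;.jar with &lt;user&gt; &lt;password&gt; versus jetty-util-9.2.15.v20160210.jar with the password only), so pick one form and keep the &lt;version&gt; placeholder; the block introduced by "After using the tool:" shows the command as well as its output, so the lead-in should cover both; passing the password as a command-line argument leaves it in shell history, which deserves a sentence; and the browser-exception paragraph uses ports 443 and 8443 while the configuration below defines only zeppelin.server.ssl.port, so it is unclear which port is the WebSocket port.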


