question Re: HUE SAML error after upgrade to CDP 7.1.6 in Support Questions

HUE SAML error after upgrade to CDP 7.1.6

ebeb — Wed, 26 May 2021 23:27:47 GMT

Hello,

After we upgraded from CDH 5.15 to CDP 7.1.6 runtime. The HUE SAML login got broken. It gives an error below. Any ideas?

ValueError at /saml2/login/
Could not deserialize key data.
Request Method: GET
Request URL: http://xxxxx.com:8889/saml2/login/?next=/
Django Version: 1.11.29
Exception Type: ValueError
Exception Value:
Could not deserialize key data.
Exception Location: /opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/build/env/lib/python2.7/site-packages/cryptography-2.9-py2.7-linux-x86_64.egg/cryptography/hazmat/backends/openssl/backend.py in _handle_key_loading_error, line 1382
Python Executable: /opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/build/env/bin/python2.7
Python Version: 2.7.5
Python Path:
['/opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/desktop/libs/libsaml/attribute-maps',

Re: HUE SAML error after upgrade to CDP 7.1.6

ebeb — Thu, 27 May 2021 17:28:08 GMT

Some more progress:
It appears CDP 7.1.6 we need to create the unencrypted dummy key file as below.
To create an unencrypted private key file from an encrypted key we have to run:
openssl rsa -in ssl_certificate.key -out ssl_certificate-nocrypt.key
The output file (ssl_certificate-nocrypt.key) is an unencrypted PEM-formatted key that is used for the parameter key_file=/opt/cloudera/security/saml/ssl_certificate-nocrypt.key

Now this error is gone: Could not deserialize key data.
But we are getting different error below:

AttributeError at /saml2/acs/
'NoneType' object has no attribute 'strip'
Request Method: POST
Request URL: http://xxxx.com:8889/saml2/acs/
Django Version: 1.11.29
Exception Type: AttributeError
Exception Value:
'NoneType' object has no attribute 'strip'
Exception Location: /opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.9.0-py2.7.egg/saml2/response.py in for_me, line 212
Python Executable: /opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/build/env/bin/python2.7
Python Version: 2.7.5
Python Path:
['/opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/desktop/libs/libsaml/attribute-maps',

-------------------------------------------------
Below is the python code in line 212 which errors out:

202 def for_me(conditions, myself):
203 """ Am I among the intended audiences """
204
205 if not conditions.audience_restriction: # No audience restriction
206 return True
207
208 for restriction in conditions.audience_restriction:
209 if not restriction.audience:
210 continue
211 for audience in restriction.audience:
212 if audience.text.strip() == myself:
213 return True
214 else:
215 # print("Not for me: %s != %s" % (audience.text.strip(),
216 # myself))
217 pass
218
219 return False

Re: HUE SAML error after upgrade to CDP 7.1.6

Bender — Mon, 07 Jun 2021 10:15:53 GMT

Hello @ebeb ,

please see the documentation on "Configuring SAML authentication on managed clusters". Please let us know if following the steps there resolved your issue!

Kind regards:

Ferenc

Re: HUE SAML error after upgrade to CDP 7.1.6

darrenrabbs — Thu, 17 Jun 2021 12:20:43 GMT

Hi Ferenc,

We are seeing a similiar issue occur in our latest deployment to AWS EMR 5.33 clusters.

Previously we had no issue with HUE same on EMR5.29 clusters. However when we attempt to use cloudera 4.9 which comes packages with this version of EMR, we are seeing similiar exceptions once we enable HUE SAML.

Please see the defect i logged for more details -

https://github.com/cloudera/hue/issues/2137

Any suggestions on how to resolve. These exceptions are all appearing in the HUE virtual environment but this looks very similiar to the original exception reported here,

appreciate any direction or help you can give as this is a blocker for us continuing with HUE at the moment,

Thanks
Darren

Re: HUE SAML error after upgrade to CDP 7.1.6

ebeb — Thu, 17 Jun 2021 14:03:14 GMT

Darren,

This got resolved with the help of Cloudera Support engineer. There were couple of issues. First the IDP and SP entity_id should be different values. Next there is a SAML property that needs to be set by the IDP which is <saml:AudienceRestriction><saml:Audience /></saml:AudienceRestriction></saml:Conditions>

After setting the Audience property to the entity_id of the SP the error went away and HUE SAML is working again.

See below error before setting Audience property:

response DEBUG conditions: <?xml version='1.0' encoding='UTF-8'?>

<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2021-06-02T16:02:45.573Z" NotOnOrAfter="2021-06-02T17:02:45.573Z"><saml:AudienceRestriction><saml:Audience /></saml:AudienceRestriction></saml:Conditions>

[02/Jun/2021 09:02:45 -0700] client_base ERROR XML parse error: 'NoneType' object has no attribute 'strip'

[02/Jun/2021 09:02:45 -0700] middleware INFO Processing exception: 'NoneType' object has no attribute 'strip': Traceback (most recent call last):

File "/opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/build/env/lib/python2.7/site-packages/Django-1.11.29-py2.7.egg/django/core/handlers/base.py", line 185, in _get_response

This looks like a breaking change from CDH 5.15 HUE saml to CDP 7.1.6 as we never set the Audience value in CDH 5.x in IDP before.

Re: HUE SAML error after upgrade to CDP 7.1.6

cjervis — Thu, 17 Jun 2021 13:57:55 GMT

I'm happy to see you resolved your issue. Please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.

Re: HUE SAML error after upgrade to CDP 7.1.6

darrenrabbs — Fri, 18 Jun 2021 16:31:03 GMT

Hi ,

Thanks for the response. It turns out my issue is slightly different. I have been able to unblock myself by creating a new pem key and cert file using openssl.

Thanks for you help, please don't keep the issue open on my part,

Best regards
Darren