question Zeppelin AD users not binded to groups in Archives of Support Questions (Read Only)

Zeppelin AD users not binded to groups

frank93 — Mon, 05 Sep 2016 20:21:39 GMT

Hi,

I am using HDP 2.3.0 with Zeppelin 0.6.0. I configured LDAP/AD for users and groups. I can successfully login as AD user, but when I create role for my AD group in shiro.ini, then set permissions to the notebook only to this AD group I cannot be authorized (no roles (groups) binded to my user). Please check my configs below.

ZeppelinUser10 belongs to both AD groups - ZeppelinGroup1 and ZeppelinGroup2

shiro.ini

[main]
### A sample for configuring Active Directory Realm
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = CN=ZeppelinUser1,OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
activeDirectoryRealm.systemPassword = mypass
activeDirectoryRealm.searchBase = OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
activeDirectoryRealm.url = ldap://myldap.com:389
activeDirectoryRealm.groupRolesMap = "CN=ZeppelinGroup1,OU=Groups,OU=Zeppelin,DC=MYAD,DC=COM":"ZeppelinGroup1","CN=ZeppelinGroup2,OU=Groups,OU=Zeppelin,DC=MYAD,DC=COM":"ZeppelinGroup2"
activeDirectoryRealm.authorizationCachingEnabled = true

### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
ldapRealm.contextFactory.url = ldap://myldap.com:389
ldapRealm.userDnTemCOMate = cn={0},OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
ldapRealm.contextFactory.authenticationMechanism = SIMPLE

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
role1 = *
role2 = *
role3 = *
ZeppelinGroup1 = *
ZeppelinGroup2 = *

log

ERROR [2016-09-05 15:07:02,069] ({qtp1029098726-16} LdapGroupRealm.java[getRoleNamesForUser]:89) - Error
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'OU=Users,OU=Zeppelin,DC=MYAD,DC=COM'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3127)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1789)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
        at org.apache.zeppelin.server.LdapGroupRealm.getRoleNamesForUser(LdapGroupRealm.java:67)
        at org.apache.zeppelin.server.LdapGroupRealm.queryForAuthorizationInfo(LdapGroupRealm.java:50)
        at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthorizationInfo(JndiLdapRealm.java:313)
        at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341)
        at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:571)
        at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:374)
        at org.apache.shiro.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:153)
        at org.apache.shiro.subject.support.DelegatingSubject.hasRole(DelegatingSubject.java:224)
        at org.apache.zeppelin.utils.SecurityUtils.getRoles(SecurityUtils.java:113)
        at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:78)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:100)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
        at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
        at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
        at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
        at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
        at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
WARN [2016-09-05 15:07:02,076] ({qtp1029098726-16} LoginRestApi.java[postLogin]:112) - {"status":"OK","message":"","body":{"principal":"ZeppelinUser10","ticket":"753601d0-5958-4092-bf32-1f5b84b6a8f1","roles":"[]"}}

Re: Zeppelin AD users not binded to groups

frank93 — Mon, 05 Sep 2016 22:07:44 GMT

and every 10 seconds I got this error in log:

ERROR [2016-09-05 17:07:16,486] ({qtp1029098726-14} NotebookServer.java[onMessage]:211) - Can't handle message
java.lang.Exception: Invalid ticket 8f240ec6-33f2-485e-a9e5-21f88b885b9f != 580fd7ff-0457-4f6b-9796-e796b928af4d
        at org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:117)
        at org.apache.zeppelin.socket.NotebookSocket.onWebSocketText(NotebookSocket.java:56)
        at org.eclipse.jetty.websocket.common.events.JettyListenerEventDriver.onTextMessage(JettyListenerEventDriver.java:128)
        at org.eclipse.jetty.websocket.common.message.SimpleTextMessage.messageComplete(SimpleTextMessage.java:69)
        at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.appendMessage(AbstractEventDriver.java:65)
        at org.eclipse.jetty.websocket.common.events.JettyListenerEventDriver.onTextFrame(JettyListenerEventDriver.java:122)
        at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.incomingFrame(AbstractEventDriver.java:161)
        at org.eclipse.jetty.websocket.common.WebSocketSession.incomingFrame(WebSocketSession.java:309)
        at org.eclipse.jetty.websocket.common.extensions.ExtensionStack.incomingFrame(ExtensionStack.java:214)
        at org.eclipse.jetty.websocket.common.Parser.notifyFrame(Parser.java:220)
        at org.eclipse.jetty.websocket.common.Parser.parse(Parser.java:258)
        at org.eclipse.jetty.websocket.common.io.AbstractWebSocketConnection.readParse(AbstractWebSocketConnection.java:632)
        at org.eclipse.jetty.websocket.common.io.AbstractWebSocketConnection.onFillable(AbstractWebSocketConnection.java:480)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)

Re: Zeppelin AD users not binded to groups

prabhjyot_singh — Tue, 06 Sep 2016 14:11:40 GMT

@Edgar Daeds instead of using both activeDirectoryRealm and ldapRealm can you user one. In this case it looks like you may want to authenticate to a AD server, hence just use activeDirectoryRealm and comment out the other ldapRealm*. and then check.

Re: Zeppelin AD users not binded to groups

frank93 — Tue, 06 Sep 2016 14:20:32 GMT

@prabhjyot singh thanks for the answer but nothing happens when I commented out all ldapRealm*. I stil receive that user has no roles (does not belong to group).

WARN [2016-09-06 09:20:19,042] ({qtp1029098726-16} LoginRestApi.java[postLogin]:112) - {"status":"OK","message":"","body":{"principal":"ZeppelinUser10","ticket":"753601d0-5958-4092-bf32-1f5b84b6a8f1","roles":"[]"}}

Re: Zeppelin AD users not binded to groups

prabhjyot_singh — Tue, 06 Sep 2016 15:18:19 GMT

Could you try the same with ZeppelinUser10@`realm`, where the realm is the name that you would have used to setup AD, and if this works set this property in your shiro.ini

activeDirectoryRealm.principalSuffix = @realm

Re: Zeppelin AD users not binded to groups

frank93 — Tue, 06 Sep 2016 15:42:46 GMT

@prabhjyot singh

I can log in as user@myad.com but when I set "activeDirectoryRealm.principalSuffix = @myad.com" I cant log in ("LDAP Error 49 52e" and "LDAP naming error while attempting to retrieve authorization for user [ZeppelinUser10].")

Re: Zeppelin AD users not binded to groups

prabhjyot_singh — Tue, 06 Sep 2016 17:07:08 GMT

This error "Invalid ticket 8f240ec6-33f2-485e-a9e5-21f88b885b9f != 580fd7ff-0457-4f6b-9796-e796b928af4d" comes for various reasons, but one of the most common being a one of you browser tab is still active after zeppelin-server restart.

Re: Zeppelin AD users not binded to groups

xfox — Fri, 14 Oct 2016 23:25:12 GMT

here is my working config

activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm activeDirectoryRealm.systemUsername = <ldap_binding_user> (just username without @domain.com) activeDirectoryRealm.systemPassword = <ldap_binding_password> activeDirectoryRealm.searchBase = OU=GROUP,DC=DOMAIN,DC=COM activeDirectoryRealm.url = ldap://ldap.domain.com:389 activeDirectoryRealm.groupRolesMap = "CN=group,DC=domain,DC=com":"admin activeDirectoryRealm.authorizationCachingEnabled = true activeDirectoryRealm.principalSuffix = @domain.com securityManager.realms = $activeDirectoryRealm sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login

Re: Zeppelin AD users not binded to groups

keager — Wed, 15 Feb 2017 05:56:04 GMT

I've noticed that it only works if last node is CN (security group) not OU (container)

Re: Zeppelin AD users not binded to groups

apoorv2811 — Wed, 08 Mar 2017 17:56:20 GMT

We are experiencing the same issue with Zeppelin 0.7 as well. Could this be somehow related to Enterprise AD?

Can we achieve this type of authorization using LDAP authentication?

Re: Zeppelin AD users not binded to groups

apoorv2811 — Tue, 14 Mar 2017 01:07:43 GMT

@Edgar Daeds: Hi Edgar, are you able to find any solution for this issue?

Re: Zeppelin AD users not binded to groups

frank93 — Wed, 22 Mar 2017 18:06:46 GMT

@Apoorv Pathak Hi, yes it is working now. I used config posted above by Roman Glova.

Re: Zeppelin AD users not binded to groups

apoorv2811 — Thu, 23 Mar 2017 22:02:28 GMT

Hi @Edgar Daeds: Thanks for the response. But I am unable to see any comment from Roman. Could you please paste the comment again.

Re: Zeppelin AD users not binded to groups

btandel — Mon, 03 Apr 2017 14:57:34 GMT

Hey @Apoorv Pathak Its in the best answer thread, just click on show more comments

Re: Zeppelin AD users not binded to groups

StewartThomasJ1 — Tue, 25 Apr 2017 23:21:44 GMT

I cannot get my Zeppelin shiro to map my group on HDP2.6. I used a config like shown here, but I always get "roles":"[]". Are you guys using any particular attribute in Active Directory for which groups a user is part of? We use "memberOf", and in some other definitions, such as Knox Gateway we have to configure which attribute is the group list. I am curious if Zeppelin/Shiro might be hard-coding that attribute and if that is why I can't get my users mapped to groups.

Re: Zeppelin AD users not binded to groups

frank93 — Thu, 11 May 2017 17:02:41 GMT

@Tom Stewart

Did you define the group names in the [roles] section?

Re: Zeppelin AD users not binded to groups

noep — Sat, 25 Nov 2017 04:04:39 GMT

This issue is reported in jira ticket

https://issues.apache.org/jira/browse/ZEPPELIN-2810 and

https://issues.apache.org/jira/browse/ZEPPELIN-2640

and some developer sent a PR for this

https://github.com/apache/zeppelin/pull/2405

this issue will be fixed in zeppelin v0.8.0 but not released now

how about wait for next release or build it yourself?

or use ldapRealm?