Cloudera Employee

After defining cluster roles for users and groups, the LogSearch UI is not accessible: individual users and groups get a login failure message.

The logs showed the following errors:

logsearch-audit.json

{"level":"WARN","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-13","line_number":124,"log_message":"{\"principal\":\"sysair\",\"result\":\"denied\",\"reason\":\"Wrong password\",\"remote_ip\":\"192.168.0.201\",\"session\":\"1a52ertsmv7l31qpo3gl3hdsyt\",\"auth_class\":\"org.springframework.security.authentication.UsernamePasswordAuthenticationToken\",\"user\":\"sysair\"}","logger_name":"org.apache.ambari.logsearch.audit","logtime":"1483536859578"}

logsearch.json

{"level":"INFO","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-14","line_number":66,"log_message":"Authenticating user:sysair, userDetail\u003dorg.springframework.security.authentication.UsernamePasswordAuthenticationToken@b48163fb: Principal: sysair; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 192.168.0.201; SessionId: b5kjfqmlkindi15hrchp9v9r; Not granted any authorities","logger_name":"org.apache.ambari.logsearch.web.security.LogsearchAuthenticationProvider","logtime":"1483536571357"}
{"level":"INFO","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-14","line_number":74,"log_message":"authentication.class\u003dorg.springframework.security.authentication.UsernamePasswordAuthenticationToken","logger_name":"org.apache.ambari.logsearch.web.security.LogsearchAuthenticationProvider","logtime":"1483536571357"}
{"level":"ERROR","file":"LogsearchFileAuthenticationProvider.java","thread_name":"qtp1464642111-14","line_number":81,"log_message":"Wrong password for user\u003dsysair","logger_name":"org.apache.ambari.logsearch.web.security.LogsearchFileAuthenticationProvider","logtime":"1483536571357"}

By default, the AMBARI.ADMINISTRATOR role (logsearch.roles.allowed) is used for LogSearch users (with external Ambari server authentication).

Workaround: add the following attribute, with comma-separated values, to the LogSearch configuration under custom logsearch.properties.

Attribute: logsearch.roles.allowed

Possible Values: CLUSTER.ADMINISTRATOR, CLUSTER.OPERATOR, SERVICE.ADMINISTRATOR, SERVICE.OPERATOR, CLUSTER.USER
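
To see which accounts are being rejected and why, the logsearch-audit.json entries shown above can be summarized with a short script. This is an added example, not part of the original article or of Ambari's code; the first sample line is the audit entry quoted above, the other two are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Line 1 is the audit entry quoted in the article. Lines 2 and 3 are
# constructed for this example (a repeat denial and a non-audit message).
SAMPLE_AUDIT = r'''
{"level":"WARN","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-13","line_number":124,"log_message":"{\"principal\":\"sysair\",\"result\":\"denied\",\"reason\":\"Wrong password\",\"remote_ip\":\"192.168.0.201\",\"session\":\"1a52ertsmv7l31qpo3gl3hdsyt\",\"auth_class\":\"org.springframework.security.authentication.UsernamePasswordAuthenticationToken\",\"user\":\"sysair\"}","logger_name":"org.apache.ambari.logsearch.audit","logtime":"1483536859578"}
{"level":"WARN","log_message":"{\"principal\":\"sysair\",\"result\":\"denied\",\"reason\":\"Wrong password\",\"remote_ip\":\"192.168.0.201\",\"user\":\"sysair\"}","logger_name":"org.apache.ambari.logsearch.audit","logtime":"1483536919578"}
{"level":"INFO","log_message":"constructed line without a JSON payload","logger_name":"org.apache.ambari.logsearch.audit","logtime":"1483536920000"}
'''


def parse_denials(text):
    """Yield (utc_time, principal, reason, remote_ip) for each denied login."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            outer = json.loads(line)
            # log_message is itself a JSON document stored as a string
            inner = json.loads(outer["log_message"])
            # logtime is epoch milliseconds stored as a string
            when = datetime.fromtimestamp(int(outer["logtime"]) / 1000,
                                          tz=timezone.utc)
        except (ValueError, KeyError, TypeError):
            continue  # not an audit event in the expected shape
        if not isinstance(inner, dict) or inner.get("result") != "denied":
            continue
        yield (when, inner.get("principal"), inner.get("reason"),
               inner.get("remote_ip"))


def summarize(text):
    """Count denials per (principal, reason, remote_ip)."""
    return Counter((p, r, ip) for _, p, r, ip in parse_denials(text))


if __name__ == "__main__":
    for (principal, reason, ip), n in summarize(SAMPLE_AUDIT).most_common():
        print(f"{n:3d}  {principal:<12} {reason:<20} {ip}")
```

Repeated "Wrong password" denials for a user whose password is known to be correct in Ambari point to the role restriction described above rather than to a credential problem.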

Comments
Expert Contributor

Tried to configure external auth for logsearch, but still receive the same error as you specified.

I added the needed values to logsearch.properties:

# Custom properties
logsearch.auth.external_auth.enabled=true
logsearch.auth.external_auth.host_url=https://my-auth-node.com:8443
logsearch.roles.allowed=CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR,SERVICE.ADMINISTRATOR,SERVICE.OPERATOR,CLUSTER.USER,AMBARI.ADMINISTRATOR

I can successfully log in with a local Ambari user.