Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

LogSearch - Roles allowed property

Labels (1)
Labels:
avatar
SaiEdara author-rank
Cloudera Employee

Created on ‎01-05-2017 02:41 PM

After defining cluster roles for the users and groups, LogSearch UI is not accessible with login failure message for individual users and groups.

Below was the error in logs -

logsearch-audit.json

{"level":"WARN","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-13","line_number":124,"log_message":"{\"principal\":\"sysair\",\"result\":\"denied\",\"reason\":\"Wrong password\",\"remote_ip\":\"192.168.0.201\",\"session\":\"1a52ertsmv7l31qpo3gl3hdsyt\",\"auth_class\":\"org.springframework.security.authentication.UsernamePasswordAuthenticationToken\",\"user\":\"sysair\"}","logger_name":"org.apache.ambari.logsearch.audit","logtime":"1483536859578"}

logsearch.json

{"level":"INFO","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-14","line_number":66,"log_message":"Authenticating user:sysair, userDetail\u003dorg.springframework.security.authentication.UsernamePasswordAuthenticationToken@b48163fb: Principal: sysair; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 192.168.0.201; SessionId: b5kjfqmlkindi15hrchp9v9r; Not granted any authorities","logger_name":"org.apache.ambari.logsearch.web.security.LogsearchAuthenticationProvider","logtime":"1483536571357"}
{"level":"INFO","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-14","line_number":74,"log_message":"authentication.class\u003dorg.springframework.security.authentication.UsernamePasswordAuthenticationToken","logger_name":"org.apache.ambari.logsearch.web.security.LogsearchAuthenticationProvider","logtime":"1483536571357"}
{"level":"ERROR","file":"LogsearchFileAuthenticationProvider.java","thread_name":"qtp1464642111-14","line_number":81,"log_message":"Wrong password for user\u003dsysair","logger_name":"org.apache.ambari.logsearch.web.security.LogsearchFileAuthenticationProvider","logtime":"1483536571357"}

By default AMBARI.ADMINISTRATOR (logsearch.roles.allowed) role is used for LogSearch users (with external ambari server authentication).

Workaround - Add following attribute and comma separated values in logsearch configuration under custom logsearch.properties

Attribute: logsearch.roles.allowed

Possible Values: CLUSTER.ADMINISTRATOR, CLUSTER.OPERATOR, SERVICE.ADMINISTRATOR, SERVICE.OPERATOR, CLUSTER.USER

1,814 Views
0 Kudos
Comments

Re: LogSearch - Roles allowed property

avatar
author-rank vladislav_falfu
Expert Contributor

Created on ‎03-27-2017 10:27 AM

Tried to configure external auth for logsearch, but still receive the same error as you specified.

I added needed values to logsearch.properties:

# Custom properties
logsearch.auth.external_auth.enabled=true
logsearch.auth.external_auth.host_url=https://my-auth-node.com:8443
logsearch.roles.allowed=CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR,SERVICE.ADMINISTRATOR,SERVICE.OPERATOR,CLUSTER.USER,AMBARI.ADMINISTRATOR

I can successfully login with local ambari user.

Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎01-05-2017 02:41 PM
Updated by:
Cloudera Employee
Contributors