Created on 01-05-2017 02:41 PM
After defining cluster roles for the users and groups, the LogSearch UI is not accessible and shows a login failure message for individual users and groups.
Below was the error in logs -
logsearch-audit.json
{"level":"WARN","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-13","line_number":124,"log_message":"{\"principal\":\"sysair\",\"result\":\"denied\",\"reason\":\"Wrong password\",\"remote_ip\":\"192.168.0.201\",\"session\":\"1a52ertsmv7l31qpo3gl3hdsyt\",\"auth_class\":\"org.springframework.security.authentication.UsernamePasswordAuthenticationToken\",\"user\":\"sysair\"}","logger_name":"org.apache.ambari.logsearch.audit","logtime":"1483536859578"}
logsearch.json
{"level":"INFO","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-14","line_number":66,"log_message":"Authenticating user:sysair, userDetail\u003dorg.springframework.security.authentication.UsernamePasswordAuthenticationToken@b48163fb: Principal: sysair; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 192.168.0.201; SessionId: b5kjfqmlkindi15hrchp9v9r; Not granted any authorities","logger_name":"org.apache.ambari.logsearch.web.security.LogsearchAuthenticationProvider","logtime":"1483536571357"}
{"level":"INFO","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-14","line_number":74,"log_message":"authentication.class\u003dorg.springframework.security.authentication.UsernamePasswordAuthenticationToken","logger_name":"org.apache.ambari.logsearch.web.security.LogsearchAuthenticationProvider","logtime":"1483536571357"}
{"level":"ERROR","file":"LogsearchFileAuthenticationProvider.java","thread_name":"qtp1464642111-14","line_number":81,"log_message":"Wrong password for user\u003dsysair","logger_name":"org.apache.ambari.logsearch.web.security.LogsearchFileAuthenticationProvider","logtime":"1483536571357"}
By default, the AMBARI.ADMINISTRATOR role (logsearch.roles.allowed) is used for LogSearch users (with external Ambari server authentication).
Workaround - Add the following attribute and comma-separated values in the logsearch configuration under custom logsearch.properties
Attribute: logsearch.roles.allowed
Possible Values: CLUSTER.ADMINISTRATOR, CLUSTER.OPERATOR, SERVICE.ADMINISTRATOR, SERVICE.OPERATOR, CLUSTER.USER
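A sketch for triaging these denials from logsearch-audit.json, added here as an example and not part of the original post or of Ambari's own code: the audit entry's log_message is itself a JSON string, so it needs a second decode before the principal, reason and remote_ip can be read. The sample lines are constructed in the shape of the entry quoted above, and the function names are hypothetical.

```python
import json
from collections import Counter
from datetime import datetime, timezone

AUDIT_LOGGER = "org.apache.ambari.logsearch.audit"

def _line(principal, ip):
    """Build one constructed audit line shaped like the entry quoted in the post."""
    msg = json.dumps({"principal": principal, "result": "denied",
                      "reason": "Wrong password", "remote_ip": ip, "user": principal})
    return json.dumps({"level": "WARN", "log_message": msg,
                       "logger_name": AUDIT_LOGGER, "logtime": "1483536859578"})

# Constructed sample: three audit denials, one truncated line, one non-audit line.
SAMPLE_AUDIT = "\n".join([
    _line("user_a", "192.0.2.10"),
    _line("user_a", "192.0.2.10"),
    _line("user_b", "192.0.2.11"),
    '{"level":"WARN","log_mess',
    json.dumps({"level": "ERROR", "log_message": "Wrong password for user=user_a",
                "logger_name": "org.apache.ambari.logsearch.web.security."
                               "LogsearchFileAuthenticationProvider",
                "logtime": "1483536571357"}),
])

def parse_audit_lines(text):
    """Yield decoded audit events; skip truncated, non-JSON and non-audit lines."""
    for line in text.splitlines():
        try:
            outer = json.loads(line)
            if outer.get("logger_name") != AUDIT_LOGGER:
                continue
            event = json.loads(outer["log_message"])  # nested JSON: second decode
            when = datetime.fromtimestamp(int(outer["logtime"]) / 1000, tz=timezone.utc)
        except (ValueError, KeyError, TypeError, AttributeError):
            continue
        if isinstance(event, dict):
            event["time"] = when.isoformat()  # logtime is epoch milliseconds
            yield event

def denied_summary(text):
    """Count denied logins per (principal, reason, remote_ip)."""
    return Counter((e.get("principal"), e.get("reason"), e.get("remote_ip"))
                   for e in parse_audit_lines(text) if e.get("result") == "denied")

if __name__ == "__main__":
    for key, count in denied_summary(SAMPLE_AUDIT).most_common():
        print(count, key)
```
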
Created on 03-27-2017 10:27 AM
Tried to configure external auth for logsearch, but still receive the same error as you specified.
I added the needed values to logsearch.properties:
# Custom properties
logsearch.auth.external_auth.enabled=true
logsearch.auth.external_auth.host_url=https://my-auth-node.com:8443
logsearch.roles.allowed=CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR,SERVICE.ADMINISTRATOR,SERVICE.OPERATOR,CLUSTER.USER,AMBARI.ADMINISTRATOR
I can successfully log in with a local Ambari user.