Cloudera Employee

After defining cluster roles for the users and groups, the LogSearch UI is not accessible: login fails with an error message for individual users and groups.

The logs showed the following errors:

logsearch-audit.json

{"level":"WARN","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-13","line_number":124,"log_message":"{\"principal\":\"sysair\",\"result\":\"denied\",\"reason\":\"Wrong password\",\"remote_ip\":\"192.168.0.201\",\"session\":\"1a52ertsmv7l31qpo3gl3hdsyt\",\"auth_class\":\"org.springframework.security.authentication.UsernamePasswordAuthenticationToken\",\"user\":\"sysair\"}","logger_name":"org.apache.ambari.logsearch.audit","logtime":"1483536859578"}

logsearch.json

{"level":"INFO","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-14","line_number":66,"log_message":"Authenticating user:sysair, userDetail\u003dorg.springframework.security.authentication.UsernamePasswordAuthenticationToken@b48163fb: Principal: sysair; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 192.168.0.201; SessionId: b5kjfqmlkindi15hrchp9v9r; Not granted any authorities","logger_name":"org.apache.ambari.logsearch.web.security.LogsearchAuthenticationProvider","logtime":"1483536571357"}
{"level":"INFO","file":"LogsearchAuthenticationProvider.java","thread_name":"qtp1464642111-14","line_number":74,"log_message":"authentication.class\u003dorg.springframework.security.authentication.UsernamePasswordAuthenticationToken","logger_name":"org.apache.ambari.logsearch.web.security.LogsearchAuthenticationProvider","logtime":"1483536571357"}
{"level":"ERROR","file":"LogsearchFileAuthenticationProvider.java","thread_name":"qtp1464642111-14","line_number":81,"log_message":"Wrong password for user\u003dsysair","logger_name":"org.apache.ambari.logsearch.web.security.LogsearchFileAuthenticationProvider","logtime":"1483536571357"}

By default, the AMBARI.ADMINISTRATOR role (logsearch.roles.allowed) is used for LogSearch users when external Ambari server authentication is in use.

Workaround: add the following attribute, with comma-separated values, to the LogSearch configuration under custom logsearch.properties.

Attribute: logsearch.roles.allowed

Possible Values: CLUSTER.ADMINISTRATOR, CLUSTER.OPERATOR, SERVICE.ADMINISTRATOR, SERVICE.OPERATOR, CLUSTER.USER
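
To see which accounts are being denied and from which addresses, the audit entries can be summarised; note that log_message is a JSON string nested inside the JSON line and logtime is in epoch milliseconds. The following is an added example, not part of the original article or of Ambari: the sample lines are constructed in the shape of the logsearch-audit.json entry shown above, and the function names are hypothetical.

```python
import json
from collections import Counter
from datetime import datetime, timezone

AUDIT_LOGGER = "org.apache.ambari.logsearch.audit"


def _entry(principal, result, reason, ip, logtime):
    """Build one constructed audit line in the shape shown in the article."""
    inner = {"principal": principal, "result": result, "reason": reason,
             "remote_ip": ip, "user": principal}
    return json.dumps({"level": "WARN", "logger_name": AUDIT_LOGGER,
                       "log_message": json.dumps(inner), "logtime": str(logtime)})


# Constructed sample input (made-up users and addresses), plus one damaged line.
SAMPLE_AUDIT = "\n".join([
    _entry("sysair", "denied", "Wrong password", "192.168.0.201", 1483536859578),
    _entry("sysair", "denied", "Wrong password", "192.168.0.201", 1483536861002),
    _entry("opsuser", "denied", "Wrong password", "192.168.0.202", 1483536900000),
    '{"level":"WARN","log_message":"truncated',
])


def parse_audit(text):
    """Yield (utc_time, event_dict) for each well-formed audit entry."""
    for line in text.splitlines():
        try:
            outer = json.loads(line)
            if outer.get("logger_name") != AUDIT_LOGGER:
                continue
            event = json.loads(outer["log_message"])  # nested JSON string
            when = datetime.fromtimestamp(int(outer["logtime"]) / 1000, tz=timezone.utc)
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip blank, truncated or malformed lines
        if isinstance(event, dict):
            yield when, event


def denied_summary(text):
    """Count denied logins per (principal, remote_ip, reason)."""
    counts = Counter()
    for _, event in parse_audit(text):
        if event.get("result") == "denied":
            counts[(event.get("principal"), event.get("remote_ip"), event.get("reason"))] += 1
    return counts


if __name__ == "__main__":
    for (user, ip, reason), n in denied_summary(SAMPLE_AUDIT).most_common():
        print(f"{n:3d} denied  user={user} ip={ip} reason={reason}")
```

Running the same summary before and after changing logsearch.roles.allowed shows whether the denials for the affected users actually stop.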

Comments
Expert Contributor

I tried to configure external auth for LogSearch, but I still receive the same error as you specified.

I added the needed values to logsearch.properties:

# Custom properties
logsearch.auth.external_auth.enabled=true
logsearch.auth.external_auth.host_url=https://my-auth-node.com:8443
logsearch.roles.allowed=CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR,SERVICE.ADMINISTRATOR,SERVICE.OPERATOR,CLUSTER.USER,AMBARI.ADMINISTRATOR

I can successfully log in with a local Ambari user.

Version history: Revision 1 of 1
Last update: 01-05-2017 02:41 PM