HDP 2.5 + Zeppelin 0.6 + LDAP : Interpreters are not shown when zeppelin is configured with LDAP

The problem is that the interpreters are not visible after configuring LDAP.

Found a similar problem at https://community.hortonworks.com/questions/54516/zeppelin-interpreters-disappear-when-security-is-e... but the steps mentioned there did not solve the issue.

Am I missing something?

Below is the value for variable shiro_ini_content in zeppelin -> configs:

[users]

# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = zeppelin
activeDirectoryRealm.systemPassword = test@123
activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
activeDirectoryRealm.searchBase = cn=Users,dc=test,dc=testdomain,dc=com
activeDirectoryRealm.url = ldap://ad-nano.test.testdomain.com:389
activeDirectoryRealm.groupRolesMap = "cn=zeppelin,cn=Users,dc=test,dc=testdomain,dc=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true

shiro.loginUrl = /api/login

[roles]
admin=*
[urls]
/api/version = anon
#/** = anon
/** = authc

I was able to log in successfully, but clicking on interpreters did not show anything.

Below is the output from zeppelin log file

WARN [2016-09-26 17:37:41,581] ({qtp687241927-17} LoginRestApi.java[postLogin]:111) - {"status":"OK","message":"","body":{"principal":"zeppelin","ticket":"82b92434-fe54-496b-9d70-0d1f83afe812","roles":"[]"}}
WARN [2016-09-26 17:37:50,361] ({qtp687241927-15} ServletHandler.java[doHandle]:620) -
javax.servlet.ServletException: Filtered request failed.
 at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:384)
 at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
 at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
 at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
 at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
 at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
 at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
 at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
 at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
 at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
 at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
 at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
 at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
 at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
 at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
 at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
 at org.eclipse.jetty.server.Server.handle(Server.java:499)
 at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
 at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
 at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
 at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
 at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
 at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.AbstractMethodError: javax.ws.rs.core.Response.getStatusInfo()Ljavax/ws/rs/core/Response$StatusType;
 at javax.ws.rs.WebApplicationException.validate(WebApplicationException.java:186)
 at javax.ws.rs.ClientErrorException.<init>(ClientErrorException.java:88)
 at org.apache.cxf.jaxrs.utils.JAXRSUtils.findTargetMethod(JAXRSUtils.java:503)
 at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:207)
 at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:103)
 at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
 at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
 at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
 at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
 at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
 at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
 at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
 at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
 at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:211)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
 at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
 at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
 at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
 at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
 at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
 at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
 at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
 at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
 at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
 at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
 at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
 at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
 at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
 at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
 ... 22 more

 
1 ACCEPTED SOLUTION

@pankaj singh I documented this and have the list of interpreters working.

Use this tutorial: https://community.hortonworks.com/content/kbentry/65449/ow-to-setup-a-multi-user-active-directory-ba...

This is the critical section in shiro.ini:

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000

Here is the excerpt of a valid shiro.ini:

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
#admin = password1
#user1 = password2, role1, role2
#user2 = password3, role3
#user3 = password4, role2
# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = CN=binduser,OU=ServiceUsers,DC=sampledcfield,DC=hortonworks,DC=com
activeDirectoryRealm.systemUsername = binduser
activeDirectoryRealm.systemPassword = xxxxxx
activeDirectoryRealm.principalSuffix = @your.domain.name
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
activeDirectoryRealm.searchBase = DC=sampledcfield,DC=hortonworks,DC=com
activeDirectoryRealm.url = ldaps://ad01.your.domain.name:636
activeDirectoryRealm.groupRolesMap = "CN=hadoop-admins,OU=CorpUsers,DC=sampledcfield,DC=hortonworks,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
#ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
#ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=example,dc=com
#ldapRealm.contextFactory.url = ldap://ldaphost:389
#ldapRealm.contextFactory.authenticationMechanism = SIMPLE
#sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hours
#securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[roles]
admin = *
[urls]
# anon means the access is anonymous.
# authcBasic means Basic Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
#/** = anon
/** = authc
#/** = authcBasic

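As an added example (not part of the original thread, and not Zeppelin or Shiro code), the script below audits a shiro.ini for the points on which the question's and the accepted answer's configurations differ: the session-manager lines, `ldap://` versus `ldaps://`, the inline bind password, and role-restricted `/api/interpreter/**`, `/api/credential/**` and `/api/configurations/**` rules. The finding labels and the condensed sample string are constructed for this example; because Shiro applies the first matching `[urls]` line, the check also requires the restricted rules to appear before `/**`.

```python
ADMIN_APIS = ("/api/interpreter/**", "/api/credential/**", "/api/configurations/**")
SESSION_KEYS = ("sessionManager", "securityManager.sessionManager",
                "securityManager.sessionManager.globalSessionTimeout")

def parse_shiro_ini(text):
    """Return {section: [(key, value), ...]} in file order, skipping comment lines."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def audit(text):
    ini = parse_shiro_ini(text)
    main, urls = dict(ini.get("main", [])), ini.get("urls", [])
    findings = set()
    if any(k not in main for k in SESSION_KEYS):
        findings.add("session-manager-missing")   # the answer's "critical section"
    for key, value in main.items():
        if key.endswith(".url") and value.startswith("ldap://"):
            findings.add("cleartext-ldap")        # directory traffic is not TLS-protected
        if key.endswith(".systemPassword"):
            findings.add("inline-bind-password")  # secret sits in the config file itself
    patterns = [p for p, _ in urls]
    catch_all = patterns.index("/**") if "/**" in patterns else len(patterns)
    if ("/**", "anon") in urls:
        findings.add("anonymous-catch-all")
    for api in ADMIN_APIS:                        # first matching [urls] line wins
        rule = dict(urls).get(api, "")
        if "roles[" not in rule or patterns.index(api) > catch_all:
            findings.add("admin-api-unrestricted")
    return sorted(findings)

# Constructed sample, condensed from the configuration posted in the question.
QUESTION_INI = """[main]
activeDirectoryRealm.systemPassword = test@123
activeDirectoryRealm.url = ldap://ad-nano.test.testdomain.com:389
[urls]
/** = authc
"""

if __name__ == "__main__":
    print(audit(QUESTION_INI))
```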

3 REPLIES 3

Do you have zeppelin.server.addr set to the actual IP or host of the Zeppelin server?

@slachterman thanks for the response. I tried adding the zeppelin in zeppelin.server.addr, but again the error is the same.
