Support Questions
Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

[HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

[HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

Labels:
JoaoBarreto
Explorer

Created ‎10-26-2018 07:25 AM

Hello my dear gods of the Big Data!

 

I'm having the following problems:

 

Problem #1 - all users are login in as superusers. How is this possible? I have a 5.12 cluster and this isn't happening. On a the new one (CDH 6), Hue is giving this permission to everyone. What am I missing?

 

Problem #2 - LDAP configuration. Hue isn't using my filters!?

 

LDAP Configuration:

 

Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini

[desktop]
[[ldap]]
sync_groups_on_login=true
debug_level=255
trace_level=9

 

Authentication Backend (LdapBackend ldap_url) - ldap://stuff1.stuff2.stuff3:389

LDAP Username Pattern (ldap_username_pattern) - empty

Use Search Bind Authentication (search_bind_authentication) - True

Create LDAP users on login (create_users_on_login) - True

LDAP Search Base (base_dn) - dc=stuff1,dc=stuff2,dc=stuff3
LDAP Bind User Distinguished Name (bind_dn) - CN=user,OU=stuff4,DC=stuff1,DC=stuff2,DC=stuff3
LDAP Bind Password (bind_password) - •••••••••••••••••••••
LDAP User Filter (user_filter) - empty
LDAP Username Attribute (user_name_attr) - sAMAccountName
LDAP Group Filter (group_filter) - (&(objectClass=group)(cn=GBGDATA*))
LDAP Group Name Attribute (group_name_attr) - cn
LDAP Group Membership Attribute (group_member_attr) - member
 
The idea behind this configuration is to filter all accesses to users that belong to all groups which start with "GBGDATA". 

In access.log, debug shows this:
[26/Oct/2018 14:57:52 +0100] DEBUG search_s('dc=stuff1,dc=stuff2,dc=stuff3', 2, '(&(sAMAccountName=%(user)s)(objectclass=*))') returned 1 objects: cn=myuser,ou=stuff5,dc=stuff1,dc=stuff2,dc=stuff3
[26/Oct/2018 14:57:52 +0100] DEBUG Populating Django user myuser
[26/Oct/2018 14:57:53 +0100] WARNING 123.123.123.123 myuser - "POST /hue/accounts/login HTTP/1.1"-- Successful login for user: myuser
Why in the hell HUE is using:
(&(sAMAccountName=%(user)s)(objectclass=*))

Instead of what I've set above???

 

Thanks everyone!

Reply
1,228 Views
0 Kudos
1
4 REPLIES 4

Re: [HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

JoaoBarreto
Explorer

Created ‎10-30-2018 06:27 AM

We manage to find a... sort of... solution... I think... at least... it seems to be working.

 

Changed:

LDAP User Filter (user_filter) from empty to 

(|(memberOf=CN=GBGDATA1,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3) (memberOf=CN=GBGDATA2,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3)(memberOf=CN=GBGDATA3,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3))

 
LDAP Group Filter (group_filter) from (&(objectClass=group)(cn=GBGDATA*)) to (objectClass=group)
 
 
Is there anyway of doing this but with a wildcard *? Like GBGDATA*?
 
If we need to put more groups... this is going to become a huge pain in the a...
Reply
1,123 Views
0 Kudos

Re: [HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

Timothy
Explorer

Created on ‎01-17-2019 07:22 AM - edited ‎01-17-2019 07:22 AM

@JoaoBarreto

 

Did you find an answer to "Problem #1 - all users are login in as superusers. How is this possible? I have a 5.12 cluster and this isn't happening. On a the new one (CDH 6), Hue is giving this permission to everyone. What am I missing?"

 

We are facing the same issue now 

Reply
767 Views
0 Kudos

Re: [HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

bgooley
Super Guru

Created ‎01-17-2019 10:22 AM

Hi @Timothy,

 

The issue with superusers is a bug resolved in this upstream Jira:

 

https://issues.cloudera.org/browse/HUE-8675

 

There is no CDH release with the fix at this time but it is slated for CDH 6.1.1 (targeted for release in February)

If you need the fix sooner, you could try applying the changes to your code based on the upstream fix.

Reply
756 Views
Highlighted

Re: [HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

Timothy
Explorer

Created ‎01-17-2019 10:51 AM

@JoaoBarreto   Based on our research it looks like the fix for all users being super users is in the https://github.com/cloudera/hue/commit/5fa75c3176b2065709021284803aa61e9e72f0a5#diff-ce4495f7505de11... but hasn't been merged to master.I see a lot of bugs in the newer versions. We have got several issues with the new hue version which we didnt have before. For example tls doesn't seem to work anymore and it has to be LDAPS.Our EMR is due for upgrades and all these issues are delaying the progress.

Reply
753 Views
0 Kudos
Don't have an account?
Register
Coming from Hortonworks? Activate your account here