Support Questions

JoaoBarreto · ‎10-26-2018

Hello my dear gods of the Big Data!

I'm having the following problems:

Problem #1 - all users are login in as superusers. How is this possible? I have a 5.12 cluster and this isn't happening. On a the new one (CDH 6), Hue is giving this permission to everyone. What am I missing?

Problem #2 - LDAP configuration. Hue isn't using my filters!?

LDAP Configuration:

Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini

[desktop]
[[ldap]]
sync_groups_on_login=true
debug_level=255
trace_level=9

Authentication Backend (LdapBackend ldap_url) - ldap://stuff1.stuff2.stuff3:389

LDAP Username Pattern (ldap_username_pattern) - empty

Use Search Bind Authentication (search_bind_authentication) - True

Create LDAP users on login (create_users_on_login) - True

LDAP Search Base (base_dn) - dc=stuff1,dc=stuff2,dc=stuff3

LDAP Bind User Distinguished Name (bind_dn) - CN=user,OU=stuff4,DC=stuff1,DC=stuff2,DC=stuff3

LDAP Bind Password (bind_password) - •••••••••••••••••••••

LDAP User Filter (user_filter) - empty

LDAP Username Attribute (user_name_attr) - sAMAccountName

LDAP Group Filter (group_filter) - (&(objectClass=group)(cn=GBGDATA*))

LDAP Group Name Attribute (group_name_attr) - cn

LDAP Group Membership Attribute (group_member_attr) - member

The idea behind this configuration is to filter all accesses to users that belong to all groups which start with "GBGDATA".

In access.log, debug shows this:

[26/Oct/2018 14:57:52 +0100] DEBUG search_s('dc=stuff1,dc=stuff2,dc=stuff3', 2, '(&(sAMAccountName=%(user)s)(objectclass=*))') returned 1 objects: cn=myuser,ou=stuff5,dc=stuff1,dc=stuff2,dc=stuff3
[26/Oct/2018 14:57:52 +0100] DEBUG Populating Django user myuser
[26/Oct/2018 14:57:53 +0100] WARNING 123.123.123.123 myuser - "POST /hue/accounts/login HTTP/1.1"-- Successful login for user: myuser

Why in the hell HUE is using:

(&(sAMAccountName=%(user)s)(objectclass=*))

Instead of what I've set above???

Thanks everyone!

JoaoBarreto · ‎10-30-2018

We manage to find a... sort of... solution... I think... at least... it seems to be working.

Changed:

LDAP User Filter (user_filter) from empty to

(|(memberOf=CN=GBGDATA1,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3) (memberOf=CN=GBGDATA2,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3)(memberOf=CN=GBGDATA3,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3))

LDAP Group Filter (group_filter) from (&(objectClass=group)(cn=GBGDATA*)) to (objectClass=group)

Is there anyway of doing this but with a wildcard *? Like GBGDATA*?

If we need to put more groups... this is going to become a huge pain in the a...

Timothy · ‎01-17-2019

@JoaoBarreto

Did you find an answer to "Problem #1 - all users are login in as superusers. How is this possible? I have a 5.12 cluster and this isn't happening. On a the new one (CDH 6), Hue is giving this permission to everyone. What am I missing?"

We are facing the same issue now

bgooley · ‎01-17-2019

Hi @Timothy,

The issue with superusers is a bug resolved in this upstream Jira:

https://issues.cloudera.org/browse/HUE-8675

There is no CDH release with the fix at this time but it is slated for CDH 6.1.1 (targeted for release in February)

If you need the fix sooner, you could try applying the changes to your code based on the upstream fix.

Timothy · ‎01-17-2019

@JoaoBarreto Based on our research it looks like the fix for all users being super users is in the https://github.com/cloudera/hue/commit/5fa75c3176b2065709021284803aa61e9e72f0a5#diff-ce4495f7505de11... but hasn't been merged to master.I see a lot of bugs in the newer versions. We have got several issues with the new hue version which we didnt have before. For example tls doesn't seem to work anymore and it has to be LDAPS.Our EMR is due for upgrades and all these issues are delaying the progress.

Support Questions

[HUE CDH 6.0] All users login in as superusers and LDAP filters not working.