Created on 05-26-2021 04:26 PM - edited 05-26-2021 04:27 PM
Hello,
After we upgraded from CDH 5.15 to the CDP 7.1.6 runtime, the HUE SAML login got broken. It gives the error below. Any ideas?
ValueError at /saml2/login/
Could not deserialize key data.
Request Method: GET
Request URL: http://xxxxx.com:8889/saml2/login/?next=/
Django Version: 1.11.29
Exception Type: ValueError
Exception Value:
Could not deserialize key data.
Exception Location: /opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/build/env/lib/python2.7/site-packages/cryptography-2.9-py2.7-linux-x86_64.egg/cryptography/hazmat/backends/openssl/backend.py in _handle_key_loading_error, line 1382
Python Executable: /opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/build/env/bin/python2.7
Python Version: 2.7.5
Python Path:
['/opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/desktop/libs/libsaml/attribute-maps',
Created on 05-27-2021 09:39 AM - edited 05-27-2021 10:28 AM
Some more progress:
It appears that in CDP 7.1.6 we need to create the unencrypted dummy key file as below.
To create an unencrypted private key file from an encrypted key we have to run:
openssl rsa -in ssl_certificate.key -out ssl_certificate-nocrypt.key
The output file (ssl_certificate-nocrypt.key) is an unencrypted PEM-formatted key that is used for the parameter key_file=/opt/cloudera/security/saml/ssl_certificate-nocrypt.key
Now this error is gone: Could not deserialize key data.
But we are getting different error below:
AttributeError at /saml2/acs/
'NoneType' object has no attribute 'strip'
Request Method: POST
Request URL: http://xxxx.com:8889/saml2/acs/
Django Version: 1.11.29
Exception Type: AttributeError
Exception Value:
'NoneType' object has no attribute 'strip'
Exception Location: /opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.9.0-py2.7.egg/saml2/response.py in for_me, line 212
Python Executable: /opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/build/env/bin/python2.7
Python Version: 2.7.5
Python Path:
['/opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/desktop/libs/libsaml/attribute-maps',
-------------------------------------------------
Below is the Python code; line 212 is the one that errors out:
202 def for_me(conditions, myself):
203     """ Am I among the intended audiences """
204
205     if not conditions.audience_restriction:  # No audience restriction
206         return True
207
208     for restriction in conditions.audience_restriction:
209         if not restriction.audience:
210             continue
211         for audience in restriction.audience:
212             if audience.text.strip() == myself:
213                 return True
214             else:
215                 # print("Not for me: %s != %s" % (audience.text.strip(),
216                 #                                  myself))
217                 pass
218
219     return False
Created 06-07-2021 03:15 AM
Hello @ebeb ,
please see the documentation on "Configuring SAML authentication on managed clusters". Please let us know if following the steps there resolved your issue!
Kind regards:
Ferenc
Ferenc Erdelyi, Technical Solutions Manager
Created 06-17-2021 05:20 AM
Hi Ferenc,
We are seeing a similar issue occur in our latest deployment to AWS EMR 5.33 clusters.
Previously we had no issue with HUE SAML on EMR 5.29 clusters. However, when we attempt to use cloudera 4.9, which comes packaged with this version of EMR, we are seeing similar exceptions once we enable HUE SAML.
Please see the defect I logged for more details -
https://github.com/cloudera/hue/issues/2137
Any suggestions on how to resolve? These exceptions are all appearing in the HUE virtual environment, but this looks very similar to the original exception reported here.
I appreciate any direction or help you can give, as this is a blocker for us continuing with HUE at the moment.
Thanks
Darren
Created on 06-17-2021 06:55 AM - edited 06-17-2021 07:03 AM
Darren,
This got resolved with the help of a Cloudera Support engineer. There were a couple of issues. First, the IDP and SP entity_id should be different values. Next, there is a SAML property that needs to be set by the IDP, which is <saml:AudienceRestriction><saml:Audience /></saml:AudienceRestriction></saml:Conditions>
After setting the Audience property to the entity_id of the SP the error went away and HUE SAML is working again.
See below error before setting Audience property:
response DEBUG conditions: <?xml version='1.0' encoding='UTF-8'?>
<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2021-06-02T16:02:45.573Z" NotOnOrAfter="2021-06-02T17:02:45.573Z"><saml:AudienceRestriction><saml:Audience /></saml:AudienceRestriction></saml:Conditions>
[02/Jun/2021 09:02:45 -0700] client_base ERROR XML parse error: 'NoneType' object has no attribute 'strip'
[02/Jun/2021 09:02:45 -0700] middleware INFO Processing exception: 'NoneType' object has no attribute 'strip': Traceback (most recent call last):
File "/opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/hue/build/env/lib/python2.7/site-packages/Django-1.11.29-py2.7.egg/django/core/handlers/base.py", line 185, in _get_response
This looks like a breaking change from CDH 5.15 HUE SAML to CDP 7.1.6, as we never set the Audience value in the IDP in CDH 5.x before.
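Added example, not code from Hue, pysaml2 or Cloudera: it takes the for_me() audience check quoted earlier in the thread and the <saml:Conditions> element from the debug log above, and shows why an empty <saml:Audience /> crashes the original (audience.text is None) and what a check that tolerates it reports instead. It also encodes the first finding of the resolution, that the IdP and SP entity_id must differ. Only the standard library is used; SP_ENTITY_ID and IDP_ENTITY_ID are assumed placeholder values, and both conditions samples are constructed from the log line, not taken from a live IdP.

```python
# Added example (not Hue's, pysaml2's or Cloudera's code): a defensive version
# of pysaml2's for_me() audience check, run over the <saml:Conditions> element
# printed in the Hue debug log. An empty <saml:Audience /> is treated as naming
# nobody (the assertion is rejected with a readable reason) instead of being
# dereferenced as None, which is the AttributeError seen in the thread.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AUDIENCE_RESTRICTION = "{%s}AudienceRestriction" % SAML_NS
AUDIENCE = "{%s}Audience" % SAML_NS

SP_ENTITY_ID = "https://hue.example.com/saml2/metadata/"   # assumed placeholder
IDP_ENTITY_ID = "https://idp.example.com/idp/metadata"     # assumed placeholder

# Constructed sample 1: the element from the log, audience left empty by the IdP.
BROKEN_CONDITIONS = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'NotBefore="2021-06-02T16:02:45.573Z" NotOnOrAfter="2021-06-02T17:02:45.573Z">'
    "<saml:AudienceRestriction><saml:Audience /></saml:AudienceRestriction>"
    "</saml:Conditions>"
)

# Constructed sample 2: the same element after the IdP sends the SP entity_id.
FIXED_CONDITIONS = BROKEN_CONDITIONS.replace(
    "<saml:Audience />", "<saml:Audience>%s</saml:Audience>" % SP_ENTITY_ID)


def _parse(conditions_xml):
    # Hand expat bytes so the UTF-8 declaration in the sample is honoured.
    if isinstance(conditions_xml, str):
        conditions_xml = conditions_xml.encode("utf-8")
    return ET.fromstring(conditions_xml)


def audiences(conditions_xml):
    """All Audience values in the element; an empty <saml:Audience /> yields ''."""
    root = _parse(conditions_xml)
    return [(aud.text or "").strip()
            for restriction in root.findall(AUDIENCE_RESTRICTION)
            for aud in restriction.findall(AUDIENCE)]


def for_me(conditions_xml, myself):
    """Is `myself` (the SP entity_id) among the intended audiences?

    Same decision as pysaml2's for_me(): no AudienceRestriction means the
    assertion is accepted, otherwise one Audience must equal `myself`.
    Returns (accepted, reason) so a rejection can be diagnosed from the log.
    """
    root = _parse(conditions_xml)
    restrictions = root.findall(AUDIENCE_RESTRICTION)
    if not restrictions:
        return True, "no AudienceRestriction present"
    seen = []
    for restriction in restrictions:
        for aud in restriction.findall(AUDIENCE):
            value = (aud.text or "").strip()   # .text is None for <saml:Audience />
            if value and value == myself:
                return True, "Audience matches SP entity_id"
            seen.append(value or "<empty>")
    return False, "no Audience matched %s (IdP sent: %s)" % (myself, ", ".join(seen))


def check_entity_ids(idp_entity_id, sp_entity_id):
    """First finding from the thread: IdP and SP entity_id must be different."""
    if idp_entity_id == sp_entity_id:
        return False, "IdP and SP entity_id are identical"
    return True, "entity_ids differ"


if __name__ == "__main__":
    print(check_entity_ids(IDP_ENTITY_ID, SP_ENTITY_ID))
    print(for_me(BROKEN_CONDITIONS, SP_ENTITY_ID))  # rejected, audience empty
    print(for_me(FIXED_CONDITIONS, SP_ENTITY_ID))   # accepted
```

Running it against the broken sample rejects the assertion with "IdP sent: <empty>", which is the condition the thread hit; the same element with the SP entity_id filled in is accepted, and an assertion addressed to the IdP's own entity_id is rejected, which is why the two ids must not be identical.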
Created 06-17-2021 06:57 AM
I'm happy to see you resolved your issue. Please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.
Created 06-18-2021 09:31 AM
Hi,
Thanks for the response. It turns out my issue is slightly different. I have been able to unblock myself by creating a new PEM key and cert file using openssl.
Thanks for your help; please don't keep the issue open on my part,
Best regards
Darren