Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

How to configure Superset to use LDAP?

avatar
author-rank fernando_lopez
Expert Contributor

Created on ‎02-07-2019 08:18 PM - edited ‎09-16-2022 08:51 AM

We need to configure Superset, running within HDP 3.1, to use existing LDAP.

We could not find any proper documentation on how to do this. Are there any defined steps?

Thanks in advance.

21,527 Views
0 Kudos
0
9 REPLIES 9

avatar
author-rank zoujingyong52
Contributor

Created ‎05-23-2019 01:16 PM

I also need it.


AUTH_TYPE = AUTH_LDAP 
AUTH_USER_REGISTRATION = True 
AUTH_LDAP_SERVER = "ldap://XXX"
AUTH_LDAP_SEARCH="dc=XXX,dc=com"
AUTH_LDAP_APPEND_DOMAIN = "XXX.com"
AUTH_LDAP_UID_FIELD="userPrincipalName"
AUTH_LDAP_FIRSTNAME_FIELD="givenName"
AUTH_LDAP_LASTTNAME_FIELD="sn"
AUTH_LDAP_USE_TLS = False
21,034 Views
0 Kudos

avatar
ask_bill_brooks author-rank
Moderator

Created ‎05-24-2019 03:34 AM

The above question and the reply thread below was originally posted in the Community Help Track. On Fri May 24 03:20 UTC 2019, a member of the HCC moderation staff moved it to the Security track. The Community Help Track is intended for questions about using the HCC site itself.

Bill Brooks, Community Moderator
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
21,034 Views
0 Kudos

avatar
author-rank lvazquez
Expert Contributor

Created ‎05-24-2019 02:55 PM

@jingyong zou you should not use AUTH_LDAP_APPEND_DOMAIN unless your users are authenticating using the fully qualified principal name as in "username@mydomain.com" instead of simply "username". If you use uid or samAccountName as AUTH_LDAP_UID_FIELD (as is the case with OpenLDAP, IPA or AD) then this is not needed,

Also check the values for the parameters AUTH_USER_REGISTRATION=True and AUTH_USER_REGISTRATION_ROLE which should be set to a valid role in Superset (Public, Gamma, Alpha o Admin).

Another not very documented parameter which may be important depending on your LDAP setup is AUTH_LDAP_USERNAME_FORMAT, check this also.

With the previous advises in mind, check carefully the following documentation articles and you may be able to find your appropiate options combination to make LDAP work with Superset:

A tcpdump capture in your Superset server + wireshark analysis may be also of much help to debug what is your current Superset config sending to the LDAP server. In my case this was the "final step" to fit all the pieces.

21,034 Views
0 Kudos

avatar
author-rank zoujingyong52
Contributor

Created on ‎05-28-2019 05:48 AM - edited ‎08-17-2019 02:40 PM

HDP3.1 + Superset 0.23.0 ,I don't know how to configure it

108975-1559022484776.png

21,034 Views
0 Kudos

avatar
author-rank zoujingyong52
Contributor

Created ‎05-28-2019 05:49 AM

Have you made any progress on this?

21,034 Views
0 Kudos

avatar
author-rank jeff_watson
Rising Star

Created ‎11-14-2019 02:34 PM

Ditto on the need.  I filled in all the fields in Ambari (in a Kerberized cluster) and no luck.  Is there supposed to be any logging somewhere other than /var/log/superset/superset.log to show either issues or attempts to login?

20,540 Views
0 Kudos

avatar
author-rank Scharan author-rank
Master Collaborator

Created ‎11-14-2019 09:56 PM

@jeff_watson 

To enable debug on superset logs, follow below steps

  1. Stop Superset from Ambari

  2. Add this line at the end of /usr/hdp/current/superset/lib/python3.4/site-packages/superset/__init.py

 

logging.getLogger('flask_appbuilder').setLevel(logging.DEBUG)

 

3. Then Start superset manually using following command 

 

source /usr/hdp/current/superset/conf/superset-env.sh ; /usr/hdp/current/superset/bin/python3.4 /usr/hdp/current/superset/bin/gunicorn --log-level debug -b `hostname`:9088 superset:app

 

 

20,520 Views
0 Kudos

avatar
author-rank jeff_watson
Rising Star

Created ‎02-27-2020 07:45 AM

Turning on debug mode showed a little bit of additional information and eventually got me to look at the code and added a few debug lines of my own to /usr/hdp/current/superset/lib/python3.6/site-packages/flask_appbuilder/security/manager.py in _search_ldap to show the filter_str and username being passed to the LDAP search. I saw the filter_str was set to userPrinicipalName=jeff.watson@our.domain, so I got rid of the @our.domain adding AUTH_LDAP_APPEND_DOMAIN, but that still didn't work.  I finally remembered that Ranger used sSAMAcountName as an AD search name,so I changed add AUTH_LDAP_UID_FIELD as sAMAccountName and poof, LDAP logins work.  Note:  Ambari settings aren't saved where the command line version can find them until I saved and restarted superset in Ambari, then stopped it again so I could run it interactively to see the debug logging. 

 

I'm busy and lazy, so I didn't start removing other settings to see what I needed or didn't need, so here are the settings that worked for me.  Our cluster is Kerberized and uses self signed certificates.

 

AUTH_LDAP_UID_FIELD=sAMAccountName

 

AUTH_LDAP_BIND_USER=CN=Bind,OU=Admin,dc=our,dc=domain

AUTH_LDAP_SEARCH=OU=Employees,dc=our,dc=domain

AUTH_LDAP_SERVER=ldap://our.domain

AUTH_LDAP=AUTH_LDAP

AUTH_LDAP_ALLOW_SELF_SIGNED=True

AUTH_LDAP_APPEND_DOMAIN=False

AUTH_LDAP_FIRSTNAME_FIELD=givenName

AUTH_LDAP_LASTNAME_FIELD=sn

AUTH_LDAP_USE_TLS=False

AUTH_USER_REGISTRATION=True

ENABLE_KERBEROS_AUTHENTICATION=True

KERBEROS_KEYTAB=/etc/security/keytabs/superset.headless.keytab

KERBEROS_PRINCIPAL=superset-sdrdev@OUR.DOMAIN

19,760 Views
0 Kudos

avatar
author-rank rohipawa
New Contributor

Created ‎11-16-2022 01:24 AM

How would you check logs related to ldap , In mine all docker-container like superset_app , superset-worker showing no error, but i can't be able to log from normal user either or ldap one
My configured things


from flask_appbuilder.security.manager import AUTH_LDAP

AUTH_TYPE = AUTH_LDAP 
AUTH_USER_REGISTRATION = True 
AUTH_LDAP_SERVER = "ldap://localhost:389"
# AUTH_LDAP_SEARCH="ou=people,dc=superset,dc=com"
AUTH_LDAP_SEARCH= "cn=admin,dc=ramhlocal,dc=com"
# AUTH_LDAP_APPEND_DOMAIN = "XXX.com"
AUTH_LDAP_UID_FIELD="cn"
AUTH_LDAP_FIRSTNAME_FIELD= "Rohit"
AUTH_LDAP_LASTTNAME_FIELD= "sn"
AUTH_LDAP_USE_TLS = False

# AUTH_LDAP_UID_FIELD=sAMAccountName
# AUTH_LDAP_BIND_USER=CN=Bind,OU=Admin,dc=our,dc=domain

AUTH_LDAP_ALLOW_SELF_SIGNED= True
AUTH_LDAP_APPEND_DOMAIN= False
9,574 Views
0 Kudos
Announcements
Community Announcements
April 2025 Cloudera Customer Advisory: Cloudera’s response t...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
View More Announcements