Support Questions
Find answers, ask questions, and share your expertise

Unable to map AD user/group to kylin roles ROLE ANALYST and ROLE_MODELER

New Contributor

Having an issue when we tried to enable Active Directory Authentication for Apache Kylin.

Apache Kylin 2.2.0 in HDP version 2.6.3 and Ambari version

The issue is whenever an AD user tries to login through Kylin UI getting error as Bad Credentials. Kylin can communicate with AD but it fails in the role based authentication of the spring framework. As per the kylin documentation KYLIN-ADMIN-GROUP contains the admin users but they are not able to login to kylin UI.

QUESTION: How to map AD user/group to kylin roles ROLE_ANALYST and ROLE_MODELER?

Below are the configuration of

## Default roles and admin roles in LDAP, for ldap and saml,ROLE_MODELER**************,DC=com{0})),DC=example,DC=com


2018-01-04 17:11:39,500 INFO [localhost-startStop-1] ldap.DefaultSpringSecurityContextSource:76 : URL 'ldaps://', root DN is ''

2018-01-04 17:11:39,611 INFO [localhost-startStop-1] search.FilterBasedLdapUserSearch:96 : SearchBase not set. Searches will be performed from the root:

2018-01-04 17:11:39,613 INFO [localhost-startStop-1] userdetails.DefaultLdapAuthoritiesPopulator:171 : groupSearchBase is empty. Searches will be performed from the context source base

2018-01-04 17:11:39,777 INFO [Thread-12] measure.MeasureTypeFactory:115 : Checking custom measure types from kylin config

2018-01-04 17:11:39,779 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering COUNT_DISTINCT(hllc), class org.apache.kylin.measure.hllc.HLLCMeasureType$Factory

2018-01-04 17:11:39,797 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering COUNT_DISTINCT(bitmap), class org.apache.kylin.measure.bitmap.BitmapMeasureType$Factory

2018-01-04 17:11:39,803 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering TOP_N(topn), class org.apache.kylin.measure.topn.TopNMeasureType$Factory

2018-01-04 17:11:39,808 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering RAW(raw), class org.apache.kylin.measure.raw.RawMeasureType$Factory

2018-01-04 17:11:39,811 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering EXTENDED_COLUMN(extendedcolumn), class org.apache.kylin.measure.extendedcolumn.ExtendedColumnMeasureType$Factory

2018-01-04 17:11:39,813 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering PERCENTILE(percentile), class org.apache.kylin.measure.percentile.PercentileMeasureType$Factory

2018-01-04 17:12:19,318 ERROR [http-bio-7090-exec-1] security.KylinAuthenticationProvider:122 : Failed to auth user: User1 Bad credentials







at org.springframework.web.filter.OncePerRequestFilter.doFilter(


New Contributor

Hi Keerthika Murali

Kylin does not support map LDAP group to Roles, but some commerical Kylin distribution support it.

By defining|(objectClass=groupOfNames)(objectClass=group))

If you are interested, you could drop me a mail to

New Contributor

Hi @Billy Liu,

Can you mention the commerical Kylin distribution which supports LDAP?

Noticed that the authentication worked for one AD user sample1. Below is the authentication details.

curl -u sample1:xxxxxxx -X GET http://localhost:7090/kylin/api/user/authentication

{ "userDetails": {"accountNonExpired": true, "accountNonLocked": true, "authorities": [ { "authority": "ROLE_ANALYST" }, { "authority": "ROLE_MODELER" } ], "credentialsNonExpired": true, "dn": "cn=developer1,ou=users,dc=example,dc=com", "enabled": true, "graceLoginsRemaining": 222222222, "password": null, "timeBeforeExpiration": 2222222222, "username": "sample1" } }

; ;