Created 01-09-2018 11:22 AM
We are having an issue enabling Active Directory authentication for Apache Kylin.
Apache Kylin 2.2.0 in HDP version 2.6.3 and Ambari version 2.5.1.0.
The issue is that whenever an AD user tries to log in through the Kylin UI, they get a Bad Credentials error. Kylin can communicate with AD, but it fails in the role-based authentication of the Spring framework. As per the Kylin documentation, KYLIN-ADMIN-GROUP contains the admin users, but they are not able to log in to the Kylin UI.
QUESTION: How to map an AD user/group to the Kylin roles ROLE_ANALYST and ROLE_MODELER?
Below is the configuration in kylin.properties:
kylin.security.profile=ldap
## Default roles and admin roles in LDAP, for ldap and saml
#kylin.security.acl.default-role=ROLE_ANALYST,ROLE_MODELER
kylin.security.acl.admin-role=ROLE_KYLIN-ADMIN-GROUP
kylin.security.ldap.connection-server=ldaps://example.com:636
kylin.security.ldap.connection-username=xxxxxxxx
kylin.security.ldap.connection-password=**************
kylin.security.ldap.user-search-base=DC=example,DC=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-base=OU=users,DC=example,DC=com
Logs:
2018-01-04 17:11:39,500 INFO [localhost-startStop-1] ldap.DefaultSpringSecurityContextSource:76 : URL 'ldaps://example.com:636', root DN is ''
2018-01-04 17:11:39,611 INFO [localhost-startStop-1] search.FilterBasedLdapUserSearch:96 : SearchBase not set. Searches will be performed from the root:
2018-01-04 17:11:39,613 INFO [localhost-startStop-1] userdetails.DefaultLdapAuthoritiesPopulator:171 : groupSearchBase is empty. Searches will be performed from the context source base
2018-01-04 17:11:39,777 INFO [Thread-12] measure.MeasureTypeFactory:115 : Checking custom measure types from kylin config
2018-01-04 17:11:39,779 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering COUNT_DISTINCT(hllc), class org.apache.kylin.measure.hllc.HLLCMeasureType$Factory
2018-01-04 17:11:39,797 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering COUNT_DISTINCT(bitmap), class org.apache.kylin.measure.bitmap.BitmapMeasureType$Factory
2018-01-04 17:11:39,803 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering TOP_N(topn), class org.apache.kylin.measure.topn.TopNMeasureType$Factory
2018-01-04 17:11:39,808 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering RAW(raw), class org.apache.kylin.measure.raw.RawMeasureType$Factory
2018-01-04 17:11:39,811 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering EXTENDED_COLUMN(extendedcolumn), class org.apache.kylin.measure.extendedcolumn.ExtendedColumnMeasureType$Factory
2018-01-04 17:11:39,813 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering PERCENTILE(percentile), class org.apache.kylin.measure.percentile.PercentileMeasureType$Factory
2018-01-04 17:12:19,318 ERROR [http-bio-7090-exec-1] security.KylinAuthenticationProvider:122 : Failed to auth user: User1
org.springframework.security.authentication.BadCredentialsException: Bad credentials
at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:197)
at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
at org.apache.kylin.rest.security.KylinAuthenticationProvider.authenticate(KylinAuthenticationProvider.java:94)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
Created 01-10-2018 03:47 PM
Kylin does not support mapping LDAP groups to roles, but some commercial Kylin distributions support it.
By defining kylin.security.ldap.group-search-filter=(|(objectClass=groupOfNames)(objectClass=group))
If you are interested, you could drop me a mail at liuyiming.vip#gmail.com
Created 01-10-2018 04:21 PM
Hi @Billy Liu,
Can you mention the commercial Kylin distribution which supports LDAP?
I noticed that authentication worked for one AD user, sample1. Below are the authentication details.
curl -u sample1:xxxxxxx -X GET http://localhost:7090/kylin/api/user/authentication
{ "userDetails": {"accountNonExpired": true, "accountNonLocked": true, "authorities": [ { "authority": "ROLE_ANALYST" }, { "authority": "ROLE_MODELER" } ], "credentialsNonExpired": true, "dn": "cn=developer1,ou=users,dc=example,dc=com", "enabled": true, "graceLoginsRemaining": 222222222, "password": null, "timeBeforeExpiration": 2222222222, "username": "sample1" } }
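
Added example, not part of the original thread and not Kylin's own code: a Python cross-check of the three artifacts posted above. It flags search-base properties that are set in kylin.properties while the Spring Security startup log reports them as empty, and checks whether the configured admin role appears in the authorities returned by /kylin/api/user/authentication. The inputs are constructed from the values shown in the thread, and the function names are hypothetical.

```python
import json

# Constructed sample inputs, reduced from the values posted in the thread.
PROPERTIES = """\
kylin.security.profile=ldap
#kylin.security.acl.default-role=ROLE_ANALYST,ROLE_MODELER
kylin.security.acl.admin-role=ROLE_KYLIN-ADMIN-GROUP
kylin.security.ldap.user-search-base=DC=example,DC=com
kylin.security.ldap.user-group-search-base=OU=users,DC=example,DC=com
"""
STARTUP_LOG = """\
INFO search.FilterBasedLdapUserSearch:96 : SearchBase not set. Searches will be performed from the root:
INFO userdetails.DefaultLdapAuthoritiesPopulator:171 : groupSearchBase is empty. Searches will be performed from the context source base
"""
AUTH_RESPONSE = ('{"userDetails": {"authorities": [{"authority": "ROLE_ANALYST"},'
                 ' {"authority": "ROLE_MODELER"}], "username": "sample1"}}')

# Log messages from the thread that report an empty search base, mapped to
# the kylin.properties key from the thread that is meant to supply it.
EMPTY_BASE_MARKERS = {
    "SearchBase not set": "kylin.security.ldap.user-search-base",
    "groupSearchBase is empty": "kylin.security.ldap.user-group-search-base",
}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # value may itself contain '='
        if sep:
            props[key.strip()] = value.strip()
    return props

def unapplied_search_bases(props, log_text):
    """Keys that have a value in the file while the log says the base is empty."""
    return sorted(key for marker, key in EMPTY_BASE_MARKERS.items()
                  if marker in log_text and props.get(key))

def granted_roles(auth_json):
    """Authorities the REST API reports for the authenticated user."""
    details = json.loads(auth_json)["userDetails"]
    return {entry["authority"] for entry in details["authorities"]}

def has_admin_role(props, auth_json):
    """True if the configured admin role is among the user's authorities."""
    return props.get("kylin.security.acl.admin-role") in granted_roles(auth_json)
```

On the thread's data, both search-base keys are reported as set in the file but empty at startup, and sample1 holds only the two default roles, not the configured admin role.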