
Unable to map AD user/group to kylin roles ROLE ANALYST and ROLE_MODELER


New Contributor

Having an issue when we tried to enable Active Directory Authentication for Apache Kylin.

Apache Kylin 2.2.0 in HDP version 2.6.3 and Ambari version 2.5.1.0.

The issue is that whenever an AD user tries to log in through the Kylin UI, they get the error Bad Credentials. Kylin can communicate with AD, but it fails in the role-based authentication of the Spring framework. As per the Kylin documentation, KYLIN-ADMIN-GROUP contains the admin users, but they are not able to log in to the Kylin UI.

QUESTION: How to map AD user/group to kylin roles ROLE_ANALYST and ROLE_MODELER?

Below is the configuration in kylin.properties:

kylin.security.profile=ldap

## Default roles and admin roles in LDAP, for ldap and saml

#kylin.security.acl.default-role=ROLE_ANALYST,ROLE_MODELER

kylin.security.acl.admin-role=ROLE_KYLIN-ADMIN-GROUP

kylin.security.ldap.connection-server=ldaps://example.com:636

kylin.security.ldap.connection-username=xxxxxxxx

kylin.security.ldap.connection-password=**************

kylin.security.ldap.user-search-base=DC=example,DC=com

kylin.security.ldap.user-search-pattern=(&(cn={0}))

kylin.security.ldap.user-group-search-base=OU=users,DC=example,DC=com

Logs:

2018-01-04 17:11:39,500 INFO [localhost-startStop-1] ldap.DefaultSpringSecurityContextSource:76 : URL 'ldaps://example.com:636', root DN is ''

2018-01-04 17:11:39,611 INFO [localhost-startStop-1] search.FilterBasedLdapUserSearch:96 : SearchBase not set. Searches will be performed from the root:

2018-01-04 17:11:39,613 INFO [localhost-startStop-1] userdetails.DefaultLdapAuthoritiesPopulator:171 : groupSearchBase is empty. Searches will be performed from the context source base

2018-01-04 17:11:39,777 INFO [Thread-12] measure.MeasureTypeFactory:115 : Checking custom measure types from kylin config

2018-01-04 17:11:39,779 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering COUNT_DISTINCT(hllc), class org.apache.kylin.measure.hllc.HLLCMeasureType$Factory

2018-01-04 17:11:39,797 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering COUNT_DISTINCT(bitmap), class org.apache.kylin.measure.bitmap.BitmapMeasureType$Factory

2018-01-04 17:11:39,803 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering TOP_N(topn), class org.apache.kylin.measure.topn.TopNMeasureType$Factory

2018-01-04 17:11:39,808 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering RAW(raw), class org.apache.kylin.measure.raw.RawMeasureType$Factory

2018-01-04 17:11:39,811 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering EXTENDED_COLUMN(extendedcolumn), class org.apache.kylin.measure.extendedcolumn.ExtendedColumnMeasureType$Factory

2018-01-04 17:11:39,813 INFO [Thread-12] measure.MeasureTypeFactory:144 : registering PERCENTILE(percentile), class org.apache.kylin.measure.percentile.PercentileMeasureType$Factory

2018-01-04 17:12:19,318 ERROR [http-bio-7090-exec-1] security.KylinAuthenticationProvider:122 : Failed to auth user: User1

org.springframework.security.authentication.BadCredentialsException: Bad credentials

at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:197)

at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)

at org.apache.kylin.rest.security.KylinAuthenticationProvider.authenticate(KylinAuthenticationProvider.java:94)

at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)

at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)

at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
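
A cross-check of the two excerpts in the question above, as an added example that is not part of the original post: it reports search bases that are set in kylin.properties while the Spring Security LDAP beans log them as empty at startup, and lists commented-out ACL role settings. The pairing of each log message with a property key is an assumption based on the property names; the sample input is copied from the post.

```python
import re

# Constructed sample input: settings and startup log lines copied from the post.
KYLIN_PROPERTIES = """\
kylin.security.profile=ldap
#kylin.security.acl.default-role=ROLE_ANALYST,ROLE_MODELER
kylin.security.acl.admin-role=ROLE_KYLIN-ADMIN-GROUP
kylin.security.ldap.user-search-base=DC=example,DC=com
kylin.security.ldap.user-group-search-base=OU=users,DC=example,DC=com
"""
STARTUP_LOG = """\
2018-01-04 17:11:39,500 INFO [localhost-startStop-1] ldap.DefaultSpringSecurityContextSource:76 : URL 'ldaps://example.com:636', root DN is ''
2018-01-04 17:11:39,611 INFO [localhost-startStop-1] search.FilterBasedLdapUserSearch:96 : SearchBase not set. Searches will be performed from the root:
2018-01-04 17:11:39,613 INFO [localhost-startStop-1] userdetails.DefaultLdapAuthoritiesPopulator:171 : groupSearchBase is empty. Searches will be performed from the context source base
"""

# Assumption: which property feeds which bean is inferred from the key names.
LOG_MARKERS = {
    "SearchBase not set": "kylin.security.ldap.user-search-base",
    "groupSearchBase is empty": "kylin.security.ldap.user-group-search-base",
}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # value may itself contain '='
            props[key.strip()] = value.strip()
    return props

def configured_but_unset(properties_text, log_text):
    """Return (key, value) pairs set in the file but logged as empty at startup."""
    props = parse_properties(properties_text)
    return [(key, props[key]) for marker, key in LOG_MARKERS.items()
            if marker in log_text and props.get(key)]

def commented_out_acl_keys(properties_text):
    """Return kylin.security.acl.* keys that are present only as comments."""
    pattern = r"^\s*#+\s*(kylin\.security\.acl\.[\w.-]+)\s*="
    return re.findall(pattern, properties_text, re.M)

if __name__ == "__main__":
    for key, value in configured_but_unset(KYLIN_PROPERTIES, STARTUP_LOG):
        print(f"{key}={value} is set in the file but logged as empty at startup")
    for key in commented_out_acl_keys(KYLIN_PROPERTIES):
        print(f"{key} is commented out")
```

Any pair it reports means the running server did not pick up that value from the file that was inspected.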


Re: Unable to map AD user/group to kylin roles ROLE ANALYST and ROLE_MODELER

New Contributor

Hi Keerthika Murali

Kylin does not support mapping LDAP groups to roles, but some commercial Kylin distributions support it.

By defining kylin.security.ldap.group-search-filter=(|(objectClass=groupOfNames)(objectClass=group))

If you are interested, you could drop me a mail to liuyiming.vip#gmail.com


Re: Unable to map AD user/group to kylin roles ROLE ANALYST and ROLE_MODELER

New Contributor

Hi @Billy Liu,

Can you mention the commercial Kylin distribution which supports LDAP?

Noticed that the authentication worked for one AD user, sample1. Below are the authentication details.

curl -u sample1:xxxxxxx -X GET http://localhost:7090/kylin/api/user/authentication

{ "userDetails": {"accountNonExpired": true, "accountNonLocked": true, "authorities": [ { "authority": "ROLE_ANALYST" }, { "authority": "ROLE_MODELER" } ], "credentialsNonExpired": true, "dn": "cn=developer1,ou=users,dc=example,dc=com", "enabled": true, "graceLoginsRemaining": 222222222, "password": null, "timeBeforeExpiration": 2222222222, "username": "sample1" } }
