Support Questions
Find answers, ask questions, and share your expertise

Zeppelin AD users not binded to groups

Expert Contributor

Hi,

I am using HDP 2.3.0 with Zeppelin 0.6.0. I configured LDAP/AD for users and groups. I can successfully login as AD user, but when I create role for my AD group in shiro.ini, then set permissions to the notebook only to this AD group I cannot be authorized (no roles (groups) binded to my user). Please check my configs below.

ZeppelinUser10 belongs to both AD groups - ZeppelinGroup1 and ZeppelinGroup2

shiro.ini

[main]
### A sample for configuring Active Directory Realm
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = CN=ZeppelinUser1,OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
activeDirectoryRealm.systemPassword = mypass
activeDirectoryRealm.searchBase = OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
activeDirectoryRealm.url = ldap://myldap.com:389
activeDirectoryRealm.groupRolesMap = "CN=ZeppelinGroup1,OU=Groups,OU=Zeppelin,DC=MYAD,DC=COM":"ZeppelinGroup1","CN=ZeppelinGroup2,OU=Groups,OU=Zeppelin,DC=MYAD,DC=COM":"ZeppelinGroup2"
activeDirectoryRealm.authorizationCachingEnabled = true

### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
ldapRealm.contextFactory.url = ldap://myldap.com:389
ldapRealm.userDnTemCOMate = cn={0},OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
ldapRealm.contextFactory.authenticationMechanism = SIMPLE

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
role1 = *
role2 = *
role3 = *
ZeppelinGroup1 = *
ZeppelinGroup2 = *

log

ERROR [2016-09-05 15:07:02,069] ({qtp1029098726-16} LdapGroupRealm.java[getRoleNamesForUser]:89) - Error
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'OU=Users,OU=Zeppelin,DC=MYAD,DC=COM'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3127)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1789)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
        at org.apache.zeppelin.server.LdapGroupRealm.getRoleNamesForUser(LdapGroupRealm.java:67)
        at org.apache.zeppelin.server.LdapGroupRealm.queryForAuthorizationInfo(LdapGroupRealm.java:50)
        at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthorizationInfo(JndiLdapRealm.java:313)
        at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341)
        at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:571)
        at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:374)
        at org.apache.shiro.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:153)
        at org.apache.shiro.subject.support.DelegatingSubject.hasRole(DelegatingSubject.java:224)
        at org.apache.zeppelin.utils.SecurityUtils.getRoles(SecurityUtils.java:113)
        at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:78)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:100)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
        at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
        at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
        at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
        at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
        at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
WARN [2016-09-05 15:07:02,076] ({qtp1029098726-16} LoginRestApi.java[postLogin]:112) - {"status":"OK","message":"","body":{"principal":"ZeppelinUser10","ticket":"753601d0-5958-4092-bf32-1f5b84b6a8f1","roles":"[]"}}
1 ACCEPTED SOLUTION

Accepted Solutions

Re: Zeppelin AD users not binded to groups

@Edgar Daeds instead of using both activeDirectoryRealm and ldapRealm can you user one. In this case it looks like you may want to authenticate to a AD server, hence just use activeDirectoryRealm and comment out the other ldapRealm*. and then check.

View solution in original post

16 REPLIES 16

Re: Zeppelin AD users not binded to groups

Expert Contributor

and every 10 seconds I got this error in log:

ERROR [2016-09-05 17:07:16,486] ({qtp1029098726-14} NotebookServer.java[onMessage]:211) - Can't handle message
java.lang.Exception: Invalid ticket 8f240ec6-33f2-485e-a9e5-21f88b885b9f != 580fd7ff-0457-4f6b-9796-e796b928af4d
        at org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:117)
        at org.apache.zeppelin.socket.NotebookSocket.onWebSocketText(NotebookSocket.java:56)
        at org.eclipse.jetty.websocket.common.events.JettyListenerEventDriver.onTextMessage(JettyListenerEventDriver.java:128)
        at org.eclipse.jetty.websocket.common.message.SimpleTextMessage.messageComplete(SimpleTextMessage.java:69)
        at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.appendMessage(AbstractEventDriver.java:65)
        at org.eclipse.jetty.websocket.common.events.JettyListenerEventDriver.onTextFrame(JettyListenerEventDriver.java:122)
        at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.incomingFrame(AbstractEventDriver.java:161)
        at org.eclipse.jetty.websocket.common.WebSocketSession.incomingFrame(WebSocketSession.java:309)
        at org.eclipse.jetty.websocket.common.extensions.ExtensionStack.incomingFrame(ExtensionStack.java:214)
        at org.eclipse.jetty.websocket.common.Parser.notifyFrame(Parser.java:220)
        at org.eclipse.jetty.websocket.common.Parser.parse(Parser.java:258)
        at org.eclipse.jetty.websocket.common.io.AbstractWebSocketConnection.readParse(AbstractWebSocketConnection.java:632)
        at org.eclipse.jetty.websocket.common.io.AbstractWebSocketConnection.onFillable(AbstractWebSocketConnection.java:480)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)

Re: Zeppelin AD users not binded to groups

This error "Invalid ticket 8f240ec6-33f2-485e-a9e5-21f88b885b9f != 580fd7ff-0457-4f6b-9796-e796b928af4d" comes for various reasons, but one of the most common being a one of you browser tab is still active after zeppelin-server restart.

Re: Zeppelin AD users not binded to groups

@Edgar Daeds instead of using both activeDirectoryRealm and ldapRealm can you user one. In this case it looks like you may want to authenticate to a AD server, hence just use activeDirectoryRealm and comment out the other ldapRealm*. and then check.

View solution in original post

Re: Zeppelin AD users not binded to groups

Expert Contributor

@prabhjyot singh thanks for the answer but nothing happens when I commented out all ldapRealm*. I stil receive that user has no roles (does not belong to group).

WARN [2016-09-06 09:20:19,042] ({qtp1029098726-16} LoginRestApi.java[postLogin]:112) - {"status":"OK","message":"","body":{"principal":"ZeppelinUser10","ticket":"753601d0-5958-4092-bf32-1f5b84b6a8f1","roles":"[]"}}

Re: Zeppelin AD users not binded to groups

Could you try the same with ZeppelinUser10@`realm`, where the realm is the name that you would have used to setup AD, and if this works set this property in your shiro.ini

activeDirectoryRealm.principalSuffix = @realm

Re: Zeppelin AD users not binded to groups

Expert Contributor

@prabhjyot singh

I can log in as user@myad.com but when I set "activeDirectoryRealm.principalSuffix = @myad.com" I cant log in ("LDAP Error 49 52e" and "LDAP naming error while attempting to retrieve authorization for user [ZeppelinUser10].")

Re: Zeppelin AD users not binded to groups

Explorer

here is my working config

activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm activeDirectoryRealm.systemUsername = <ldap_binding_user> (just username without @domain.com) activeDirectoryRealm.systemPassword = <ldap_binding_password> activeDirectoryRealm.searchBase = OU=GROUP,DC=DOMAIN,DC=COM activeDirectoryRealm.url = ldap://ldap.domain.com:389 activeDirectoryRealm.groupRolesMap = "CN=group,DC=domain,DC=com":"admin activeDirectoryRealm.authorizationCachingEnabled = true activeDirectoryRealm.principalSuffix = @domain.com securityManager.realms = $activeDirectoryRealm sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login

Re: Zeppelin AD users not binded to groups

New Contributor

I've noticed that it only works if last node is CN (security group) not OU (container)

Re: Zeppelin AD users not binded to groups

Explorer

We are experiencing the same issue with Zeppelin 0.7 as well. Could this be somehow related to Enterprise AD?

Can we achieve this type of authorization using LDAP authentication?