Support Questions

Find answers, ask questions, and share your expertise

Zeppelin AD users not binded to groups

avatar
Super Collaborator

Hi,

I am using HDP 2.3.0 with Zeppelin 0.6.0. I configured LDAP/AD for users and groups. I can successfully login as AD user, but when I create role for my AD group in shiro.ini, then set permissions to the notebook only to this AD group I cannot be authorized (no roles (groups) binded to my user). Please check my configs below.

ZeppelinUser10 belongs to both AD groups - ZeppelinGroup1 and ZeppelinGroup2

shiro.ini

[main]
### A sample for configuring Active Directory Realm
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = CN=ZeppelinUser1,OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
activeDirectoryRealm.systemPassword = mypass
activeDirectoryRealm.searchBase = OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
activeDirectoryRealm.url = ldap://myldap.com:389
activeDirectoryRealm.groupRolesMap = "CN=ZeppelinGroup1,OU=Groups,OU=Zeppelin,DC=MYAD,DC=COM":"ZeppelinGroup1","CN=ZeppelinGroup2,OU=Groups,OU=Zeppelin,DC=MYAD,DC=COM":"ZeppelinGroup2"
activeDirectoryRealm.authorizationCachingEnabled = true

### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
ldapRealm.contextFactory.url = ldap://myldap.com:389
ldapRealm.userDnTemCOMate = cn={0},OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
ldapRealm.contextFactory.authenticationMechanism = SIMPLE

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
role1 = *
role2 = *
role3 = *
ZeppelinGroup1 = *
ZeppelinGroup2 = *

log

ERROR [2016-09-05 15:07:02,069] ({qtp1029098726-16} LdapGroupRealm.java[getRoleNamesForUser]:89) - Error
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'OU=Users,OU=Zeppelin,DC=MYAD,DC=COM'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3127)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1789)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
        at org.apache.zeppelin.server.LdapGroupRealm.getRoleNamesForUser(LdapGroupRealm.java:67)
        at org.apache.zeppelin.server.LdapGroupRealm.queryForAuthorizationInfo(LdapGroupRealm.java:50)
        at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthorizationInfo(JndiLdapRealm.java:313)
        at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341)
        at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:571)
        at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:374)
        at org.apache.shiro.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:153)
        at org.apache.shiro.subject.support.DelegatingSubject.hasRole(DelegatingSubject.java:224)
        at org.apache.zeppelin.utils.SecurityUtils.getRoles(SecurityUtils.java:113)
        at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:78)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:100)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
        at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
        at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
        at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
        at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
        at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
WARN [2016-09-05 15:07:02,076] ({qtp1029098726-16} LoginRestApi.java[postLogin]:112) - {"status":"OK","message":"","body":{"principal":"ZeppelinUser10","ticket":"753601d0-5958-4092-bf32-1f5b84b6a8f1","roles":"[]"}}
1 ACCEPTED SOLUTION

avatar
Cloudera Employee

@Edgar Daeds instead of using both activeDirectoryRealm and ldapRealm can you user one. In this case it looks like you may want to authenticate to a AD server, hence just use activeDirectoryRealm and comment out the other ldapRealm*. and then check.

View solution in original post

16 REPLIES 16

avatar
Super Collaborator

and every 10 seconds I got this error in log:

ERROR [2016-09-05 17:07:16,486] ({qtp1029098726-14} NotebookServer.java[onMessage]:211) - Can't handle message
java.lang.Exception: Invalid ticket 8f240ec6-33f2-485e-a9e5-21f88b885b9f != 580fd7ff-0457-4f6b-9796-e796b928af4d
        at org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:117)
        at org.apache.zeppelin.socket.NotebookSocket.onWebSocketText(NotebookSocket.java:56)
        at org.eclipse.jetty.websocket.common.events.JettyListenerEventDriver.onTextMessage(JettyListenerEventDriver.java:128)
        at org.eclipse.jetty.websocket.common.message.SimpleTextMessage.messageComplete(SimpleTextMessage.java:69)
        at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.appendMessage(AbstractEventDriver.java:65)
        at org.eclipse.jetty.websocket.common.events.JettyListenerEventDriver.onTextFrame(JettyListenerEventDriver.java:122)
        at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.incomingFrame(AbstractEventDriver.java:161)
        at org.eclipse.jetty.websocket.common.WebSocketSession.incomingFrame(WebSocketSession.java:309)
        at org.eclipse.jetty.websocket.common.extensions.ExtensionStack.incomingFrame(ExtensionStack.java:214)
        at org.eclipse.jetty.websocket.common.Parser.notifyFrame(Parser.java:220)
        at org.eclipse.jetty.websocket.common.Parser.parse(Parser.java:258)
        at org.eclipse.jetty.websocket.common.io.AbstractWebSocketConnection.readParse(AbstractWebSocketConnection.java:632)
        at org.eclipse.jetty.websocket.common.io.AbstractWebSocketConnection.onFillable(AbstractWebSocketConnection.java:480)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)

avatar
Cloudera Employee

This error "Invalid ticket 8f240ec6-33f2-485e-a9e5-21f88b885b9f != 580fd7ff-0457-4f6b-9796-e796b928af4d" comes for various reasons, but one of the most common being a one of you browser tab is still active after zeppelin-server restart.

avatar
Cloudera Employee

@Edgar Daeds instead of using both activeDirectoryRealm and ldapRealm can you user one. In this case it looks like you may want to authenticate to a AD server, hence just use activeDirectoryRealm and comment out the other ldapRealm*. and then check.

avatar
Super Collaborator

@prabhjyot singh thanks for the answer but nothing happens when I commented out all ldapRealm*. I stil receive that user has no roles (does not belong to group).

WARN [2016-09-06 09:20:19,042] ({qtp1029098726-16} LoginRestApi.java[postLogin]:112) - {"status":"OK","message":"","body":{"principal":"ZeppelinUser10","ticket":"753601d0-5958-4092-bf32-1f5b84b6a8f1","roles":"[]"}}

avatar
Cloudera Employee

Could you try the same with ZeppelinUser10@`realm`, where the realm is the name that you would have used to setup AD, and if this works set this property in your shiro.ini

activeDirectoryRealm.principalSuffix = @realm

avatar
Super Collaborator

@prabhjyot singh

I can log in as user@myad.com but when I set "activeDirectoryRealm.principalSuffix = @myad.com" I cant log in ("LDAP Error 49 52e" and "LDAP naming error while attempting to retrieve authorization for user [ZeppelinUser10].")

avatar
Explorer

here is my working config

activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm activeDirectoryRealm.systemUsername = <ldap_binding_user> (just username without @domain.com) activeDirectoryRealm.systemPassword = <ldap_binding_password> activeDirectoryRealm.searchBase = OU=GROUP,DC=DOMAIN,DC=COM activeDirectoryRealm.url = ldap://ldap.domain.com:389 activeDirectoryRealm.groupRolesMap = "CN=group,DC=domain,DC=com":"admin activeDirectoryRealm.authorizationCachingEnabled = true activeDirectoryRealm.principalSuffix = @domain.com securityManager.realms = $activeDirectoryRealm sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login

avatar
New Contributor

I've noticed that it only works if last node is CN (security group) not OU (container)

avatar
Explorer

We are experiencing the same issue with Zeppelin 0.7 as well. Could this be somehow related to Enterprise AD?

Can we achieve this type of authorization using LDAP authentication?