Support Questions
Find answers, ask questions, and share your expertise

Zeppelin AD users not binded to groups

Expert Contributor

Hi,

I am using HDP 2.3.0 with Zeppelin 0.6.0. I configured LDAP/AD for users and groups. I can successfully login as AD user, but when I create role for my AD group in shiro.ini, then set permissions to the notebook only to this AD group I cannot be authorized (no roles (groups) binded to my user). Please check my configs below.

ZeppelinUser10 belongs to both AD groups - ZeppelinGroup1 and ZeppelinGroup2

shiro.ini

[main]
### A sample for configuring Active Directory Realm
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = CN=ZeppelinUser1,OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
activeDirectoryRealm.systemPassword = mypass
activeDirectoryRealm.searchBase = OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
activeDirectoryRealm.url = ldap://myldap.com:389
activeDirectoryRealm.groupRolesMap = "CN=ZeppelinGroup1,OU=Groups,OU=Zeppelin,DC=MYAD,DC=COM":"ZeppelinGroup1","CN=ZeppelinGroup2,OU=Groups,OU=Zeppelin,DC=MYAD,DC=COM":"ZeppelinGroup2"
activeDirectoryRealm.authorizationCachingEnabled = true

### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
ldapRealm.contextFactory.url = ldap://myldap.com:389
ldapRealm.userDnTemCOMate = cn={0},OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
ldapRealm.contextFactory.authenticationMechanism = SIMPLE

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
role1 = *
role2 = *
role3 = *
ZeppelinGroup1 = *
ZeppelinGroup2 = *

log

ERROR [2016-09-05 15:07:02,069] ({qtp1029098726-16} LdapGroupRealm.java[getRoleNamesForUser]:89) - Error
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'OU=Users,OU=Zeppelin,DC=MYAD,DC=COM'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3127)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1789)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
        at org.apache.zeppelin.server.LdapGroupRealm.getRoleNamesForUser(LdapGroupRealm.java:67)
        at org.apache.zeppelin.server.LdapGroupRealm.queryForAuthorizationInfo(LdapGroupRealm.java:50)
        at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthorizationInfo(JndiLdapRealm.java:313)
        at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341)
        at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:571)
        at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:374)
        at org.apache.shiro.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:153)
        at org.apache.shiro.subject.support.DelegatingSubject.hasRole(DelegatingSubject.java:224)
        at org.apache.zeppelin.utils.SecurityUtils.getRoles(SecurityUtils.java:113)
        at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:78)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:100)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
        at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
        at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
        at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
        at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
        at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
WARN [2016-09-05 15:07:02,076] ({qtp1029098726-16} LoginRestApi.java[postLogin]:112) - {"status":"OK","message":"","body":{"principal":"ZeppelinUser10","ticket":"753601d0-5958-4092-bf32-1f5b84b6a8f1","roles":"[]"}}
16 REPLIES 16

Explorer

@Edgar Daeds: Hi Edgar, are you able to find any solution for this issue?

Expert Contributor

@Apoorv Pathak Hi, yes it is working now. I used config posted above by Roman Glova.

Explorer

Hi @Edgar Daeds: Thanks for the response. But I am unable to see any comment from Roman. Could you please paste the comment again.

Explorer

Hey @Apoorv Pathak Its in the best answer thread, just click on show more comments

I cannot get my Zeppelin shiro to map my group on HDP2.6. I used a config like shown here, but I always get "roles":"[]". Are you guys using any particular attribute in Active Directory for which groups a user is part of? We use "memberOf", and in some other definitions, such as Knox Gateway we have to configure which attribute is the group list. I am curious if Zeppelin/Shiro might be hard-coding that attribute and if that is why I can't get my users mapped to groups.

Expert Contributor

@Tom Stewart

Did you define the group names in the [roles] section?

New Contributor

This issue is reported in jira ticket

https://issues.apache.org/jira/browse/ZEPPELIN-2810 and

https://issues.apache.org/jira/browse/ZEPPELIN-2640

and some developer sent a PR for this

https://github.com/apache/zeppelin/pull/2405

this issue will be fixed in zeppelin v0.8.0 but not released now

how about wait for next release or build it yourself?

or use ldapRealm?