
Zeppelin Bug with PAM Authentication on HDP


Hi folks,

 

I've just installed a cluster with HDP 3.1 and I'm facing a problem setting PAM Authentication on Zeppelin. 

 

After setting everything (from the documentation) I got the following error:

 

=============================

INFO [2019-10-11 12:26:48,848] ({qtp466505482-23} NotebookServer.java[onOpen]:150) - New connection from 10.22.9.120 : 33070

ERROR [2019-10-11 12:27:03,661] ({qtp466505482-64} LoginRestApi.java[proceedToLogin]:181) - Exception in login: 

org.apache.shiro.authc.AuthenticationException: Authentication failed for PAM.

at org.apache.zeppelin.realm.PamRealm.doGetAuthenticationInfo(PamRealm.java:74)

at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)

at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)

at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)

at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)

at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)

at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)

at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)

at org.apache.zeppelin.rest.LoginRestApi.proceedToLogin(LoginRestApi.java:149)

at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:208)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)

at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)

at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)

at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)

at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)

at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)

at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)

at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)

at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)

at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)

at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)

at org.glassfish.jersey.internal.Errors.process(Errors.java:316)

at org.glassfish.jersey.internal.Errors.process(Errors.java:298)

at org.glassfish.jersey.internal.Errors.process(Errors.java:268)

at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)

at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)

at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)

at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)

at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)

at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)

at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)

at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)

at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)

at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)

at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)

at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)

at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)

at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)

at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)

at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)

at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)

at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)

at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)

at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)

at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)

at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)

at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)

at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)

at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)

at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)

at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)

at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:219)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)

at org.eclipse.jetty.server.Server.handle(Server.java:531)

at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)

at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)

at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)

at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)

at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)

at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)

at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762)

at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680)

at java.lang.Thread.run(Thread.java:745)

Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure

at org.jvnet.libpam.PAM.check(PAM.java:106)

at org.jvnet.libpam.PAM.authenticate(PAM.java:124)

at org.apache.zeppelin.realm.PamRealm.doGetAuthenticationInfo(PamRealm.java:72)

... 82 more

 WARN [2019-10-11 12:27:03,672] ({qtp466505482-64} LoginRestApi.java[postLogin]:215) - {"status":"FORBIDDEN","message":"","body":""}

=============================

 

 

The output of /var/log/auth.log also shows some strange messages, including "unexpected response from failed conversation function".

 

=============================

Oct 11 11:56:11 hypatia-0 java: pam_unix(sshd:auth): unexpected response from failed conversation function

Oct 11 11:56:11 hypatia-0 su[32645]: Successful su for zeppelin by root

Oct 11 11:56:11 hypatia-0 su[32645]: + ??? root:zeppelin

Oct 11 11:56:11 hypatia-0 su[32645]: pam_unix(su:session): session opened for user zeppelin by (uid=0)

Oct 11 11:56:11 hypatia-0 systemd-logind[861]: New session c1695 of user zeppelin.

Oct 11 11:56:11 hypatia-0 unix_chkpwd[32634]: check pass; user unknown

Oct 11 11:56:11 hypatia-0 unix_chkpwd[32634]: password check failed for user (angelo)

Oct 11 11:56:11 hypatia-0 java: pam_unix(sshd:auth): authentication failure; logname= uid=1096 euid=1096 tty= ruser= rhost=  user=angelo

Oct 11 11:56:11 hypatia-0 su[32645]: pam_unix(su:session): session closed for user zeppelin

Oct 11 11:56:11 hypatia-0 systemd-logind[861]: Removed session c1695.

=========================================

 

 

To debug this I wrote my own Java code to authenticate to PAM using the code from the Shiro tutorial (https://shiro.apache.org/tutorial.html), and that one worked. I believe therefore that something in the current Zeppelin version has screwed the interface to PAM.

Can you take a look at it and check if there is something to do?

 

Best regards
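
An added triage example, not part of the original post: it parses `pam_unix` failure lines like the ones in the auth.log excerpt above and reports the PAM service name, the calling uid and the target account. It flags the case where a non-root caller authenticates a different account, because the `unix_chkpwd` helper only verifies the caller's own password for non-root callers. The `uid_names` mapping (1096 to `zeppelin` in the test) is an assumption, since the log does not name the owner of uid 1096.

```python
import re

# Constructed sample: three lines copied from the auth.log excerpt above.
SAMPLE = """\
Oct 11 11:56:11 hypatia-0 unix_chkpwd[32634]: check pass; user unknown
Oct 11 11:56:11 hypatia-0 unix_chkpwd[32634]: password check failed for user (angelo)
Oct 11 11:56:11 hypatia-0 java: pam_unix(sshd:auth): authentication failure; logname= uid=1096 euid=1096 tty= ruser= rhost=  user=angelo
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<proc>[^\s:\[]+)(?:\[\d+\])?: "
    r"pam_unix\((?P<service>[^:)]+):(?P<type>\w+)\): authentication failure; (?P<kv>.*)$"
)
CHKPWD_RE = re.compile(r"unix_chkpwd\[\d+\]: (check pass; user unknown|password check failed)")


def parse_failures(text):
    """Return one dict per pam_unix 'authentication failure' line."""
    lines = text.splitlines()
    # True when the unix_chkpwd helper also logged a failure in this excerpt.
    helper_seen = any(CHKPWD_RE.search(line) for line in lines)
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        # Fields such as 'tty=' may be empty, so allow a zero-length value.
        kv = dict(re.findall(r"(\w+)=(\S*)", m["kv"]))
        events.append({
            "process": m["proc"], "service": m["service"],
            "uid": int(kv["uid"]), "euid": int(kv["euid"]),
            "target": kv.get("user", ""), "helper_failed": helper_seen,
        })
    return events


def triage(event, uid_names):
    """Classify a failure; uid_names maps uid -> account name (assumed input)."""
    caller = uid_names.get(event["uid"])
    if event["euid"] != 0 and caller != event["target"]:
        return ("non-root caller authenticating a different account: "
                "unix_chkpwd only verifies the caller's own password")
    return "caller is root or the target itself: check the password or account state"
```

The `service` field in the result is the name of the `/etc/pam.d` stack that handled the request, which is the file to review alongside the account the Zeppelin server process runs as.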
