Support Questions
Find answers, ask questions, and share your expertise

Zeppelin Bug with PAM Authentication on HDP

Zeppelin Bug with PAM Authentication on HDP

New Contributor

Hi folks,

 

I've just installed a cluster with HDP 3.1 and I'm facing a problem setting PAM Authentication on Zeppelin. 

 

After setting everything (from the documentation) I got the following error:

 

=============================

INFO [2019-10-11 12:26:48,848] ({qtp466505482-23} NotebookServer.java[onOpen]:150) - New connection from 10.22.9.120 : 33070

ERROR [2019-10-11 12:27:03,661] ({qtp466505482-64} LoginRestApi.java[proceedToLogin]:181) - Exception in login: 

org.apache.shiro.authc.AuthenticationException: Authentication failed for PAM.

at org.apache.zeppelin.realm.PamRealm.doGetAuthenticationInfo(PamRealm.java:74)

at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)

at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)

at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)

at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)

at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)

at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)

at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)

at org.apache.zeppelin.rest.LoginRestApi.proceedToLogin(LoginRestApi.java:149)

at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:208)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)

at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)

at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)

at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)

at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)

at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)

at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)

at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)

at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)

at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)

at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)

at org.glassfish.jersey.internal.Errors.process(Errors.java:316)

at org.glassfish.jersey.internal.Errors.process(Errors.java:298)

at org.glassfish.jersey.internal.Errors.process(Errors.java:268)

at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)

at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)

at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)

at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)

at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)

at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)

at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)

at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)

at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)

at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)

at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)

at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)

at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)

at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)

at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)

at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)

at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)

at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)

at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)

at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)

at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)

at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)

at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)

at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)

at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)

at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)

at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)

at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:219)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)

at org.eclipse.jetty.server.Server.handle(Server.java:531)

at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)

at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)

at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)

at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)

at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)

at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)

at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762)

at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680)

at java.lang.Thread.run(Thread.java:745)

Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure

at org.jvnet.libpam.PAM.check(PAM.java:106)

at org.jvnet.libpam.PAM.authenticate(PAM.java:124)

at org.apache.zeppelin.realm.PamRealm.doGetAuthenticationInfo(PamRealm.java:72)

... 82 more

 WARN [2019-10-11 12:27:03,672] ({qtp466505482-64} LoginRestApi.java[postLogin]:215) - {"status":"FORBIDDEN","message":"","body":""}

=============================

 

 

The output of /var/log/auth.log also shows some strange messages, including "unexpected response from failed conversation function".

 

=============================

Oct 11 11:56:11 hypatia-0 java: pam_unix(sshd:auth): unexpected response from failed conversation function

Oct 11 11:56:11 hypatia-0 su[32645]: Successful su for zeppelin by root

Oct 11 11:56:11 hypatia-0 su[32645]: + ??? root:zeppelin

Oct 11 11:56:11 hypatia-0 su[32645]: pam_unix(su:session): session opened for user zeppelin by (uid=0)

Oct 11 11:56:11 hypatia-0 systemd-logind[861]: New session c1695 of user zeppelin.

Oct 11 11:56:11 hypatia-0 unix_chkpwd[32634]: check pass; user unknown

Oct 11 11:56:11 hypatia-0 unix_chkpwd[32634]: password check failed for user (angelo)

Oct 11 11:56:11 hypatia-0 java: pam_unix(sshd:auth): authentication failure; logname= uid=1096 euid=1096 tty= ruser= rhost=  user=angelo

Oct 11 11:56:11 hypatia-0 su[32645]: pam_unix(su:session): session closed for user zeppelin

Oct 11 11:56:11 hypatia-0 systemd-logind[861]: Removed session c1695.

=========================================

 

 

To debug this I wrote my own java code to authenticate to PAM using the code from Shimo tutorial (https://shiro.apache.org/tutorial.html), and that one worked. I believe therefore that something in the current Zeppelin version has screwed the interface to PAM.

 

Can you get a look on it and check if there is something to do?

 

Best regards

1 REPLY 1
Highlighted

Re: Zeppelin Bug with PAM Authentication on HDP

New Contributor

I had same issue with not successful login via PAM.
I couldn’t fix it and just switched to anonymous mode.
My environment is CDH 7.1.4 trial on VirtualBox CentOS 7.8.2003 .

 

Stop Zeppelin before configuration amendment.

1. zeppelin.anonymous.allowed new value true.

shiro.ini-1.png

2. in the block zeppelin.shiro.user.block add new user admin = admin, admin

3. comment PAM configuration on zeppelin.shiro.main.block

shiro.ini-2.png

4. in the block zeppelin.shiro.roles.block new role admin = *

shiro.ini-3.png

5. in the block zeppelin.shiro.urls.block value /** = authc is changed into /** = anon

shiro.ini-4.png

Save configuration and start Zeppelin service.

shiro.ini-5-Zeppelin.png