Support Questions
Find answers, ask questions, and share your expertise

Zeppelin Bug with PAM Authentication on HDP

New Contributor

Hi folks,

 

I've just installed a cluster with HDP 3.1 and I'm facing a problem setting PAM Authentication on Zeppelin. 

 

After setting everything (from the documentation) I got the following error:

 

=============================

INFO [2019-10-11 12:26:48,848] ({qtp466505482-23} NotebookServer.java[onOpen]:150) - New connection from 10.22.9.120 : 33070

ERROR [2019-10-11 12:27:03,661] ({qtp466505482-64} LoginRestApi.java[proceedToLogin]:181) - Exception in login: 

org.apache.shiro.authc.AuthenticationException: Authentication failed for PAM.

at org.apache.zeppelin.realm.PamRealm.doGetAuthenticationInfo(PamRealm.java:74)

at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)

at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)

at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)

at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)

at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)

at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)

at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)

at org.apache.zeppelin.rest.LoginRestApi.proceedToLogin(LoginRestApi.java:149)

at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:208)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)

at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)

at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)

at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)

at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)

at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)

at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)

at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)

at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)

at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)

at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)

at org.glassfish.jersey.internal.Errors.process(Errors.java:316)

at org.glassfish.jersey.internal.Errors.process(Errors.java:298)

at org.glassfish.jersey.internal.Errors.process(Errors.java:268)

at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)

at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)

at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)

at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)

at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)

at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)

at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)

at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)

at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)

at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)

at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)

at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)

at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)

at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)

at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)

at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)

at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)

at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)

at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)

at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)

at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)

at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)

at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)

at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)

at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)

at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)

at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)

at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:219)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)

at org.eclipse.jetty.server.Server.handle(Server.java:531)

at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)

at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)

at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)

at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)

at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)

at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)

at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762)

at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680)

at java.lang.Thread.run(Thread.java:745)

Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure

at org.jvnet.libpam.PAM.check(PAM.java:106)

at org.jvnet.libpam.PAM.authenticate(PAM.java:124)

at org.apache.zeppelin.realm.PamRealm.doGetAuthenticationInfo(PamRealm.java:72)

... 82 more

 WARN [2019-10-11 12:27:03,672] ({qtp466505482-64} LoginRestApi.java[postLogin]:215) - {"status":"FORBIDDEN","message":"","body":""}

=============================

 

 

The output of /var/log/auth.log also shows some strange messages, including "unexpected response from failed conversation function".

 

=============================

Oct 11 11:56:11 hypatia-0 java: pam_unix(sshd:auth): unexpected response from failed conversation function

Oct 11 11:56:11 hypatia-0 su[32645]: Successful su for zeppelin by root

Oct 11 11:56:11 hypatia-0 su[32645]: + ??? root:zeppelin

Oct 11 11:56:11 hypatia-0 su[32645]: pam_unix(su:session): session opened for user zeppelin by (uid=0)

Oct 11 11:56:11 hypatia-0 systemd-logind[861]: New session c1695 of user zeppelin.

Oct 11 11:56:11 hypatia-0 unix_chkpwd[32634]: check pass; user unknown

Oct 11 11:56:11 hypatia-0 unix_chkpwd[32634]: password check failed for user (angelo)

Oct 11 11:56:11 hypatia-0 java: pam_unix(sshd:auth): authentication failure; logname= uid=1096 euid=1096 tty= ruser= rhost=  user=angelo

Oct 11 11:56:11 hypatia-0 su[32645]: pam_unix(su:session): session closed for user zeppelin

Oct 11 11:56:11 hypatia-0 systemd-logind[861]: Removed session c1695.

=========================================

 

 

To debug this I wrote my own java code to authenticate to PAM using the code from Shimo tutorial (https://shiro.apache.org/tutorial.html), and that one worked. I believe therefore that something in the current Zeppelin version has screwed the interface to PAM.

 

Can you get a look on it and check if there is something to do?

 

Best regards

1 REPLY 1

New Contributor

I had same issue with not successful login via PAM.
I couldn’t fix it and just switched to anonymous mode.
My environment is CDH 7.1.4 trial on VirtualBox CentOS 7.8.2003 .

 

Stop Zeppelin before configuration amendment.

1. zeppelin.anonymous.allowed new value true.

shiro.ini-1.png

2. in the block zeppelin.shiro.user.block add new user admin = admin, admin

3. comment PAM configuration on zeppelin.shiro.main.block

shiro.ini-2.png

4. in the block zeppelin.shiro.roles.block new role admin = *

shiro.ini-3.png

5. in the block zeppelin.shiro.urls.block value /** = authc is changed into /** = anon

shiro.ini-4.png

Save configuration and start Zeppelin service.

shiro.ini-5-Zeppelin.png

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.