Created 07-10-2017 12:53 PM
I am using Zeppelin 0.7.1 configured AD authentication and HDP 2.5 with Kerberos. When I simply run "show databases" as "user1" I got error: "Permission denied: user [user1@MYDOMAIN.COM] does not have [USE] [...]". On my other cluster with the same configuration "user1" is treated as "user1" (without @MYDOMAIN.COM) so my policies are working good. Any ideas what could be the reason?
I have also noticed that hive interpreter is logging to separate log file on working cluster, while the cluster with not working Hive interpreter is logging to main Zeppelin log file (where authentication is logged etc.).
Created 07-12-2017 03:23 PM
It is likely you are logging into Zeppelin as user1@MYDOMAIN.COM but the access to databases are for user1. If that is the case you would need to reconfigure your shiro_ini to enable you getting authenticated to Zeppelin as user1 WITHOUT the domain. The following property would do that for you:
activeDirectoryRealm.principalSuffix = @mydomain.com
I hope this helps.
Created 07-13-2017 05:37 AM
Thank you for answer. Exactly, I am logging in as user1@MYDOMAIN.COM. However when I set
activeDirectoryRealm.principalSuffix = @MYDOMAIN.COM
I cant log in using user1, or even user1@MYDOMAIN.COM (ldap error 49, 52e). When I delete above parameter I can log in using @MYDOMAIN.COM upper, lower or mixed cases.
Created 07-13-2017 06:52 AM
ldap error 49, 52e - it is your systemUsername and systemPassword are incorrect. Basically, including the above parameter you need to provide systemUsername WITHOUT domain name.
Created 07-14-2017 12:32 PM
Still not working. I workaround this by setting local system authentication (which is SSSD). Now I can log in using just username without domain
Created 07-14-2017 12:38 PM