
Zeppelin authentication

New Contributor

Hi, I am trying to authenticate Zeppelin (0.7.3) with LDAP. I am able to successfully authenticate with the same LDAP configuration using Apache Zeppelin 0.7.3, but not with the HDP-installed Zeppelin.

I am getting a null pointer exception at getListRoles in the realm class. That is what I observed from the logging messages, but I am not sure why this exception occurs only in the HDP-based Zeppelin installation.

Please find the attached error issue: zeppeline-error.png


Re: Zeppelin authentication

Hi @V_A n,

I think there is a problem with your configuration for HDP. It looks like it is failing on the code to get user roles from shiro.ini.

  /***
   * Get user roles from shiro.ini for Zeppelin LdapRealm
   * @param r
   * @return
   */
  public  List<String> getRolesList(LdapRealm r) {
    List<String> roleList = new ArrayList<>();
    Map<String, String> roles = r.getListRoles();
    if (roles != null) {
      Iterator it = roles.entrySet().iterator();
      while (it.hasNext()) {
        Map.Entry pair = (Map.Entry) it.next();
        if (LOG.isDebugEnabled()) {
          LOG.debug("RoleKeyValue: " + pair.getKey() + 
                " = " + pair.getValue());
        }
        roleList.add((String) pair.getKey());
      }
    }
    return roleList;
  }

Please check the following has been done correctly for HDP.

https://community.hortonworks.com/articles/105169/hdp-26-configuring-zeppelin-for-active-directory-u...

Re: Zeppelin authentication

New Contributor

Hi @dvillarreal

Modified configuration to add group roles:

activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = <ldap_binding_user> (just username without @domain.com)
activeDirectoryRealm.systemPassword = <ldap_binding_password>
activeDirectoryRealm.searchBase = OU=GROUP,DC=DOMAIN,DC=COM
activeDirectoryRealm.url = ldap://ldap.domain.com:389
activeDirectoryRealm.groupRolesMap = "CN=group,DC=domain,DC=com":"admin
activeDirectoryRealm.authorizationCachingEnabled = true
activeDirectoryRealm.principalSuffix = @domain.com
securityManager.realms = $activeDirectoryRealm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

Now I am getting an authentication failed exception, but with the same user name and password I was able to log in from Apache Zeppelin.

Re: Zeppelin authentication

New Contributor

After the configuration changes I am getting the following exception:

LDAP naming error while attempting to retrieve authorization for user

Re: Zeppelin authentication

New Contributor

Then I specified username@domain.com; again I am getting a login failed exception.

Re: Zeppelin authentication

@V_A n On the unsecure LDAP port 389, tcpdump the traffic when login fails and post it here for me to look at the error.

Re: Zeppelin authentication

Super Collaborator

@V_A n

The value for the realm "activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm" changed in HDP 2.6.x; it is now "org.apache.zeppelin.realm.ActiveDirectoryGroupRealm". Even with the above config, Zeppelin start should fail. Not sure if the config provided is correct.

[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm

activeDirectoryRealm.systemUsername = <binduser>
activeDirectoryRealm.systemPassword = <Password>
activeDirectoryRealm.searchBase = DC=lab,DC=test,DC=net
activeDirectoryRealm.url = ldap://<ldapServer>
activeDirectoryRealm.principalSuffix = @lab.test.net
activeDirectoryRealm.groupRolesMap = "CN=hadoop-users,OU=groups,DC=lab,DC=test,DC=net":"group1"
activeDirectoryRealm.authorizationCachingEnabled = false
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.realms = $activeDirectoryRealm
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

Re: Zeppelin authentication

Super Collaborator

If you are using HDP 2.6.x, I would recommend using LdapRealm instead of ActiveDirectoryGroupRealm.

LdapRealm has more configurable options to customize the way you want to authenticate with AD/LDAP.

[main]
ldapRealm=org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername=<bindUser>@lab.test.net
ldapRealm.contextFactory.systemPassword=<Password>
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url = ldap://<AD-server>
ldapRealm.authorizationEnabled=true
ldapRealm.searchBase=DC=lab,DC=test,DC=net
ldapRealm.userSearchBase=DC=lab,DC=test,DC=net
ldapRealm.groupSearchBase=DC=lab,DC=test,DC=net
ldapRealm.userObjectClass=person
ldapRealm.groupObjectClass=group
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.userSearchScope = subtree
ldapRealm.groupSearchScope = subtree
ldapRealm.userSearchFilter= (&(objectclass=user)(sAMAccountName={0}))
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.realms = $ldapRealm
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
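
A pre-flight check for the shiro.ini problems raised in this thread (realm class in the old package, a malformed groupRolesMap value, a plain ldap:// URL), added here as an example; it is not part of any post or of Zeppelin. The function names and the sample configuration are constructed for illustration.

```python
import re

# Package names as given in the thread: HDP 2.6.x moved the Zeppelin realms
# from org.apache.zeppelin.server to org.apache.zeppelin.realm.
OLD_PKG = "org.apache.zeppelin.server."
NEW_PKG = "org.apache.zeppelin.realm."

# Constructed sample, modeled on the first configuration posted in the thread.
SAMPLE = """\
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = <ldap_binding_user>
activeDirectoryRealm.systemPassword = <ldap_binding_password>
activeDirectoryRealm.searchBase = OU=GROUP,DC=DOMAIN,DC=COM
activeDirectoryRealm.url = ldap://ldap.domain.com:389
activeDirectoryRealm.groupRolesMap = "CN=group,DC=domain,DC=com":"admin
securityManager.realms = $activeDirectoryRealm
"""

def parse_shiro_ini(text):
    """Map each 'key = value' line to its value; skip sections and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def lint(text):
    """Return (key, message) findings for the problems seen in this thread."""
    findings = []
    for key, value in parse_shiro_ini(text).items():
        if "." not in key and value.startswith(OLD_PKG):
            fixed = NEW_PKG + value[len(OLD_PKG):]
            findings.append((key, "old realm package; HDP 2.6.x expects " + fixed))
        if key.endswith(".url") and value.lower().startswith("ldap://"):
            findings.append((key, "plain ldap://, bind credentials travel without TLS"))
        if key.endswith(".groupRolesMap"):
            leftover = re.sub(r'"[^"]*"', "", value)  # drop well-formed "..." pairs
            if value.count('"') % 2:
                findings.append((key, "unbalanced double quote"))
            elif not re.fullmatch(r"[\s:,]*", leftover):
                findings.append((key, "unexpected text after the map: " + leftover.strip(" :,")))
    return findings

if __name__ == "__main__":
    for key, message in lint(SAMPLE):
        print(key + ": " + message)
```

Run it against a copy of shiro.ini before restarting Zeppelin; an empty result means none of these three conditions was found, not that the LDAP settings themselves are correct.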
