
knox AD auth HTTP ERROR 403


Hello

I am trying to log in to services (for example Zeppelin in this case) through the Knox gateway, which is configured to use Active Directory.

When I open the Zeppelin web UI via the link https://knoxhost:8443/gateway/default/zeppelin/#/, the Zeppelin web page appears successfully, but when I enter a user and password (which exist in the AD), Zeppelin says "The username and password that you entered don't match."

From the CLI with curl:

[root@hdp3 ~]# curl -ku user:pass 'https://knoxhost:8443/gateway/default/zeppelin/#/'
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 403 Forbidden</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /gateway/default/zeppelin/. Reason:
<pre>    Forbidden</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>


</body>
</html>

Here is the Knox advanced topology configuration:

<topology>
    <gateway>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapContextFactory</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory</name>
                <value>$ldapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://activedirectory:389</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.systemUsername</name>
                <value>CN=systemuser,OU=systemusers,DC=ab,DC=cd</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.systemPassword</name>
                <value>password</value>
            </param>
            <param>
                <name>main.ldapRealm.userSearchBase</name>
                <value>OU=users,OU=normalusersandgroups,DC=ab,DC=cd</value>
            </param>
            <param>
                <name>main.ldapRealm.userSearchAttributeName</name>
                <value>sAMAccountName</value>
            </param>
            <param>
                <name>main.ldapRealm.userObjectClass</name>
                <value>person</value>
            </param>
            <param>
                <name>main.ldapRealm.authorizationEnabled</name>
                <value>true</value>
            </param>
            <param>
                <name>main.ldapRealm.groupSearchBase</name>
                <value>OU=groups,OU=normalusersandgroups,DC=ab,DC=cd</value>
            </param>
            <param>
                <name>main.ldapRealm.groupObjectClass</name>
                <value>group</value>
            </param>
            <param>
                <name>main.ldapRealm.groupIdAttribute</name>
                <value>sAMAccountName</value>
            </param>
            <param>
                <name>main.ldapRealm.memberAttribute</name>
                <value>member</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>main.cacheManager</name>
                <value>org.apache.shiro.cache.ehcache.EhCacheManager</value>
            </param>
            <param>
                <name>main.securityManager.cacheManager</name>
                <value>$cacheManager</value>
            </param>
            <param>
                <name>main.ldapRealm.authenticationCachingEnabled</name>
                <value>true</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>

        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>

        <provider>
            <role>authorization</role>
            <name>AclsAuthz</name>
            <enabled>true</enabled>
            <param>
                <name>knox.acl</name>
                <value>*;hadoopgroup;*</value>
            </param>
            <param>
                <name>zeppelin.acl</name>
                <value>*;hadoopgroup;*</value>
            </param>
            <param>
                <name>zeppelinui.acl</name>
                <value>*;hadoopgroup;*</value>
            </param>
        </provider>
    </gateway>

    <service>
        <role>ZEPPELIN</role>
        <url>http://zeppelin:9995</url>
    </service>

    <service>
        <role>ZEPPELINUI</role>
        <url>http://zeppelin:9995</url>
    </service>

    <service>
        <role>ZEPPELINWS</role>
        {{zeppelin_ws_urls}}
    </service>
</topology>

The gateway-audit.log:

17/06/16 16:16:58 ||d4dca7d6-ea10-4ace-8fb9-b5dc831c49ec|audit|ZEPPELINUI||||access|uri|/gateway/default/zeppelin/api/login|success|Response status: 403
17/06/16 16:26:06 ||75b9e211-86c2-4b5f-a030-dd63207cecb9|audit|ZEPPELINUI||||access|uri|/gateway/default/zeppelin/api/login|unavailable|Request method: POST
17/06/16 16:26:06 ||75b9e211-86c2-4b5f-a030-dd63207cecb9|audit|ZEPPELINUI||||authorization|uri|/gateway/default/zeppelin/api/login|failure|
17/06/16 16:26:06 ||75b9e211-86c2-4b5f-a030-dd63207cecb9|audit|ZEPPELINUI||||access|uri|/gateway/default/zeppelin/api/login|success|Response status: 403
17/06/16 16:44:42 ||bec96d97-f747-4947-8521-a92c75c59df8|audit|ZEPPELINUI||||access|uri|/gateway/default/zeppelin/api/login|unavailable|Request method: POST
17/06/16 16:44:42 ||bec96d97-f747-4947-8521-a92c75c59df8|audit|ZEPPELINUI||||authorization|uri|/gateway/default/zeppelin/api/login|failure|
17/06/16 16:44:42 ||bec96d97-f747-4947-8521-a92c75c59df8|audit|ZEPPELINUI||||access|uri|/gateway/default/zeppelin/api/login|success|Response status: 403
17/06/16 16:44:50 ||53362922-0f96-488a-84aa-031163e865e6|audit|ZEPPELINUI||||access|uri|/gateway/default/zeppelin/|unavailable|Request method: GET
17/06/16 16:44:50 ||53362922-0f96-488a-84aa-031163e865e6|audit|ZEPPELINUI||||authorization|uri|/gateway/default/zeppelin/|failure|
17/06/16 16:44:50 ||53362922-0f96-488a-84aa-031163e865e6|audit|ZEPPELINUI||||access|uri|/gateway/default/zeppelin/|success|Response status: 403

P.S. I changed "OU=users,OU=normalusersandgroups,DC=ab,DC=cd" above, but it is correct; I use these parameters in other services and they work properly.

Please help if you have any idea. Thank you.
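A small triage script for the gateway-audit.log lines quoted above, added here as an example (it is not part of the original post and not Knox's own tooling). It groups the pipe-delimited audit events by request id and reports which provider stage logged the failure, so that a 403 can be attributed to the authorization provider (the AclsAuthz ACLs) rather than to the Shiro/AD authentication step; the field order is assumed to follow the Knox AuditLayout.

```python
from collections import defaultdict

# Field order after the timestamp, per the Knox AuditLayout; the root request
# id shares the first token with the timestamp, separated by a space.
FIELDS = ("parent_id", "request_id", "logger", "service", "user", "proxy_user",
          "system_user", "action", "resource_type", "resource", "outcome", "message")

# Audit lines copied from the post above (not constructed).
SAMPLE_LINES = """\
17/06/16 16:16:58 ||d4dca7d6-ea10-4ace-8fb9-b5dc831c49ec|audit|ZEPPELINUI||||access|uri|/gateway/default/zeppelin/api/login|success|Response status: 403
17/06/16 16:44:42 ||bec96d97-f747-4947-8521-a92c75c59df8|audit|ZEPPELINUI||||access|uri|/gateway/default/zeppelin/api/login|unavailable|Request method: POST
17/06/16 16:44:42 ||bec96d97-f747-4947-8521-a92c75c59df8|audit|ZEPPELINUI||||authorization|uri|/gateway/default/zeppelin/api/login|failure|
17/06/16 16:44:42 ||bec96d97-f747-4947-8521-a92c75c59df8|audit|ZEPPELINUI||||access|uri|/gateway/default/zeppelin/api/login|success|Response status: 403
""".splitlines()


def parse_audit_line(line):
    """Split one audit line into a dict; raise on an unexpected layout."""
    head, *rest = line.rstrip("\n").split("|")
    if len(rest) != len(FIELDS):
        raise ValueError(f"unexpected field count in audit line: {line!r}")
    timestamp, _, root_id = head.rpartition(" ")
    record = dict(zip(FIELDS, rest))
    record.update(timestamp=timestamp, root_id=root_id)
    return record


def triage(lines):
    """Group events by request id and report which provider stage failed."""
    # Knox writes an 'access' event when a request arrives, one event per
    # provider that records an outcome (e.g. 'authorization'), and a final
    # 'access' event carrying the HTTP status returned to the client.
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_audit_line(line)
            events[rec["request_id"]].append(rec)
    summary = {}
    for request_id, recs in events.items():
        failed = [r["action"] for r in recs if r["outcome"] == "failure"]
        status = next((int(r["message"].split(": ", 1)[1]) for r in recs
                       if r["message"].startswith("Response status: ")), None)
        summary[request_id] = {
            "resource": recs[0]["resource"],
            "user": recs[0]["user"],  # empty on every line in the post
            "status": status,
            "failed_stage": failed[0] if failed else None,  # None: no provider logged a failure
        }
    return summary
```

For the request bec96d97-... the script reports `failed_stage == "authorization"` with status 403, i.e. the request passed the authentication provider and was rejected by the ACL check; note also that the username field is empty on every quoted line.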
