Explorer
Posts: 20
Registered: ‎12-19-2017

[HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

Hello my dear gods of the Big Data!

 

I'm having the following problems:

 

Problem #1 - all users are logging in as superusers. How is this possible? I have a 5.12 cluster and this isn't happening. On the new one (CDH 6), Hue is giving this permission to everyone. What am I missing?

 

Problem #2 - LDAP configuration. Hue isn't using my filters!?

 

LDAP Configuration:

 

Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini

[desktop]
[[ldap]]
sync_groups_on_login=true
debug_level=255
trace_level=9

 

Authentication Backend (LdapBackend ldap_url) - ldap://stuff1.stuff2.stuff3:389

LDAP Username Pattern (ldap_username_pattern) - empty

Use Search Bind Authentication (search_bind_authentication) - True

Create LDAP users on login (create_users_on_login) - True

LDAP Search Base (base_dn) - dc=stuff1,dc=stuff2,dc=stuff3
LDAP Bind User Distinguished Name (bind_dn) - CN=user,OU=stuff4,DC=stuff1,DC=stuff2,DC=stuff3
LDAP Bind Password (bind_password) - •••••••••••••••••••••
LDAP User Filter (user_filter) - empty
LDAP Username Attribute (user_name_attr) - sAMAccountName
LDAP Group Filter (group_filter) - (&(objectClass=group)(cn=GBGDATA*))
LDAP Group Name Attribute (group_name_attr) - cn
LDAP Group Membership Attribute (group_member_attr) - member
 
The idea behind this configuration is to filter all accesses to users that belong to all groups which start with "GBGDATA". 

In access.log, debug shows this:
[26/Oct/2018 14:57:52 +0100] DEBUG search_s('dc=stuff1,dc=stuff2,dc=stuff3', 2, '(&(sAMAccountName=%(user)s)(objectclass=*))') returned 1 objects: cn=myuser,ou=stuff5,dc=stuff1,dc=stuff2,dc=stuff3
[26/Oct/2018 14:57:52 +0100] DEBUG Populating Django user myuser
[26/Oct/2018 14:57:53 +0100] WARNING 123.123.123.123 myuser - "POST /hue/accounts/login HTTP/1.1"-- Successful login for user: myuser

Why in the hell is HUE using:
(&(sAMAccountName=%(user)s)(objectclass=*))

Instead of what I've set above???

 

Thanks everyone!

Explorer
Posts: 20
Registered: ‎12-19-2017

Re: [HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

We managed to find a... sort of... solution... I think... at least... it seems to be working.

 

Changed:

LDAP User Filter (user_filter) from empty to 

(|(memberOf=CN=GBGDATA1,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3) (memberOf=CN=GBGDATA2,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3)(memberOf=CN=GBGDATA3,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3))

 
LDAP Group Filter (group_filter) from (&(objectClass=group)(cn=GBGDATA*)) to (objectClass=group)
 
 
Is there any way of doing this but with a wildcard *? Like GBGDATA*?
 
If we need to put more groups... this is going to become a huge pain in the a...
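
Added example, not part of the thread or of Hue's code: Active Directory does not apply substring wildcards to DN-valued attributes such as memberOf, so one workable route is to take the group DNs returned by the wildcard group search (cn=GBGDATA* works because cn is a string attribute) and generate the user_filter from them. The function names, the sample DNs and the way the login filter is composed (inferred from the debug log in the first post) are assumptions; the nested option uses AD's LDAP_MATCHING_RULE_IN_CHAIN OID.

```python
import re

# AD-only matching rule that also follows nested group membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"

def escape_filter_value(value):
    """RFC 4515 escaping so a DN cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def groups_with_prefix(group_dns, prefix):
    """Keep DNs whose leading CN starts with prefix (what cn=PREFIX* selects)."""
    keep = []
    for dn in group_dns:
        m = re.match(r"\s*CN=([^,]+),", dn, re.IGNORECASE)
        if m and m.group(1).upper().startswith(prefix.upper()):
            keep.append(dn)
    return sorted(keep)

def member_of_filter(group_dns, nested=False):
    """Build the OR-of-memberOf user_filter; refuse an empty group list."""
    if not group_dns:
        raise ValueError("no groups: an empty filter would admit every user")
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    clauses = ["(%s=%s)" % (attr, escape_filter_value(dn)) for dn in group_dns]
    return clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)

def login_search_filter(user_name_attr, user_filter):
    """Assumed composition, matching the filter shown in the debug log."""
    user_filter = user_filter.strip() or "objectclass=*"
    if not user_filter.startswith("("):
        user_filter = "(%s)" % user_filter
    return "(&(%s=%%(user)s)%s)" % (user_name_attr, user_filter)

# Constructed sample: DNs as a group search would return them.
SAMPLE_GROUP_DNS = [
    "CN=GBGDATA2,OU=stuff4,OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3",
    "CN=GBGDATA1,OU=stuff4,OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3",
    "CN=OtherTeam,OU=stuff4,OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3",
]

if __name__ == "__main__":
    allowed = groups_with_prefix(SAMPLE_GROUP_DNS, "GBGDATA")
    print("user_filter =", member_of_filter(allowed))
    print("empty user_filter ->", login_search_filter("sAMAccountName", ""))
```

With nested=True, a single parent group that contains every GBGDATA group keeps the filter to one clause as groups are added.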
Explorer
Posts: 10
Registered: ‎11-07-2018

Re: [HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

@JoaoBarreto

 

Did you find an answer to "Problem #1 - all users are logging in as superusers. How is this possible? I have a 5.12 cluster and this isn't happening. On the new one (CDH 6), Hue is giving this permission to everyone. What am I missing?"

 

We are facing the same issue now 

Posts: 998
Topics: 1
Kudos: 249
Solutions: 126
Registered: ‎04-22-2014

Re: [HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

Hi @Timothy,

 

The issue with superusers is a bug resolved in this upstream Jira:

 

https://issues.cloudera.org/browse/HUE-8675

 

There is no CDH release with the fix at this time, but it is slated for CDH 6.1.1 (targeted for release in February).

If you need the fix sooner, you could try applying the changes to your code based on the upstream fix.

Explorer
Posts: 10
Registered: ‎11-07-2018

Re: [HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

@JoaoBarreto Based on our research, it looks like the fix for all users being super users is in https://github.com/cloudera/hue/commit/5fa75c3176b2065709021284803aa61e9e72f0a5#diff-ce4495f7505de11... but hasn't been merged to master. I see a lot of bugs in the newer versions. We have got several issues with the new Hue version which we didn't have before. For example, TLS doesn't seem to work anymore and it has to be LDAPS. Our EMR is due for upgrades and all these issues are delaying the progress.
