Member since 03-04-2016 | 165 Posts | 35 Kudos Received | 7 Solutions
09-06-2016
08:12 AM
I mean the environment where your Apache Ranger and the rest is installed. It can be the sandbox or your laptop's operating system, if that is the place where Hadoop is installed.
09-06-2016
08:00 AM
@Hitesh Rajpurohit You need to create a user with the same username in Apache Ranger. For example: if you created the user "testuser" in your system, then you need to create the same user (testuser) in Apache Ranger, and the policies will now work for "testuser" in your system.
09-06-2016
07:40 AM
1 Kudo
Hi, You cannot create a user in Ambari that will be visible in Apache Ranger. You need to create the user in Apache Ranger and then in your local system (with the same username), or you can synchronize users with Active Directory. To create a user in Apache Ranger you need to have admin privileges; then go to Settings -> Users/Groups and "Add New User".
09-06-2016
07:20 AM
@prabhjyot singh thanks for the answer, but nothing happens when I commented out all ldapRealm*. I still receive that the user has no roles (does not belong to a group).
WARN [2016-09-06 09:20:19,042] ({qtp1029098726-16} LoginRestApi.java[postLogin]:112) - {"status":"OK","message":"","body":{"principal":"ZeppelinUser10","ticket":"753601d0-5958-4092-bf32-1f5b84b6a8f1","roles":"[]"}}
09-05-2016
03:07 PM
And every 10 seconds I got this error in the log:
ERROR [2016-09-05 17:07:16,486] ({qtp1029098726-14} NotebookServer.java[onMessage]:211) - Can't handle message
java.lang.Exception: Invalid ticket 8f240ec6-33f2-485e-a9e5-21f88b885b9f != 580fd7ff-0457-4f6b-9796-e796b928af4d
at org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:117)
at org.apache.zeppelin.socket.NotebookSocket.onWebSocketText(NotebookSocket.java:56)
at org.eclipse.jetty.websocket.common.events.JettyListenerEventDriver.onTextMessage(JettyListenerEventDriver.java:128)
at org.eclipse.jetty.websocket.common.message.SimpleTextMessage.messageComplete(SimpleTextMessage.java:69)
at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.appendMessage(AbstractEventDriver.java:65)
at org.eclipse.jetty.websocket.common.events.JettyListenerEventDriver.onTextFrame(JettyListenerEventDriver.java:122)
at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.incomingFrame(AbstractEventDriver.java:161)
at org.eclipse.jetty.websocket.common.WebSocketSession.incomingFrame(WebSocketSession.java:309)
at org.eclipse.jetty.websocket.common.extensions.ExtensionStack.incomingFrame(ExtensionStack.java:214)
at org.eclipse.jetty.websocket.common.Parser.notifyFrame(Parser.java:220)
at org.eclipse.jetty.websocket.common.Parser.parse(Parser.java:258)
at org.eclipse.jetty.websocket.common.io.AbstractWebSocketConnection.readParse(AbstractWebSocketConnection.java:632)
at org.eclipse.jetty.websocket.common.io.AbstractWebSocketConnection.onFillable(AbstractWebSocketConnection.java:480)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
09-05-2016
01:21 PM
2 Kudos
Hi, I am using HDP 2.3.0 with Zeppelin 0.6.0. I configured LDAP/AD for users and groups. I can successfully log in as an AD user, but when I create a role for my AD group in shiro.ini and then set permissions on the notebook only to this AD group, I cannot be authorized (no roles (groups) bound to my user). Please check my configs below. ZeppelinUser10 belongs to both AD groups - ZeppelinGroup1 and ZeppelinGroup2.

shiro.ini
[main]
### A sample for configuring Active Directory Realm
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = CN=ZeppelinUser1,OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
activeDirectoryRealm.systemPassword = mypass
activeDirectoryRealm.searchBase = OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
activeDirectoryRealm.url = ldap://myldap.com:389
activeDirectoryRealm.groupRolesMap = "CN=ZeppelinGroup1,OU=Groups,OU=Zeppelin,DC=MYAD,DC=COM":"ZeppelinGroup1","CN=ZeppelinGroup2,OU=Groups,OU=Zeppelin,DC=MYAD,DC=COM":"ZeppelinGroup2"
activeDirectoryRealm.authorizationCachingEnabled = true
### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
ldapRealm.contextFactory.url = ldap://myldap.com:389
ldapRealm.userDnTemplate = cn={0},OU=Users,OU=Zeppelin,DC=MYAD,DC=COM
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[roles]
role1 = *
role2 = *
role3 = *
ZeppelinGroup1 = *
ZeppelinGroup2 = *

log
ERROR [2016-09-05 15:07:02,069] ({qtp1029098726-16} LdapGroupRealm.java[getRoleNamesForUser]:89) - Error
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'OU=Users,OU=Zeppelin,DC=MYAD,DC=COM'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3127)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1789)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
at org.apache.zeppelin.server.LdapGroupRealm.getRoleNamesForUser(LdapGroupRealm.java:67)
at org.apache.zeppelin.server.LdapGroupRealm.queryForAuthorizationInfo(LdapGroupRealm.java:50)
at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthorizationInfo(JndiLdapRealm.java:313)
at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341)
at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:571)
at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:374)
at org.apache.shiro.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:153)
at org.apache.shiro.subject.support.DelegatingSubject.hasRole(DelegatingSubject.java:224)
at org.apache.zeppelin.utils.SecurityUtils.getRoles(SecurityUtils.java:113)
at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:78)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:100)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
WARN [2016-09-05 15:07:02,076] ({qtp1029098726-16} LoginRestApi.java[postLogin]:112) - {"status":"OK","message":"","body":{"principal":"ZeppelinUser10","ticket":"753601d0-5958-4092-bf32-1f5b84b6a8f1","roles":"[]"}}
Labels: Apache Zeppelin
08-18-2016
03:06 PM
1 Kudo
Hi all! I can confirm that Zeppelin LDAP authentication works with HDP stack version 2.3.0. The only problem is that when I use LdapGroupRealm with ldapRealm.contextFactory.environment set to the OU with groups only, I can access Zeppelin as users from any other OU, and these users are not members of any group. When I use JndiLdapRealm, I have access only as users from the OU set in userDnTemplate, which is OK. Below is my shiro.ini config for the first situation I described:

### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
#ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = cn={0},OU=Groups,OU=Zeppelin,DC=MYAD1,DC=COM
ldapRealm.contextFactory.url = ldap://192.168.1.100:389
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
#ldapRealm.userDnTemplate = cn={0},OU=Users,OU=Zeppelin,DC=MYAD1,DC=COM

My question is: does the default Shiro realm (LdapGroupRealm or JndiLdapRealm) support filtering? I would like to filter users to authenticate. It would be perfect if I could authenticate users by the groups they belong to. Should I use an external .jar? I use Zeppelin 0.6.0 with HDP stack 2.3.0.
08-12-2016
03:29 PM
@Sunile Manjee Thank you for the answer. So there is no way to authenticate Zeppelin via LDAP+AD in HDP stack 2.3.0 or 2.3.2? And that is why I can't see shiro.ini in my conf folder?
08-12-2016
03:21 PM
@Sunile Manjee I installed the zeppelin-0.6.0-incubating-SNAPSHOT.tar.gz tarball. As I read, LDAP authentication is currently available for HDP version 2.4 source
08-12-2016
03:13 PM
Hi, My cluster is not Kerberized. I am using HDP 2.3.0 with Ambari 2.1.1. I updated Spark to 1.6.0 (from the HDP 2.4 stack) and installed Zeppelin from this tutorial. I have a problem with authentication. When I set zeppelin.anonymous.allowed to false in Ambari and restart Zeppelin, I can still access Zeppelin without providing credentials. Also, I want to configure authentication via Active Directory, but I can't find the shiro.ini file. Zeppelin is installed in /opt/zeppelin. My questions are:
1. Is AD or any authentication method supported for Zeppelin for the component versions in my case?
2. Is AD authentication supported in HDP 2.3.2?
3. Does Zeppelin work with Spark version 1.3.1?
4. Why can't I see shiro.ini in the conf directory?
What's strange: in Ambari -> Add services I see Zeppelin Notebook in version 0.0.10. Thank you in advance!