Member since 02-21-2017 | 25 Posts | 4 Kudos Received | 1 Solution

My Accepted Solutions

Title | Views | Posted
---|---|---
 | 1838 | 05-14-2017 10:45 PM
06-27-2017 03:07 AM | 1 Kudo
I have been trying to configure groups and roles mapping in Shiro Config of Zeppelin. I am using FreeIPA as the LDAP Server and therefore I need to use ldapRealm in Shiro. I need to assign different 'roles' to different LDAP groups and then define what access these different roles have in Zeppelin. I could not get any documentation online for achieving this using ldapRealm. I have achieved the same using ActiveDirectoryRealm in a different env where AD was used. However, I have not been able to successfully do the config using ldapRealm. Any guidance appreciated.
Labels: Apache Zeppelin

06-04-2017 11:25 PM
@m b The "best option" depends on your requirement. If you don't need column-level security or centralized administration of security policies, then you can opt for just SQL Standard authorization. Make a list of your requirements first and then compare your options to decide which one suits your requirements best. If you are using Cloudera, you have other options like Sentry and RecordService: https://stackoverflow.com/questions/39326456/how-to-choose-between-apache-ranger-and-sentry There is no single document to help you make this decision. You will have to gather your requirements and then compare the feature list of all your options to decide which one is best for your requirements. I hope this helps.
06-02-2017 06:15 AM
This may help you: http://ranger.apache.org/faq.html#How_does_Apache_Ranger_authorization_compare_to_SQL_standard_authorization Ranger provides more granular access control at the column level, whereas SQL standard authorization provides grant/revoke functionality at the database and table level.
05-14-2017 10:45 PM
The issue got resolved. I had to take out the line "securityManager.realms = $activeDirectoryRealm" from my config and that resolved the issue. I don't see anything wrong in the line I took out. However, I believe this is an optional config.
05-05-2017 04:19 AM
The "Cluster CPU" visualization displayed in the YARN Summary always shows an average utilization of 50%, even when the data nodes are idle. The "CPU Usage" of the individual data nodes is close to zero when no jobs are running, as seen on the "Summary" tab for the host in Ambari. Then why does the "Cluster CPU" graph always show 50% as the average? What exactly is it trying to depict? The definition says "Percentage of CPU utilized across all NodeManager hosts.". So, when it says 50% avg, does that mean (for example) 4 CPUs out of the 8 total CPUs of all NodeManager hosts are being used?
Labels: Apache Ambari, Apache YARN

05-02-2017 03:33 AM
@Kshitij Badani Thanks Kshitij for your response. I tried it but the result is the same. To be precise, the permissions on the Notebooks work fine when I use the AD user. However, it doesn't work when I use an AD group. For example, if I configure user1 to be the 'reader' of the notebook note1, user1 can read note1. When I configure group1 to be the 'reader' of note1, then user1, who is a member of group1, is NOT able to read note1. Even while setting up the note permissions, I can look up the AD user in the search text box but NOT the AD group. Do you have any suggestion for me to troubleshoot this?
05-01-2017 12:17 AM
I have integrated Zeppelin with AD. The authentication works fine. However, the authorization works only partially, i.e. the authorization is effective on the "interpreter" and "configurations" URLs but not effective on Notebooks.
I have a user User1 who is a member of AD_Group1 which is associated with the "admin" role in Shiro. I have a dashboard for which I have configured AD_Group1 as reader, writer and owner.
When I log in as User1 and try to access the dashboard, I am getting the message "But the user User1 belongs to: [User1]". Clearly, Zeppelin is not aware of the group membership of the user.
Below mentioned is my Shiro configuration:

```ini
[users]
admin = password1
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = user1
activeDirectoryRealm.systemPassword = pwd
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
activeDirectoryRealm.searchBase = DC=testcore,DC=test,DC=dir,DC=org,DC=com
activeDirectoryRealm.url = ldaps://testcore.test.dir.org.com:636
activeDirectoryRealm.groupRolesMap = "CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true
activeDirectoryRealm.principalSuffix = @testcore.test.dir.org.com
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
securityManager.realms = $activeDirectoryRealm
[roles]
admin = *
[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc
```
I don't see a call made to AD to check the group membership when a Notebook is accessed. These are the logs that I see when I access the Notebook:

```
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} AbstractEventDriver.java[incomingFrame]:103) - incomingFrame(TEXT[len=126,fin=true,rsv=...,masked=true])
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:106) - RECEIVE << GET_NOTE
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:107) - RECEIVE PRINCIPAL << user1
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:108) - RECEIVE TICKET << b2512330-0a0f-4631-9913-c688d1c9d7f2
DEBUG [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[onMessage]:109) - RECEIVE ROLES << []
INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[sendNote]:423) - New operation from 10.60.179.195 : 49895 : user1 : GET_NOTE : 2CC4Z4DEX
INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[permissionError]:411) - Cannot read. Connection readers [user1]. Allowed readers [APPADMIN]
DEBUG [2017-04-11 10:34:39,044] ({qtp1170794006-15} WebSocketRemoteEndpoint.java[sendString]:385) - sendString with HeapByteBuffer@669d45b[p=0,l=235,c=235,r=235]={<<<{"op":"AUTH_INFO"...us","roles":""}>>>}
```

However, when I access the "interpreter" or "configurations" URL, I get the below logs which explain why the config is effective for URLs:

```
DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForUser]:286) - Groups found for user [user1]: [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com]
DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForGroups]:316) - User is member of group [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com] so adding role [admin]
```
The above issue was a known issue with Zeppelin and it is supposed to be fixed in my Zeppelin version.
Please see the defect URL here: https://github.com/apache/zeppelin/pull/986 Any help is appreciated.
Labels: Apache Zeppelin
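The Shiro wiring in the post above, and the ldapRealm group-to-role question in the first post on this page, both come down to the same thing: whether a group found in the directory actually turns into a role that the [urls] rules ask for. The following is an added example, not Zeppelin's or Shiro's own code: a small Python linter that parses a shiro.ini, extracts the group-to-role map and flags URL rules that require a role no group maps to, dangling securityManager.realms references, and a /** catch-all that is not the last rule. The embedded sample is the poster's AD config with secrets and session settings trimmed and one constructed /api/notebook/** rule added to trigger a finding; the ldapRealm.rolesByGroup format ("GROUP: role, GROUP: role") is an assumption taken from the Zeppelin documentation, not from this page.

```python
"""Lint a Zeppelin shiro.ini for group-to-role wiring mistakes.

Added example, not Zeppelin's or Shiro's own code. It reads the
activeDirectoryRealm.groupRolesMap form used in the post above and, as an
assumption taken from the Zeppelin docs, the ldapRealm.rolesByGroup form
("GROUP: role, GROUP: role") that an ldapRealm/FreeIPA setup would use.
"""
import configparser
import re

# The poster's AD config, trimmed of secrets and session settings, plus one
# constructed rule (/api/notebook/** needing role 'analyst') to exercise the checks.
SAMPLE_SHIRO_INI = """\
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.searchBase = DC=testcore,DC=test,DC=dir,DC=org,DC=com
activeDirectoryRealm.url = ldaps://testcore.test.dir.org.com:636
activeDirectoryRealm.groupRolesMap = "CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true
activeDirectoryRealm.principalSuffix = @testcore.test.dir.org.com
shiro.loginUrl = /api/login
securityManager.realms = $activeDirectoryRealm
[roles]
admin = *
[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/notebook/** = authc, roles[analyst]
/** = authc
"""

ROLES_IN_RULE = re.compile(r"roles\[([^\]]+)\]")
QUOTED_PAIR = re.compile(r'"([^"]+)"\s*:\s*"([^"]+)"')


def _parse(ini_text):
    """Shiro ini is close enough to Python's ini dialect once '=' is the only delimiter."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: securityManager.realms, groupRolesMap, ...
    cp.read_string(ini_text)
    return cp


def group_role_map(ini_text):
    """Return {group: role} from every *.groupRolesMap / *.rolesByGroup key in [main]."""
    cp = _parse(ini_text)
    mapping = {}
    if not cp.has_section("main"):
        return mapping
    for key, value in cp["main"].items():
        if key.endswith(".groupRolesMap"):      # "DN":"role","DN":"role"
            for group, role in QUOTED_PAIR.findall(value):
                mapping[group] = role
        elif key.endswith(".rolesByGroup"):     # GROUP: role, GROUP: role (assumed form)
            for pair in value.split(","):
                group, _, role = pair.partition(":")
                if group.strip() and role.strip():
                    mapping[group.strip()] = role.strip()
    return mapping


def lint_shiro(ini_text):
    """Return (finding, detail) tuples; an empty list means the wiring looks consistent."""
    cp = _parse(ini_text)
    findings = []
    main = cp["main"] if cp.has_section("main") else {}
    mapped_roles = set(group_role_map(ini_text).values())

    # 1. securityManager.realms is optional (Shiro registers every realm defined
    #    in [main] when it is absent), but if it is set each $ref must resolve.
    objects = {key for key in main if "." not in key}
    for ref in main.get("securityManager.realms", "").split(","):
        ref = ref.strip().lstrip("$")
        if ref and ref not in objects:
            findings.append(("unknown-realm", ref))

    # 2. A roles[...] requirement that no directory group maps to can never be
    #    met by an AD/LDAP user, so that rule silently locks everyone out.
    urls = cp["urls"] if cp.has_section("urls") else {}
    for path, rule in urls.items():
        filters = [f.strip() for f in rule.split(",")]
        if "anon" in filters:
            findings.append(("anonymous-path", path))
        for role_list in ROLES_IN_RULE.findall(rule):
            for role in role_list.split(","):
                if role.strip() not in mapped_roles:
                    findings.append(("role-without-group", f"{path} needs {role.strip()}"))

    # 3. [urls] is evaluated first-match-wins, so a /** catch-all that is not the
    #    last rule shadows everything written after it.
    paths = list(urls.keys())
    if "/**" in paths and paths.index("/**") != len(paths) - 1:
        findings.append(("catch-all-not-last", "/**"))
    return findings


if __name__ == "__main__":
    print(group_role_map(SAMPLE_SHIRO_INI))
    for finding, detail in lint_shiro(SAMPLE_SHIRO_INI):
        print(f"{finding}: {detail}")
```

On the sample this reports the anonymous /api/version rule (for review, not necessarily a problem) and the constructed /api/notebook/** rule whose 'analyst' role no group maps to. It validates only the ini; the notebook-level denial in the post's log (`RECEIVE ROLES << []` on the websocket while the REST URL filter does see the group) happens in Zeppelin's notebook server, which a config linter cannot observe.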
04-28-2017 03:35 AM | 1 Kudo
The exception is clearly saying:

```
26 Apr 2017 22:02:38 ERROR CustomSSLSocketFactory [UnixUserSyncThread] - Unable to obtain keystore from file [/usr/hdp/current/ranger-usersync/conf/mytruststore.jks]
```

You are using "ldaps" and therefore you need to add the AD's SSL certificate to the above mentioned trust store file using the command:

```
# keytool -import -trustcacerts -file <path_to_cert> -keystore /usr/hdp/current/ranger-usersync/conf/mytruststore.jks
```
04-28-2017 02:25 AM
Generally, it is not a good practice to have a space in an LDAP user name. However, in my env, Ambari is not considering the space as a delimiter, i.e. it is able to consider the full name in the sync request (though it fails as I have used a dummy user):

```
Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups...
ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. Couldn't sync LDAP user xxxx yyyy, it doesn't exist
```

Please open your users.txt file in the VI editor and check for any commas in between the first name and the last name. If it is all good, then please check the below mentioned properties in your ambari.properties:

```
authentication.ldap.userObjectClass=user
authentication.ldap.usernameAttribute=sAMAccountName
```
04-27-2017 05:22 AM | 1 Kudo
You just need to specify comma-separated user names: user1, user2,..........,userN Note that it is just the user name and NOT the full DN of the user. If you are getting the "user doesn't exist" error, please check your ambari.properties for the LDAP configuration. It is most likely that the baseDN specified has the groups under it but not the users. Please correct the baseDN in that case.
04-26-2017 01:45 AM
Yes, you can. SCP the file to any of the data nodes and then run your shell script to validate it. The file will be available in HDFS only when you use the "hadoop fs -put" command and put it into the HDFS.
04-21-2017 11:48 PM
My suggestion was based on your ambari properties in which the baseDN is set to "OU=Users,OU=Enterprise,DC=hq,DC=group". Please remove the "OU" part from your baseDN as your users and groups are in different OUs (again, based on your ambari properties).
04-21-2017 01:48 AM
Please set the baseDn to "DC=hq,DC=group" in your ambari.properties and give it a try.
04-19-2017 10:44 PM
The value for the property "authentication.ldap.groupNamingAttr" in your config does not look right. I have the below config and it works fine for me:

```
authentication.ldap.groupNamingAttr=cn
```
04-19-2017 10:20 PM
This may help you : https://community.hortonworks.com/questions/36464/how-to-use-nifi-to-incrementally-ingest-data-from.html
04-19-2017 10:17 PM
Try logging in to ambari web UI using the same credentials (admin/<passwd>) and see if you are able to login. If not, then definitely the password is wrong.
04-19-2017 02:22 AM
If you are trying to sync just a single group, make sure there are no spaces at the end of the group name in groups.txt
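The Ambari LDAP sync answers above (commas inside a name, short names rather than full DNs, no trailing spaces in groups.txt) all come down to the contents of the users.txt / groups.txt lists. As an added example, not Ambari's own code, here is a small Python checker for those files that reports each of those mistakes before the sync is run; the sample lists are constructed, and the file format (one comma-separated list of short sAMAccountName / uid values) is assumed from the answers above.

```python
"""Check the users.txt / groups.txt lists handed to Ambari's LDAP sync.

Added example, not Ambari's own code. Assumed file format, taken from the
answers above: comma-separated short names (sAMAccountName / uid), never
full DNs, with no stray whitespace around a name.
"""
import re

# A CN=/OU=/DC=/uid= component at the start of a line or after a comma or
# space means someone pasted a DN where a short name was expected.
DN_COMPONENT = re.compile(r"(?i)(^|[,\s])(cn|uid|ou|dc)\s*=")

# Constructed sample input: one DN pasted into users.txt, one name with an
# embedded space, and a groups.txt whose only line ends in two spaces.
SAMPLE_USERS = "user1, user2, CN=user3,OU=Users,DC=hq,DC=group\nfirst last\n"
SAMPLE_GROUPS = "hadoop-admins  \n"


def check_sync_list(text, kind="user"):
    """Return (line_no, offending_text, problem) tuples; an empty list means clean."""
    problems = []
    for line_no, raw_line in enumerate(text.splitlines(), 1):
        if raw_line != raw_line.rstrip():
            problems.append((line_no, raw_line, "trailing whitespace at end of line"))
        if not raw_line.strip():
            continue
        if DN_COMPONENT.search(raw_line):
            problems.append((line_no, raw_line.strip(),
                             "contains DN components (CN=/OU=/DC=); Ambari expects short %s names" % kind))
            continue
        for entry in raw_line.split(","):
            name = entry.strip()
            if not name:
                problems.append((line_no, entry, "empty entry (doubled or trailing comma)"))
            elif " " in name:
                problems.append((line_no, name, "whitespace inside the name; was a first/last name pasted?"))
    return problems


def normalize_sync_list(text):
    """Rewrite a list as one comma-separated line with blanks, padding and duplicates dropped."""
    names = []
    for raw_line in text.splitlines():
        for entry in raw_line.split(","):
            name = entry.strip()
            if name and name not in names:
                names.append(name)
    return ",".join(names)


if __name__ == "__main__":
    for label, text, kind in (("users.txt", SAMPLE_USERS, "user"),
                              ("groups.txt", SAMPLE_GROUPS, "group")):
        for line_no, offending, problem in check_sync_list(text, kind):
            print(f"{label}:{line_no}: {problem}: {offending!r}")
    print("normalized:", normalize_sync_list("user1, user2,,user1\n"))
```

Run `check_sync_list` on the real files before `ambari-server sync-ldap`; `normalize_sync_list` gives the cleaned single-line form to write back once the findings have been reviewed, and it keeps the spaces-after-commas style from the answer above out of the file entirely.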
04-06-2017 10:50 PM
@rguruvannagari I changed all the 'info' and 'warn' values under 'Advanced admin-log4j' to 'debug' (not just the root logger). Only then I started seeing detailed exceptions. After I pointed ranger admin to the right truststore file, I had not updated the password. The debug enabled logs clearly showed that the trust store password was wrong. I updated the correct password and now I am able to login as AD user. Thanks a lot ! Regards, Ekantheshwara Basappa
04-06-2017 07:09 AM
@rguruvannagari Thanks for responding to my question. You are right. The usersync config was pointing to the right trust store file while ranger admin was pointing to a wrong one. I pointed ranger admin to the right one. And I set the User Search Filter with the value sAMAccountName={0}. However, I continue to get the same error. Also, when I set the root logger to debug mode (under Advanced admin-log4j), the generated logs are not very helpful. This is what I get:

```
2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:346) - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:347) - Updated SecurityContextHolder to contain null Authentication
2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:348) - Delegating to authentication failure handler org.apache.ranger.security.web.authentication.RangerAuthFailureHandler@22c447dd
2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:74) - commence() X-Requested-With=XMLHttpRequest
2017-04-03 09:29:58,714 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:114) - Sending login failed response : {"statusCode":401,"msgDesc":"The username or password you entered is incorrect.."}
```

How do I get the detailed log so that I know what exactly the problem is?

Regards,
Ekanth
04-06-2017 04:31 AM
@Rockie Yang I followed the instructions mentioned in: https://github.com/knockdata/spark-highcharts/blob/master/docs/UseInZeppelin.md

I get the below exception in the Zeppelin log file:

```
INFO [2017-04-06 14:20:13,957] ({qtp1577213552-14} AuthorizingRealm.java[getAuthorizationCacheLazy]:248) - No cache or cacheManager properties have been set. Authorization cache cannot be obtained.
INFO [2017-04-06 14:20:14,354] ({qtp1577213552-14} InterpreterRestApi.java[updateSetting]:126) - Update interpreterSetting 2C8335TJY
ERROR [2017-04-06 14:20:14,385] ({qtp1577213552-14} InterpreterRestApi.java[updateSetting]:136) - Exception in InterpreterRestApi while updateSetting
org.apache.zeppelin.interpreter.InterpreterException: org.apache.thrift.transport.TTransportException
	at org.apache.zeppelin.interpreter.remote.RemoteInterpreter.cancel(RemoteInterpreter.java:329)
	at org.apache.zeppelin.interpreter.LazyOpenInterpreter.cancel(LazyOpenInterpreter.java:100)
	at org.apache.zeppelin.notebook.Paragraph.jobAbort(Paragraph.java:332)
	at org.apache.zeppelin.scheduler.Job.abort(Job.java:239)
	at org.apache.zeppelin.interpreter.InterpreterFactory.stopJobAllInterpreter(InterpreterFactory.java:829)
	at org.apache.zeppelin.interpreter.InterpreterFactory.setPropertyAndRestart(InterpreterFactory.java:790)
	at org.apache.zeppelin.rest.InterpreterRestApi.updateSetting(InterpreterRestApi.java:131)
	at .........................
```

Any suggestions to resolve this?

Thanks,
Ekantheshwara
04-05-2017 10:52 PM
@santosh nukala @Avijeet Dash @spolavarapu @Sagar Shimpi Any ideas ?
04-04-2017 02:54 AM
I am using AD authentication for Ranger in HDP 2.5.0. The UserSync works fine and I am able to see the AD Users and Groups in Ranger.
However, I am not able to log in as an AD User. The UI says "The username or password you entered is incorrect". The log says:

```
2017-03-31 12:20:22,008 [http-bio-6080-exec-4] INFO org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:d786090 | Ip Address:10.60.179.195 | Bad Credentials
```

I have tried the suggestions mentioned in the below URLs:
https://community.hortonworks.com/questions/27382/can-not-login-to-ranger-using-ldap-or-ad-user-afte.html
and
https://community.hortonworks.com/questions/21800/can-not-login-to-ranger-using-ldap-user-after-user.html

As mentioned in the above URLs, I have tried the below mentioned values for the "User Search Filter":
- (uid=*)
- sAMAccountName={0}
- space

But that did not help. Can anyone help? Please note I am using "ldaps", i.e. my AD URL is of the format "ldaps://<AD Host>:636"

Thanks,
Ekantheshwara
Labels: Apache Ranger

02-21-2017 05:09 AM
Does this include View DDLs?