ekanthb
Contributor
My Accepted Solutions
Show All

How to configure groups and roles mapping using ld...

by Contributor in Support Questions
‎06-27-2017 03:07 AM
1 Kudo
‎06-27-2017 03:07 AM
1 Kudo
I have been trying to configure groups and roles mapping in Shiro Config of Zeppelin. I am using FreeIPA as the LDAP Server and therefore I need to use ldapRealm in Shiro. I need to assign different 'roles' to different LDAP groups and then define what access these different roles have in Zeppelin. I could not get any documentation online for achieving this using ldapRealm. I have achieved the same using ActiveDirectoryRealm in a different env where AD was used. However, I have not been able to successfully do the config using ldapRealm. Any guidance appreciated. ... View more
Labels:

Re: Is Ranger is the right approach for Hive secur...

by Contributor in Support Questions
‎06-04-2017 11:25 PM
‎06-04-2017 11:25 PM
@m b The "best option" depends on your requirement. If you dont need column level security, centralized administration of security policies then you can opt for just SQL Standard authorization. Make a list of your requirements first and then compare your options to decide which one suits your requirements best. If you are using Cloudera, you have other options like Sentry and RecordService: https://stackoverflow.com/questions/39326456/how-to-choose-between-apache-ranger-and-sentry There is no single document to help you make this decision. You will have to gather your requirements and then compare the feature-list of all your options to decide which one is best for your requirements. I hope this helps. ... View more

Re: Is Ranger is the right approach for Hive secur...

by Contributor in Support Questions
‎06-02-2017 06:15 AM
‎06-02-2017 06:15 AM
This may help you: http://ranger.apache.org/faq.html#How_does_Apache_Ranger_authorization_compare_to_SQL_standard_authorization Ranger provides more granular access control at column level where as SQL standard authorization provides grant/revoke functionality at database, table level. ... View more

Re: Zeppelin notebook permissions not effective

by Contributor in Support Questions
‎05-14-2017 10:45 PM
‎05-14-2017 10:45 PM
The issue got resolved. I had to take out the line "securityManager.realms = $activeDirectoryRealm" from my config and that resolved the issue. I dont see anything wrong in the line I took out. However, I believe this is an optional config. ... View more

What is the meaning of "Cluster CPU" visualization...

by Contributor in Support Questions
‎05-05-2017 04:19 AM
‎05-05-2017 04:19 AM
The "Cluster CPU" visualization displayed in YARN Summary shows an average utilization of 50% always even when the data nodes are idle. The "CPU Usage" of individual data nodes are close to zero when no jobs are running as seen on "Summary" tab for the host in Ambari. Then why does the "Cluster CPU" graph always show 50% as the avg ? What exactly it is trying to depict ? The definition says "Percentage of CPU utilized across all NodeManager hosts.". So, when it says 50% avg, does that mean (for example) 4 CPUs out of 8 total CPUs of all NodeManager hosts are being used ? ... View more
Labels:

Re: Zeppelin notebook permissions not effective

by Contributor in Support Questions
‎05-02-2017 03:33 AM
‎05-02-2017 03:33 AM
@Kshitij Badani Thanks Kshitij for your response. I tried it but the result is same. To be precise, the permissions on the Notebooks work fine when I use the AD User. However, it doesnt work when I use a AD group. For example, if I configure user1 to be the 'reader' of the notebook note1, user1 can read the note1. When I configure group1 to be the 'reader' of the note1, then user1, who is a member of group1 is NOT able to read the note1. Even while setting up the note permissions, I can look up the AD User in the search text box but NOT the AD group. Do you have any suggestion for me to trouble shoot this ? ... View more

Zeppelin notebook permissions not effective

by Contributor in Support Questions
‎05-01-2017 12:17 AM
‎05-01-2017 12:17 AM
I have integrated Zeppelin with AD. The authentication works fine. However, the authorization works partially. i.e. the authorisation is effective on "interpreter" and "configurations" URLS but not effective on Notebooks. I have a user User1 who is a member of AD_Group1 which is associated with the "admin" role in Shiro. I have a dashboard for which I have configured AD_Group1 as reader, writer and owner. When I login as User1 and try to access the dashboard, I am getting the message "But the user User1 belongs to: [User1]". Clearly, Zeppelin is not aware of the group membership of the user. Below mentioned is my Shiro configuration: [users] admin = password1 [main] activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm activeDirectoryRealm.systemUsername = user1 activeDirectoryRealm.systemPassword = pwd #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks activeDirectoryRealm.searchBase = DC=testcore,DC=test,DC=dir,DC=org,DC=com activeDirectoryRealm.url = ldaps://testcore.test.dir.org.com:636 activeDirectoryRealm.groupRolesMap = "CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com":"admin" activeDirectoryRealm.authorizationCachingEnabled = true activeDirectoryRealm.principalSuffix = @testcore.test.dir.org.com sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login securityManager.realms = $activeDirectoryRealm [roles] admin = * [urls] /api/version = anon /api/interpreter/** = authc, roles[admin] /api/configurations/** = authc, roles[admin] /api/credential/** = authc, roles[admin] #/** = anon /** = authc I dont see a call made to AD to check the group membership when a Notebook is accessed. These are the logs that I see when I access the Notebook: DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} AbstractEventDriver.java[incomingFrame]:103) - incomingFrame(TEXT[len=126,fin=true,rsv=...,masked=true]) DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:106) - RECEIVE << GET_NOTE DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:107) - RECEIVE PRINCIPAL << user1 DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:108) - RECEIVE TICKET << b2512330-0a0f-4631-9913-c688d1c9d7f2 DEBUG [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[onMessage]:109) - RECEIVE ROLES << [] INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[sendNote]:423) - New operation from 10.60.179.195 : 49895 : user1 : GET_NOTE : 2CC4Z4DEX INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[permissionError]:411) - Cannot read. Connection readers [user1]. Allowed readers [APPADMIN] DEBUG [2017-04-11 10:34:39,044] ({qtp1170794006-15} WebSocketRemoteEndpoint.java[sendString]:385) - sendString with HeapByteBuffer@669d45b[p=0,l=235,c=235,r=235]={<<<{"op":"AUTH_INFO"...us","roles":""}>>>} However, when I access the "interpreter" or "configurations" url, I get the below logs which explain why the config is effective for URLs: DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForUser]:286) - Groups found for user [user1]: [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com] DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForGroups]:316) - User is member of group [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com] so adding role [admin] The above issue was a known issue with Zeppelin and it is supposed to be fixed in my Zeppelin version. Please see the defect URL here: https://github.com/apache/zeppelin/pull/986 Any help is appreciated. ... View more
Labels:

Re: Active Directory integrated with Ranger - User...

by Contributor in Support Questions
‎04-28-2017 03:35 AM
1 Kudo
‎04-28-2017 03:35 AM
1 Kudo
The exception is clearly saying: 26 Apr 2017 22:02:38 ERROR CustomSSLSocketFactory [UnixUserSyncThread] - Unable to obtain keystore from file [/usr/hdp/current/ranger-usersync/conf/mytruststore.jks] You are using 'ldaps" and therefore you need to add the AD's SSL certificate to the above mentioned trust store file using the command: # keytool -import -trustcacerts -file <path_to_cert> -keystore /usr/hdp/current/ranger-usersync/conf/mytruststore.jks ... View more

Re: Unable to Sync LDAP with Ambari

by Contributor in Support Questions
‎04-28-2017 02:25 AM
‎04-28-2017 02:25 AM
Generally, it is not a good practice to have space in LDAP user name. However, in my env, ambari is not considering space as delimiter i.e it is able to consider the full name in the syn request (though it fails as I have used a dummy user): Using python /usr/bin/python Syncing with LDAP... Enter Ambari Admin login: admin Enter Ambari Admin password: Syncing specified users and groups... ERROR: Exiting with exit code 1. REASON: Caught exception running LDAP sync. Couldn't sync LDAP user xxxx yyyy, it doesn't exist Please open your users.txt file in VI editor and check for any commas in between the first name and the last name. If it is all good, then please check the below mentioned properties in your ambari.properties: authentication.ldap.userObjectClass=user authentication.ldap.usernameAttribute=sAMAccountName ... View more

Re: Unable to Sync LDAP with Ambari

by Contributor in Support Questions
‎04-27-2017 05:22 AM
1 Kudo
‎04-27-2017 05:22 AM
1 Kudo
You just need to specify comma separated user names: user1, user2,..........,userN Note that it is just the user name and NOT the full DN of the user. If you are getting the "user doesn't exist' error, please check your ambari.properties for ldap configuration. It is most likely that the baseDN specified has the groups under it but not the users. Please correct the baseDN in that case. ... View more

Re: Running a Shell script on Hadoop cluster (WITH...

by Contributor in Support Questions
‎04-26-2017 01:45 AM
‎04-26-2017 01:45 AM
Yes, you can. SCP the file to any of the data nodes and then run your shell script to validate it. The file will be available in HDFS only when you use the "hadoop fs -put" command and put it into the HDFS. ... View more

Re: LDAP Group sync error

by Contributor in Support Questions
‎04-21-2017 11:48 PM
‎04-21-2017 11:48 PM
My suggestion was based on your ambari properties in which the baseDN is set to "OU=Users,OU=Enterprise,DC=hq,DC=group". Please remove the "OU" part from your baseDN as your users and groups are in different OUs (again, based on your ambari properties). ... View more

Re: LDAP Group sync error

by Contributor in Support Questions
‎04-21-2017 01:48 AM
‎04-21-2017 01:48 AM
Please set the baseDn to "DC=hq,DC=group" in your ambari.properties and give it a try. ... View more

Re: LDAP Group sync error

by Contributor in Support Questions
‎04-19-2017 10:44 PM
‎04-19-2017 10:44 PM
The value for the property "authentication.ldap.groupNamingAttr" in your config does not look right. I have the below config and it works fine for me: authentication.ldap.groupNamingAttr=cn ... View more

Re: How to create table in hive using source table...

by Contributor in Support Questions
‎04-19-2017 10:20 PM
‎04-19-2017 10:20 PM
This may help you : https://community.hortonworks.com/questions/36464/how-to-use-nifi-to-incrementally-ingest-data-from.html ... View more

Re: Ambari URL login Access failed

by Contributor in Support Questions
‎04-19-2017 10:17 PM
‎04-19-2017 10:17 PM
Try logging in to ambari web UI using the same credentials (admin/<passwd>) and see if you are able to login. If not, then definitely the password is wrong. ... View more

Re: LDAP Group sync error

by Contributor in Support Questions
‎04-19-2017 02:22 AM
‎04-19-2017 02:22 AM
If you are trying to sync just a single group, make sure there are no spaces at the end of the group name in groups.txt ... View more

Re: Not able to login to Ranger as AD user, howeve...

by Contributor in Support Questions
‎04-06-2017 10:50 PM
‎04-06-2017 10:50 PM
@rguruvannagari I changed all the 'info' and 'warn' values under 'Advanced admin-log4j' to 'debug' (not just the root logger). Only then I started seeing detailed exceptions. After I pointed ranger admin to the right truststore file, I had not updated the password. The debug enabled logs clearly showed that the trust store password was wrong. I updated the correct password and now I am able to login as AD user. Thanks a lot ! Regards, Ekantheshwara Basappa ... View more

Re: Not able to login to Ranger as AD user, howeve...

by Contributor in Support Questions
‎04-06-2017 07:09 AM
‎04-06-2017 07:09 AM
@rguruvannagari Thanks for responding to my question. You are right. The usersync config was pointing to the right trust store file while ranger admin was pointing to a wrong one. I pointed ranger admin to the right one. And I set the User Search Filter with the value sAMAccountName={0}. However, I continue to get the same error. Also, when I set the root Logger to debug mode(under Advanced admin-log4j), the generated logs are not very helpful. This is what I get: 2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:346) - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials 2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:347) - Updated SecurityContextHolder to contain null Authentication 2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:348) - Delegating to authentication failure handler org.apache.ranger.security.web.authentication.RangerAuthFailureHandler@22c447dd 2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:74) - commence() X-Requested-With=XMLHttpRequest 2017-04-03 09:29:58,714 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:114) - Sending login failed response : {"statusCode":401,"msgDesc":"The username or password you entered is incorrect.."} How do I get the detailed log so that I know what exactly is the problem ? Regards, Ekanth ... View more

Re: How to create custom visualization using zeppe...

by Contributor in Support Questions
‎04-06-2017 04:31 AM
‎04-06-2017 04:31 AM
@Rockie Yang I followed the instructions mentioned in: https://github.com/knockdata/spark-highcharts/blob/master/docs/UseInZeppelin.md I get the below exception in Zeppelin log file: INFO [2017-04-06 14:20:13,957] ({qtp1577213552-14} AuthorizingRealm.java[getAuthorizationCacheLazy]:248) - No cache or cacheManager properties have been set. Authorization cache cannot be obtained. INFO [2017-04-06 14:20:14,354] ({qtp1577213552-14} InterpreterRestApi.java[updateSetting]:126) - Update interpreterSetting 2C8335TJY ERROR [2017-04-06 14:20:14,385] ({qtp1577213552-14} InterpreterRestApi.java[updateSetting]:136) - Exception in InterpreterRestApi while updateSetting org.apache.zeppelin.interpreter.InterpreterException: org.apache.thrift.transport.TTransportException at org.apache.zeppelin.interpreter.remote.RemoteInterpreter.cancel(RemoteInterpreter.java:329) at org.apache.zeppelin.interpreter.LazyOpenInterpreter.cancel(LazyOpenInterpreter.java:100) at org.apache.zeppelin.notebook.Paragraph.jobAbort(Paragraph.java:332) at org.apache.zeppelin.scheduler.Job.abort(Job.java:239) at org.apache.zeppelin.interpreter.InterpreterFactory.stopJobAllInterpreter(InterpreterFactory.java:829) at org.apache.zeppelin.interpreter.InterpreterFactory.setPropertyAndRestart(InterpreterFactory.java:790) at org.apache.zeppelin.rest.InterpreterRestApi.updateSetting(InterpreterRestApi.java:131) at ......................... Any suggestions to resolve this ? Thanks, Ekantheshwara ... View more

Re: Not able to login to Ranger as AD user, howeve...

by Contributor in Support Questions
‎04-05-2017 10:52 PM
‎04-05-2017 10:52 PM
@santosh nukala @Avijeet Dash @spolavarapu @Sagar Shimpi Any ideas ? ... View more

Not able to login to Ranger as AD user, however, U...

by Contributor in Support Questions
‎04-04-2017 02:54 AM
‎04-04-2017 02:54 AM
I am using AD authentication for Ranger in HDP 2.5.0. The UserSync works fine and I am able to see the AD Users and Groups in Ranger. However, I am not able to login as an AD User. The UI says "The username or password you entered is incorrect". The log says: 2017-03-31 12:20:22,008 [http-bio-6080-exec-4] INFO org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:d786090 | Ip Address:10.60.179.195 | Bad Credentials I have tried the suggestions mentioned in the below URLs: https://community.hortonworks.com/questions/27382/can-not-login-to-ranger-using-ldap-or-ad-user-afte.html and https://community.hortonworks.com/questions/21800/can-not-login-to-ranger-using-ldap-user-after-user.html As mentioned in the above URLs, I have tried the below mentioned values for the "User Search Filter": (uid=*) sAMAccountName={0} space But that did not help. Can anyone help ? Please note I am using "ldaps" i.e. my AD URL is of the format "ldaps://<AD Host>:636" Thanks, Ekantheshwara ... View more
Labels:

Re: how to migrate Hive data over to new cluster?

by Contributor in Support Questions
‎02-21-2017 05:09 AM
‎02-21-2017 05:09 AM
Does this include View DDLs? ... View more
Contact Me
Online
Offline
Last Visited
‎02-14-2019 04:44 AM
Public Statistics
Date Registered ‎02-21-2017 05:07 AM
Last Visited ‎02-14-2019 04:44 AM
Total Messages Posted 25
Total Kudos Received 4