Member since 02-21-2017 | 25 Posts | 4 Kudos Received | 1 Solution
My Accepted Solutions
Title | Views | Posted |
---|---|---|
2897 | 05-14-2017 10:45 PM |
06-27-2017
03:07 AM
1 Kudo
I have been trying to configure groups and roles mapping in Shiro Config of Zeppelin. I am using FreeIPA as the LDAP Server and therefore I need to use ldapRealm in Shiro. I need to assign different 'roles' to different LDAP groups and then define what access these different roles have in Zeppelin. I could not get any documentation online for achieving this using ldapRealm. I have achieved the same using ActiveDirectoryRealm in a different env where AD was used. However, I have not been able to successfully do the config using ldapRealm. Any guidance appreciated.
Labels: Apache Zeppelin
05-14-2017
10:45 PM
The issue got resolved. I had to take out the line "securityManager.realms = $activeDirectoryRealm" from my config and that resolved the issue. I don't see anything wrong in the line I took out. However, I believe this is an optional config.
05-02-2017
03:33 AM
@Kshitij Badani Thanks Kshitij for your response. I tried it but the result is the same. To be precise, the permissions on the Notebooks work fine when I use the AD User. However, it doesn't work when I use an AD group. For example, if I configure user1 to be the 'reader' of the notebook note1, user1 can read the note1. When I configure group1 to be the 'reader' of the note1, then user1, who is a member of group1, is NOT able to read the note1. Even while setting up the note permissions, I can look up the AD User in the search text box but NOT the AD group. Do you have any suggestion for me to troubleshoot this?
05-01-2017
12:17 AM
I have integrated Zeppelin with AD. The authentication works fine. However, the authorization works partially, i.e. the authorisation is effective on "interpreter" and "configurations" URLs but not effective on Notebooks.
I have a user User1 who is a member of AD_Group1 which is associated with the "admin" role in Shiro. I have a dashboard for which I have configured AD_Group1 as reader, writer and owner.
When I login as User1 and try to access the dashboard, I am getting the message "But the user User1 belongs to: [User1]". Clearly, Zeppelin is not aware of the group membership of the user.
Below mentioned is my Shiro configuration:

```
[users]
admin = password1

[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = user1
activeDirectoryRealm.systemPassword = pwd
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks
activeDirectoryRealm.searchBase = DC=testcore,DC=test,DC=dir,DC=org,DC=com
activeDirectoryRealm.url = ldaps://testcore.test.dir.org.com:636
activeDirectoryRealm.groupRolesMap = "CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true
activeDirectoryRealm.principalSuffix = @testcore.test.dir.org.com
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
securityManager.realms = $activeDirectoryRealm

[roles]
admin = *

[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc
```
I don't see a call made to AD to check the group membership when a Notebook is accessed. These are the logs that I see when I access the Notebook:

```
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} AbstractEventDriver.java[incomingFrame]:103) - incomingFrame(TEXT[len=126,fin=true,rsv=...,masked=true])
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:106) - RECEIVE << GET_NOTE
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:107) - RECEIVE PRINCIPAL << user1
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:108) - RECEIVE TICKET << b2512330-0a0f-4631-9913-c688d1c9d7f2
DEBUG [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[onMessage]:109) - RECEIVE ROLES << []
INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[sendNote]:423) - New operation from 10.60.179.195 : 49895 : user1 : GET_NOTE : 2CC4Z4DEX
INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[permissionError]:411) - Cannot read. Connection readers [user1]. Allowed readers [APPADMIN]
DEBUG [2017-04-11 10:34:39,044] ({qtp1170794006-15} WebSocketRemoteEndpoint.java[sendString]:385) - sendString with HeapByteBuffer@669d45b[p=0,l=235,c=235,r=235]={<<<{"op":"AUTH_INFO"...us","roles":""}>>>}
```

However, when I access the "interpreter" or "configurations" URL, I get the below logs which explain why the config is effective for URLs:

```
DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForUser]:286) - Groups found for user [user1]: [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com]
DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForGroups]:316) - User is member of group [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com] so adding role [admin]
```
The above issue was a known issue with Zeppelin and it is supposed to be fixed in my Zeppelin version.
Please see the defect URL here: https://github.com/apache/zeppelin/pull/986

Any help is appreciated.
Labels: Apache Zeppelin
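A triage helper for the symptom described in the post above, added here as an example (it is not part of the original post or of Zeppelin): it correlates the NotebookServer lines per Jetty thread and flags denials where the websocket session carried no roles although the realm logged groups for the same user. The function name and the per-thread correlation are assumptions; the sample lines are shortened from the log quoted in the post.

```python
import re

# Shortened excerpt of the Zeppelin log lines quoted in the post above.
SAMPLE_LOG = """\
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:106) - RECEIVE << GET_NOTE
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:107) - RECEIVE PRINCIPAL << user1
DEBUG [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[onMessage]:109) - RECEIVE ROLES << []
INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[permissionError]:411) - Cannot read. Connection readers [user1]. Allowed readers [APPADMIN]
DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForUser]:286) - Groups found for user [user1]: [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com]
"""

LINE = re.compile(r"^\s*\w+\s+\[[^\]]+\] \(\{(?P<thread>[^}\s]+)[^}]*\} "
                  r"(?P<src>[\w.]+)\[(?P<method>\w+)\]:\d+\) - (?P<msg>.*)$")
DENIED = re.compile(r"Cannot (\w+)\. Connection \w+ \[(.*?)\]\. Allowed \w+ \[(.*?)\]")
GROUPS = re.compile(r"Groups found for user \[(.*?)\]: \[(.*)\]")


def find_role_gaps(log_text):
    """Return notebook denials, noting whether the realm resolved groups elsewhere."""
    session = {}        # thread id -> principal and roles last received on it
    realm_groups = {}   # user -> group DN string logged by the realm
    denials = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack traces, wrapped lines, other log formats
        thread, msg = m["thread"], m["msg"]
        state = session.setdefault(thread, {"principal": None, "roles": []})
        if msg.startswith("RECEIVE PRINCIPAL << "):
            state["principal"] = msg.split("<< ", 1)[1].strip()
        elif msg.startswith("RECEIVE ROLES << "):
            inner = msg.split("<< ", 1)[1].strip().strip("[]")
            state["roles"] = [r.strip(' "') for r in inner.split(",") if r.strip(' "')]
        elif (g := GROUPS.search(msg)):
            realm_groups[g[1]] = g[2]
        elif (d := DENIED.search(msg)):
            denials.append({"user": state["principal"], "action": d[1],
                            "session_roles": list(state["roles"]),
                            "allowed": [a.strip() for a in d[3].split(",")]})
    for d in denials:
        # Groups known to the realm but absent from the session: the symptom in the post.
        d["realm_groups"] = realm_groups.get(d["user"])
        d["roles_missing_from_session"] = bool(d["realm_groups"]) and not d["session_roles"]
    return denials


if __name__ == "__main__":
    print(find_role_gaps(SAMPLE_LOG))
```
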
04-06-2017
10:50 PM
@rguruvannagari I changed all the 'info' and 'warn' values under 'Advanced admin-log4j' to 'debug' (not just the root logger). Only then I started seeing detailed exceptions. After I pointed ranger admin to the right truststore file, I had not updated the password. The debug enabled logs clearly showed that the trust store password was wrong. I updated the correct password and now I am able to log in as AD user. Thanks a lot! Regards, Ekantheshwara Basappa
04-06-2017
07:09 AM
@rguruvannagari Thanks for responding to my question. You are right. The usersync config was pointing to the right trust store file while ranger admin was pointing to a wrong one. I pointed ranger admin to the right one. And I set the User Search Filter with the value sAMAccountName={0}. However, I continue to get the same error. Also, when I set the root Logger to debug mode (under Advanced admin-log4j), the generated logs are not very helpful. This is what I get:

```
2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:346) - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:347) - Updated SecurityContextHolder to contain null Authentication
2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:348) - Delegating to authentication failure handler org.apache.ranger.security.web.authentication.RangerAuthFailureHandler@22c447dd
2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:74) - commence() X-Requested-With=XMLHttpRequest
2017-04-03 09:29:58,714 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:114) - Sending login failed response : {"statusCode":401,"msgDesc":"The username or password you entered is incorrect.."}
```

How do I get the detailed log so that I know what exactly is the problem?

Regards,
Ekanth
04-06-2017
04:31 AM
@Rockie Yang I followed the instructions mentioned in: https://github.com/knockdata/spark-highcharts/blob/master/docs/UseInZeppelin.md

I get the below exception in Zeppelin log file:

```
INFO [2017-04-06 14:20:13,957] ({qtp1577213552-14} AuthorizingRealm.java[getAuthorizationCacheLazy]:248) - No cache or cacheManager properties have been set. Authorization cache cannot be obtained.
INFO [2017-04-06 14:20:14,354] ({qtp1577213552-14} InterpreterRestApi.java[updateSetting]:126) - Update interpreterSetting 2C8335TJY
ERROR [2017-04-06 14:20:14,385] ({qtp1577213552-14} InterpreterRestApi.java[updateSetting]:136) - Exception in InterpreterRestApi while updateSetting
org.apache.zeppelin.interpreter.InterpreterException: org.apache.thrift.transport.TTransportException
    at org.apache.zeppelin.interpreter.remote.RemoteInterpreter.cancel(RemoteInterpreter.java:329)
    at org.apache.zeppelin.interpreter.LazyOpenInterpreter.cancel(LazyOpenInterpreter.java:100)
    at org.apache.zeppelin.notebook.Paragraph.jobAbort(Paragraph.java:332)
    at org.apache.zeppelin.scheduler.Job.abort(Job.java:239)
    at org.apache.zeppelin.interpreter.InterpreterFactory.stopJobAllInterpreter(InterpreterFactory.java:829)
    at org.apache.zeppelin.interpreter.InterpreterFactory.setPropertyAndRestart(InterpreterFactory.java:790)
    at org.apache.zeppelin.rest.InterpreterRestApi.updateSetting(InterpreterRestApi.java:131)
    at .........................
```

Any suggestions to resolve this?

Thanks, Ekantheshwara
04-05-2017
10:52 PM
@santosh nukala @Avijeet Dash @spolavarapu @Sagar Shimpi Any ideas ?
04-04-2017
02:54 AM
I am using AD authentication for Ranger in HDP 2.5.0. The UserSync works fine and I am able to see the AD Users and Groups in Ranger.
However, I am not able to login as an AD User. The UI says "The username or password you entered is incorrect". The log says:
2017-03-31 12:20:22,008 [http-bio-6080-exec-4] INFO org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:d786090 | Ip Address:10.60.179.195 | Bad Credentials
I have tried the suggestions mentioned in the below URLs:

https://community.hortonworks.com/questions/27382/can-not-login-to-ranger-using-ldap-or-ad-user-afte.html
and
https://community.hortonworks.com/questions/21800/can-not-login-to-ranger-using-ldap-user-after-user.html

As mentioned in the above URLs, I have tried the below mentioned values for the "User Search Filter":

(uid=*) sAMAccountName={0} space

But that did not help. Can anyone help? Please note I am using "ldaps", i.e. my AD URL is of the format "ldaps://<AD Host>:636"
Thanks, Ekantheshwara
Labels: Apache Ranger
02-21-2017
05:09 AM
Does this include View DDLs?