Cloudera Community

Announcements
Welcome to the upgraded Community! Read this blog to see What’s New!
ekanthb
user rank
Contributor
My Accepted Solutions
Show All

How to configure groups and roles mapping using ld...

by Contributor in Support Questions
‎06-27-2017 03:07 AM
1 Kudo
‎06-27-2017 03:07 AM
1 Kudo
I have been trying to configure groups and roles mapping in Shiro Config of Zeppelin. I am using FreeIPA as the LDAP Server and therefore I need to use ldapRealm in Shiro. I need to assign different 'roles' to different LDAP groups and then define what access these different roles have in Zeppelin. I could not get any documentation online for achieving this using ldapRealm. I have achieved the same using ActiveDirectoryRealm in a different env where AD was used. However, I have not been able to successfully do the config using ldapRealm. Any guidance appreciated. ... View more
Labels:

Re: Zeppelin notebook permissions not effective

by Contributor in Support Questions
‎05-14-2017 10:45 PM
‎05-14-2017 10:45 PM
The issue got resolved. I had to take out the line "securityManager.realms = $activeDirectoryRealm" from my config and that resolved the issue. I dont see anything wrong in the line I took out. However, I believe this is an optional config. ... View more

Re: Zeppelin notebook permissions not effective

by Contributor in Support Questions
‎05-02-2017 03:33 AM
‎05-02-2017 03:33 AM
@Kshitij Badani Thanks Kshitij for your response. I tried it but the result is same. To be precise, the permissions on the Notebooks work fine when I use the AD User. However, it doesnt work when I use a AD group. For example, if I configure user1 to be the 'reader' of the notebook note1, user1 can read the note1. When I configure group1 to be the 'reader' of the note1, then user1, who is a member of group1 is NOT able to read the note1. Even while setting up the note permissions, I can look up the AD User in the search text box but NOT the AD group. Do you have any suggestion for me to trouble shoot this ? ... View more

Zeppelin notebook permissions not effective

by Contributor in Support Questions
‎05-01-2017 12:17 AM
‎05-01-2017 12:17 AM
I have integrated Zeppelin with AD. The authentication works fine. However, the authorization works partially. i.e. the authorisation is effective on "interpreter" and "configurations" URLS but not effective on Notebooks. I have a user User1 who is a member of AD_Group1 which is associated with the "admin" role in Shiro. I have a dashboard for which I have configured AD_Group1 as reader, writer and owner. When I login as User1 and try to access the dashboard, I am getting the message "But the user User1 belongs to: [User1]". Clearly, Zeppelin is not aware of the group membership of the user. Below mentioned is my Shiro configuration: [users] admin = password1 [main] activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm activeDirectoryRealm.systemUsername = user1 activeDirectoryRealm.systemPassword = pwd #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks activeDirectoryRealm.searchBase = DC=testcore,DC=test,DC=dir,DC=org,DC=com activeDirectoryRealm.url = ldaps://testcore.test.dir.org.com:636 activeDirectoryRealm.groupRolesMap = "CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com":"admin" activeDirectoryRealm.authorizationCachingEnabled = true activeDirectoryRealm.principalSuffix = @testcore.test.dir.org.com sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login securityManager.realms = $activeDirectoryRealm [roles] admin = * [urls] /api/version = anon /api/interpreter/** = authc, roles[admin] /api/configurations/** = authc, roles[admin] /api/credential/** = authc, roles[admin] #/** = anon /** = authc I dont see a call made to AD to check the group membership when a Notebook is accessed. These are the logs that I see when I access the Notebook: DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} AbstractEventDriver.java[incomingFrame]:103) - incomingFrame(TEXT[len=126,fin=true,rsv=...,masked=true]) DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:106) - RECEIVE << GET_NOTE DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:107) - RECEIVE PRINCIPAL << user1 DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:108) - RECEIVE TICKET << b2512330-0a0f-4631-9913-c688d1c9d7f2 DEBUG [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[onMessage]:109) - RECEIVE ROLES << [] INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[sendNote]:423) - New operation from 10.60.179.195 : 49895 : user1 : GET_NOTE : 2CC4Z4DEX INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[permissionError]:411) - Cannot read. Connection readers [user1]. Allowed readers [APPADMIN] DEBUG [2017-04-11 10:34:39,044] ({qtp1170794006-15} WebSocketRemoteEndpoint.java[sendString]:385) - sendString with HeapByteBuffer@669d45b[p=0,l=235,c=235,r=235]={<<<{"op":"AUTH_INFO"...us","roles":""}>>>} However, when I access the "interpreter" or "configurations" url, I get the below logs which explain why the config is effective for URLs: DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForUser]:286) - Groups found for user [user1]: [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com] DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForGroups]:316) - User is member of group [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com] so adding role [admin] The above issue was a known issue with Zeppelin and it is supposed to be fixed in my Zeppelin version. Please see the defect URL here: https://github.com/apache/zeppelin/pull/986 Any help is appreciated. ... View more
Labels:

Re: Not able to login to Ranger as AD user, howeve...

by Contributor in Support Questions
‎04-06-2017 10:50 PM
‎04-06-2017 10:50 PM
@rguruvannagari I changed all the 'info' and 'warn' values under 'Advanced admin-log4j' to 'debug' (not just the root logger). Only then I started seeing detailed exceptions. After I pointed ranger admin to the right truststore file, I had not updated the password. The debug enabled logs clearly showed that the trust store password was wrong. I updated the correct password and now I am able to login as AD user. Thanks a lot ! Regards, Ekantheshwara Basappa ... View more

Re: Not able to login to Ranger as AD user, howeve...

by Contributor in Support Questions
‎04-06-2017 07:09 AM
‎04-06-2017 07:09 AM
@rguruvannagari Thanks for responding to my question. You are right. The usersync config was pointing to the right trust store file while ranger admin was pointing to a wrong one. I pointed ranger admin to the right one. And I set the User Search Filter with the value sAMAccountName={0}. However, I continue to get the same error. Also, when I set the root Logger to debug mode(under Advanced admin-log4j), the generated logs are not very helpful. This is what I get: 2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:346) - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials 2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:347) - Updated SecurityContextHolder to contain null Authentication 2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:348) - Delegating to authentication failure handler org.apache.ranger.security.web.authentication.RangerAuthFailureHandler@22c447dd 2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:74) - commence() X-Requested-With=XMLHttpRequest 2017-04-03 09:29:58,714 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:114) - Sending login failed response : {"statusCode":401,"msgDesc":"The username or password you entered is incorrect.."} How do I get the detailed log so that I know what exactly is the problem ? Regards, Ekanth ... View more

Re: How to create custom visualization using zeppe...

by Contributor in Support Questions
‎04-06-2017 04:31 AM
‎04-06-2017 04:31 AM
@Rockie Yang I followed the instructions mentioned in: https://github.com/knockdata/spark-highcharts/blob/master/docs/UseInZeppelin.md I get the below exception in Zeppelin log file: INFO [2017-04-06 14:20:13,957] ({qtp1577213552-14} AuthorizingRealm.java[getAuthorizationCacheLazy]:248) - No cache or cacheManager properties have been set. Authorization cache cannot be obtained. INFO [2017-04-06 14:20:14,354] ({qtp1577213552-14} InterpreterRestApi.java[updateSetting]:126) - Update interpreterSetting 2C8335TJY ERROR [2017-04-06 14:20:14,385] ({qtp1577213552-14} InterpreterRestApi.java[updateSetting]:136) - Exception in InterpreterRestApi while updateSetting org.apache.zeppelin.interpreter.InterpreterException: org.apache.thrift.transport.TTransportException at org.apache.zeppelin.interpreter.remote.RemoteInterpreter.cancel(RemoteInterpreter.java:329) at org.apache.zeppelin.interpreter.LazyOpenInterpreter.cancel(LazyOpenInterpreter.java:100) at org.apache.zeppelin.notebook.Paragraph.jobAbort(Paragraph.java:332) at org.apache.zeppelin.scheduler.Job.abort(Job.java:239) at org.apache.zeppelin.interpreter.InterpreterFactory.stopJobAllInterpreter(InterpreterFactory.java:829) at org.apache.zeppelin.interpreter.InterpreterFactory.setPropertyAndRestart(InterpreterFactory.java:790) at org.apache.zeppelin.rest.InterpreterRestApi.updateSetting(InterpreterRestApi.java:131) at ......................... Any suggestions to resolve this ? Thanks, Ekantheshwara ... View more

Re: Not able to login to Ranger as AD user, howeve...

by Contributor in Support Questions
‎04-05-2017 10:52 PM
‎04-05-2017 10:52 PM
@santosh nukala @Avijeet Dash @spolavarapu @Sagar Shimpi Any ideas ? ... View more

Not able to login to Ranger as AD user, however, U...

by Contributor in Support Questions
‎04-04-2017 02:54 AM
‎04-04-2017 02:54 AM
I am using AD authentication for Ranger in HDP 2.5.0. The UserSync works fine and I am able to see the AD Users and Groups in Ranger. However, I am not able to login as an AD User. The UI says "The username or password you entered is incorrect". The log says: 2017-03-31 12:20:22,008 [http-bio-6080-exec-4] INFO org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:d786090 | Ip Address:10.60.179.195 | Bad Credentials I have tried the suggestions mentioned in the below URLs: https://community.hortonworks.com/questions/27382/can-not-login-to-ranger-using-ldap-or-ad-user-afte.html and https://community.hortonworks.com/questions/21800/can-not-login-to-ranger-using-ldap-user-after-user.html As mentioned in the above URLs, I have tried the below mentioned values for the "User Search Filter": (uid=*) sAMAccountName={0} space But that did not help. Can anyone help ? Please note I am using "ldaps" i.e. my AD URL is of the format "ldaps://<AD Host>:636" Thanks, Ekantheshwara ... View more
Labels:

Re: how to migrate Hive data over to new cluster?

by Contributor in Support Questions
‎02-21-2017 05:09 AM
‎02-21-2017 05:09 AM
Does this include View DDLs? ... View more
Contact Me
Online
Offline
Last Visited
‎02-14-2019 04:44 AM
Community Statistics
Member Since ‎02-21-2017 05:07 AM
Last Visited ‎02-14-2019 04:44 AM
Posts 25
Kudos received 4