Member since
02-21-2017
25
Posts
4
Kudos Received
1
Solution
My Accepted Solutions
Title | Views | Posted |
---|---|---|
2932 | 05-14-2017 10:45 PM |
06-27-2017
03:07 AM
1 Kudo
I have been trying to configure groups and roles mapping in Shiro Config of Zeppelin. I am using FreeIPA as the LDAP Server and therefore I need to use ldapRealm in Shiro. I need to assign different 'roles' to different LDAP groups and then define what access these different roles have in Zeppelin. I could not get any documentation online for achieving this using ldapRealm. I have achieved the same using ActiveDirectoryRealm in a different env where AD was used. However, I have not been able to successfully do the config using ldapRealm. Any guidance appreciated.
... View more
Labels:
- Labels:
-
Apache Zeppelin
05-14-2017
10:45 PM
The issue got resolved. I had to take out the line "securityManager.realms = $activeDirectoryRealm" from my config and that resolved the issue. I dont see anything wrong in the line I took out. However, I believe this is an optional config.
... View more
05-02-2017
03:33 AM
@Kshitij Badani Thanks Kshitij for your response. I tried it but the result is same. To be precise, the permissions on the Notebooks work fine when I use the AD User. However, it doesnt work when I use a AD group. For example, if I configure user1 to be the 'reader' of the notebook note1, user1 can read the note1. When I configure group1 to be the 'reader' of the note1, then user1, who is a member of group1 is NOT able to read the note1. Even while setting up the note permissions, I can look up the AD User in the search text box but NOT the AD group. Do you have any suggestion for me to trouble shoot this ?
... View more
05-01-2017
12:17 AM
I have integrated Zeppelin with AD. The authentication works fine. However, the authorization works partially. i.e. the authorisation is effective on "interpreter" and "configurations" URLS but not effective on Notebooks.
I have a user User1 who is a member of AD_Group1 which is associated with the "admin" role in Shiro. I have a dashboard for which I have configured AD_Group1 as reader, writer and owner.
When I login as User1 and try to access the dashboard, I am getting the message "But the user User1 belongs to: [User1]". Clearly, Zeppelin is not aware of the group membership of the user.
Below mentioned is my Shiro configuration: [users] admin = password1 [main] activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = user1 activeDirectoryRealm.systemPassword = pwd #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://user/zeppelin/zeppelin.jceks activeDirectoryRealm.searchBase = DC=testcore,DC=test,DC=dir,DC=org,DC=com activeDirectoryRealm.url = ldaps://testcore.test.dir.org.com:636 activeDirectoryRealm.groupRolesMap = "CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true activeDirectoryRealm.principalSuffix = @testcore.test.dir.org.com sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login securityManager.realms = $activeDirectoryRealm
[roles] admin = * [urls] /api/version = anon /api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin] /api/credential/** = authc, roles[admin] #/** = anon
/** = authc
I dont see a call made to AD to check the group membership when a Notebook is accessed. These are the logs that I see when I access the Notebook: DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} AbstractEventDriver.java[incomingFrame]:103) - incomingFrame(TEXT[len=126,fin=true,rsv=...,masked=true])
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:106) - RECEIVE << GET_NOTE
DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:107) - RECEIVE PRINCIPAL << user1 DEBUG [2017-04-11 10:34:39,042] ({qtp1170794006-15} NotebookServer.java[onMessage]:108) - RECEIVE TICKET << b2512330-0a0f-4631-9913-c688d1c9d7f2 DEBUG [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[onMessage]:109) - RECEIVE ROLES << []
INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[sendNote]:423) - New operation from 10.60.179.195 : 49895 : user1 : GET_NOTE : 2CC4Z4DEX INFO [2017-04-11 10:34:39,043] ({qtp1170794006-15} NotebookServer.java[permissionError]:411) - Cannot read. Connection readers [user1]. Allowed readers [APPADMIN]
DEBUG [2017-04-11 10:34:39,044] ({qtp1170794006-15} WebSocketRemoteEndpoint.java[sendString]:385) - sendString with HeapByteBuffer@669d45b[p=0,l=235,c=235,r=235]={<<<{"op":"AUTH_INFO"...us","roles":""}>>>} However, when I access the "interpreter" or "configurations" url, I get the below logs which explain why the config is effective for URLs: DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForUser]:286) - Groups found for user [user1]: [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com] DEBUG [2017-04-11 10:38:58,087] ({qtp1170794006-16 - /api/interpreter/setting} ActiveDirectoryGroupRealm.java[getRoleNamesForGroups]:316) - User is member of group [CN=APPADMIN,OU=Managed,OU=Groups,DC=testcore,DC=test,DC=dir,DC=org,DC=com] so adding role [admin]
The above issue was a known issue with Zeppelin and it is supposed to be fixed in my Zeppelin version.
Please see the defect URL here: https://github.com/apache/zeppelin/pull/986 Any help is appreciated.
... View more
Labels:
- Labels:
-
Apache Zeppelin
04-06-2017
10:50 PM
@rguruvannagari I changed all the 'info' and 'warn' values under 'Advanced admin-log4j' to 'debug' (not just the root logger). Only then I started seeing detailed exceptions. After I pointed ranger admin to the right truststore file, I had not updated the password. The debug enabled logs clearly showed that the trust store password was wrong. I updated the correct password and now I am able to login as AD user. Thanks a lot ! Regards, Ekantheshwara Basappa
... View more
04-06-2017
07:09 AM
@rguruvannagari Thanks for responding to my question. You are right. The usersync config was pointing to the right trust store file while ranger admin was pointing to a wrong one. I pointed ranger admin to the right one. And I set the User Search Filter with the value sAMAccountName={0}. However, I continue to get the same error. Also, when I set the root Logger to debug mode(under Advanced admin-log4j), the generated logs are not very helpful. This is what I get: 2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:346) - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:347) - Updated SecurityContextHolder to contain null Authentication
2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:348) - Delegating to authentication failure handler org.apache.ranger.security.web.authentication.RangerAuthFailureHandler@22c447dd
2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:74) - commence() X-Requested-With=XMLHttpRequest
2017-04-03 09:29:58,714 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:114) - Sending login failed response : {"statusCode":401,"msgDesc":"The username or password you entered is incorrect.."}
How do I get the detailed log so that I know what exactly is the problem ? Regards,
Ekanth
... View more
04-06-2017
04:31 AM
@Rockie Yang I followed the instructions mentioned in: https://github.com/knockdata/spark-highcharts/blob/master/docs/UseInZeppelin.md I get the below exception in Zeppelin log file: INFO [2017-04-06 14:20:13,957] ({qtp1577213552-14} AuthorizingRealm.java[getAuthorizationCacheLazy]:248) - No cache or cacheManager properties have been set. Authorization cache cannot be obtained.
INFO [2017-04-06 14:20:14,354] ({qtp1577213552-14} InterpreterRestApi.java[updateSetting]:126) - Update interpreterSetting 2C8335TJY
ERROR [2017-04-06 14:20:14,385] ({qtp1577213552-14} InterpreterRestApi.java[updateSetting]:136) - Exception in InterpreterRestApi while updateSetting
org.apache.zeppelin.interpreter.InterpreterException: org.apache.thrift.transport.TTransportException
at org.apache.zeppelin.interpreter.remote.RemoteInterpreter.cancel(RemoteInterpreter.java:329)
at org.apache.zeppelin.interpreter.LazyOpenInterpreter.cancel(LazyOpenInterpreter.java:100)
at org.apache.zeppelin.notebook.Paragraph.jobAbort(Paragraph.java:332)
at org.apache.zeppelin.scheduler.Job.abort(Job.java:239)
at org.apache.zeppelin.interpreter.InterpreterFactory.stopJobAllInterpreter(InterpreterFactory.java:829)
at org.apache.zeppelin.interpreter.InterpreterFactory.setPropertyAndRestart(InterpreterFactory.java:790)
at org.apache.zeppelin.rest.InterpreterRestApi.updateSetting(InterpreterRestApi.java:131)
at ......................... Any suggestions to resolve this ? Thanks, Ekantheshwara
... View more
04-05-2017
10:52 PM
@santosh nukala @Avijeet Dash @spolavarapu @Sagar Shimpi Any ideas ?
... View more
04-04-2017
02:54 AM
I am using AD authentication for Ranger in HDP 2.5.0. The UserSync works fine and I am able to see the AD Users and Groups in Ranger.
However, I am not able to login as an AD User. The UI says "The username or password you entered is incorrect". The log says:
2017-03-31 12:20:22,008 [http-bio-6080-exec-4] INFO org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:d786090 | Ip Address:10.60.179.195 | Bad Credentials
I have tried the suggestions mentioned in the below URLs: https://community.hortonworks.com/questions/27382/can-not-login-to-ranger-using-ldap-or-ad-user-afte.html
and
https://community.hortonworks.com/questions/21800/can-not-login-to-ranger-using-ldap-user-after-user.html As mentioned in the above URLs, I have tried the below mentioned values for the "User Search Filter":
(uid=*) sAMAccountName={0} space
But that did not help. Can anyone help ? Please note I am using "ldaps" i.e. my AD URL is of the format "ldaps://<AD Host>:636"
Thanks, Ekantheshwara
... View more
Labels:
- Labels:
-
Apache Ranger
02-21-2017
05:09 AM
Does this include View DDLs?
... View more