06-08-2019 04:25 AM
Hi @Geoffrey Shelton Okot - Thanks; however, I am unable to locate the reference you mentioned. Can you re-post the reference?
06-07-2019 05:03 PM
Hi All,

We want to spread our Hadoop cluster across multiple availability zones in the same AWS region:

- Active master nodes with all services and part of the data nodes in AZ1
- Standby (secondary) master nodes with all services and the rest of the data nodes in AZ2

At the same time, we want to implement rack awareness for this setup. Can you advise on the following?

1. If we want to use 2 racks in the same AZ, how do we implement this in AWS? Some of the forums suggest defining "partition placement groups" to simulate a rack; what would be the recommendation?
2. What will be the network latency and cost involved in a multi-AZ setup?
3. Assuming AZ1 is down, can we expect to retrieve 100% of the cluster data from AZ2 alone, assuming we have separate racks in AZ1 and AZ2?
05-21-2019 01:45 PM
Hi All,

Thanks, we have resolved the issue. This link has been useful for understanding the LdapRealm attributes. Updated configuration:

[users]
admin = admin, admin
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
#ldapRealm.userDnTemplate = CN={0},OU=***,OU=***,ou=***,dc=***,dc=***
ldapRealm.userSearchBase=OU=***,ou=***,dc=***,dc=***
ldapRealm.userSearchFilter=(&(objectclass=person)(uid={0})(|(memberOf=CN=***,OU=***,OU=Groups,ou=***,dc=***,dc=***)(memberOf=CN=***,OU=***,OU=Groups,ou=***,dc=***,dc=***)(memberOf=CN=***,OU=***,OU=Groups,ou=***,dc=***,dc=***)))
ldapRealm.contextFactory.url = ldaps://***:636
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.systemUsername = ***
ldapRealm.contextFactory.systemPassword = ***
#anyofrolesuser = org.apache.zeppelin.utils.AnyOfRolesUserAuthorizationFilter
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[roles]
admin = *
[urls]
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
05-17-2019 05:38 PM
Hi All,

The current configuration for Zeppelin LDAP is working with HDP stack version 2.6.3 and Zeppelin version 0.7.3:

[users]
admin = ****, admin
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.userDnTemplate = CN={0},OU=standard,OU=Users,ou=**,dc=**,dc=**
ldapRealm.contextFactory.url = ldaps://*****.****.****.****.***:***
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
ldapRealm.contextFactory.systemUsername = *****
ldapRealm.contextFactory.systemPassword = ****
ldapRealm.rolesByGroup = "***":***
#anyofrolesuser = org.apache.zeppelin.utils.AnyOfRolesUserAuthorizationFilter
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[roles]
admin = *
[urls]
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc

Now, for some reason, we are going to capture "uid" for user login instead of "CN", and hence we cannot use "userDnTemplate", as it is configured with "CN" on our LDAP servers. As per the link, we can define the userSearch attributes, which are supposed to make "userDnTemplate" be ignored. However, it is not working and we are encountering the following error:

DEBUG [2019-05-17 11:28:55,438] ({qtp64830413-18 - /api/login} JndiLdapRealm.java[queryForAuthenticationInfo]:369) - Authenticating user '****' through LDAP
DEBUG [2019-05-17 11:28:55,438] ({qtp64830413-18 - /api/login} JndiLdapContextFactory.java[getLdapContext]:488) - Initializing LDAP context using URL [ldaps://*****.****.****.****.***:***] and principal [****] with pooling enabled
DEBUG [2019-05-17 11:28:55,575] ({qtp64830413-18 - /api/login} ModularRealmAuthenticator.java[doMultiRealmAuthentication]:224) - Realm [org.apache.zeppelin.realm.LdapRealm@81eaf95] threw an exception during a multi-realm authentication attempt:
java.lang.IllegalArgumentException: Illegal principal name: ******
at org.apache.zeppelin.realm.LdapRealm.getUserDn(LdapRealm.java:921)
at org.apache.shiro.realm.ldap.JndiLdapRealm.getLdapPrincipal(JndiLdapRealm.java:342)
at org.apache.shiro.realm.ldap.JndiLdapRealm.queryForAuthenticationInfo(JndiLdapRealm.java:371)
at org.apache.zeppelin.realm.LdapRealm.queryForAuthenticationInfo(LdapRealm.java:228)
at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:295)
at org.apache.zeppelin.realm.LdapRealm.doGetAuthenticationInfo(LdapRealm.java:207)
at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219)
at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269)
at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:80)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:205)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:102)

The new configuration we are trying:

[users]
admin = ***, admin
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.userDnTemplate = CN={0},OU=standard,OU=Users,ou=**,dc=**,dc=**
ldapRealm.contextFactory.url = ldaps://*****.****.****.****.***:***
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
ldapRealm.contextFactory.systemUsername = ****
ldapRealm.contextFactory.systemPassword = ****
ldapRealm.searchBase = ou=****,dc=***,dc=****
ldapRealm.userSearchBase = OU=Users,ou=***,dc=***,dc=***
ldapRealm.groupSearchBase = OU=Managed,OU=Groups,ou=***,dc=***,dc=***
ldapRealm.groupObjectClass = group
# Allow userSearchAttribute to be customized
ldapRealm.userSearchAttributeName = uid
ldapRealm.memberAttribute = member
# ability set searchScopes subtree (default), one, base
ldapRealm.userSearchScope = subtree;
ldapRealm.groupSearchScope = subtree;
ldapRealm.rolesByGroup = "***":***
#anyofrolesuser = org.apache.zeppelin.utils.AnyOfRolesUserAuthorizationFilter
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[roles]
admin = *
[urls]
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc

Kindly advise if we are missing something in the configuration.
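Added example, not code from the posts above and not Zeppelin's own code: a small Python script covering two things a reviewer checks in a shiro.ini shaped like the ones in the 05-21-2019 and 05-17-2019 posts. First, the login name that replaces {0} in ldapRealm.userSearchFilter is an LDAP assertion value and has to be escaped per RFC 4515 before it is spliced into the filter; otherwise a login such as *)(uid=* rewrites the filter. The script expands the posted filter shape with escaping and confirms the result stays well-formed. Second, Shiro evaluates the [urls] chain top-down and the first match wins, so the roles[admin] rules must precede the "/** = authc" catch-all, as they do in the posts; the script flags any rule shadowed by an earlier wildcard. The sample shiro.ini, its DNs, host and service account are constructed placeholders, and the checks are the example's own. Whether Zeppelin's LdapRealm escapes the value itself is not shown on this page; the escaping routine here is the reference behaviour to compare a live deployment against (for instance by trying the injection-shaped login and reading the realm's DEBUG output).

```python
"""Expand a Zeppelin/Shiro LdapRealm userSearchFilter safely and sanity-check
the [urls] chain. Added example; assumptions are marked in comments."""
import configparser

# Constructed sample shaped like the 05-21-2019 config; names are made up.
SAMPLE_SHIRO_INI = """\
[users]
admin = admin, admin
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.userSearchBase=OU=people,ou=corp,dc=example,dc=com
ldapRealm.userSearchFilter=(&(objectclass=person)(uid={0})(|(memberOf=CN=zep-users,OU=Groups,dc=example,dc=com)(memberOf=CN=zep-admins,OU=Groups,dc=example,dc=com)))
ldapRealm.contextFactory.url = ldaps://ldap.example.com:636
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.systemUsername = svc-zeppelin
ldapRealm.contextFactory.systemPassword = CHANGEME
[roles]
admin = *
[urls]
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
"""

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def load_shiro_ini(text: str) -> configparser.ConfigParser:
    """Parse shiro.ini keeping key case and definition order (both matter to Shiro)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep 'ldapRealm.userSearchFilter', do not lowercase
    cp.read_string(text)
    return cp


def expand_user_filter(template: str, login: str) -> str:
    """Substitute the login name for {0} with RFC 4515 escaping applied."""
    return template.replace("{0}", escape_filter_value(login))


def parens_balanced(filt: str) -> bool:
    """True when every '(' in the filter has a matching ')' (structure intact)."""
    depth = 0
    for ch in filt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def shadowed_url_rules(cp):
    """Return (later_rule, earlier_rule) pairs where an earlier '/**' rule already
    catches the later path, so the later (usually stricter) rule never runs.
    Simplified prefix check, not a full Ant-pattern matcher (assumption)."""
    patterns = list(cp["urls"].keys())
    findings = []
    for i, earlier in enumerate(patterns):
        if not earlier.endswith("/**"):
            continue
        prefix = earlier[:-3]  # '/**' -> '', '/api/x/**' -> '/api/x'
        for later in patterns[i + 1:]:
            if later.startswith(prefix + "/"):
                findings.append((later, earlier))
    return findings


def realm_findings(cp):
    """Cheap hardening checks on the [main] realm settings (this example's own rules)."""
    main = cp["main"]
    out = []
    url = main.get("ldapRealm.contextFactory.url", "")
    if not url.lower().startswith("ldaps://"):
        out.append("contextFactory.url is not ldaps://: simple binds send the password in clear")
    filt = main.get("ldapRealm.userSearchFilter", "")
    if filt and "{0}" not in filt:
        out.append("userSearchFilter has no {0}: the login name never reaches the search")
    if "ldapRealm.userDnTemplate" in main and (filt or "ldapRealm.userSearchAttributeName" in main):
        out.append("userDnTemplate and a user search are both set; the resolved config above keeps only one")
    return out


if __name__ == "__main__":
    cfg = load_shiro_ini(SAMPLE_SHIRO_INI)
    tmpl = cfg["main"]["ldapRealm.userSearchFilter"]
    for login in ("jdoe", "*)(uid=*"):  # the second is an injection-shaped login
        print(expand_user_filter(tmpl, login))
    print(shadowed_url_rules(cfg), realm_findings(cfg))
```

Run it as a script to see the expanded filters and the findings for the sample; pass the contents of a real shiro.ini to load_shiro_ini to check your own chain order and realm URL. Moving "/** = authc" above the admin rules in the sample makes all three roles[admin] rules show up as shadowed, which is the ordering mistake the first-match rule makes easy to introduce.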