If anyone will search, then the error "org.apache.zeppelin.livy.LivyException: {"msg":"User 'zeppelin-goa_datalake_1' not allowed to impersonate 'Some(sameer.dalai)'."} org.springframework.web.client.HttpClientErrorException: 403 Forbidden" Caused by livy settings. Here is how to change it https://community.cloudera.com/t5/Community-Articles/How-to-configure-zeppelin-livy-interpreter-for-secure-HDP/ta-p/249267 ... View more

@GangWar    This is still a problem in CDP 7.1.8 where there is no possibility of turning off the "Auto-TLS is Enabled" satus in Admin --> Security. Has anyone found the solution? I've now combed through UI settings, db and local files for anything to do with TLS and removed most if it.   I know its turned off but as long as CDP thinks that Auto-TLS is ON I can't run the Auto-TLS setup Wizzard. ... View more

It works for me ... View more

How would you check logs related to ldap , In mine all docker-container like superset_app , superset-worker showing no error, but i can't be able to log from normal user either or ldap one My configured things from flask_appbuilder.security.manager import AUTH_LDAP AUTH_TYPE = AUTH_LDAP AUTH_USER_REGISTRATION = True AUTH_LDAP_SERVER = "ldap://localhost:389" # AUTH_LDAP_SEARCH="ou=people,dc=superset,dc=com" AUTH_LDAP_SEARCH= "cn=admin,dc=ramhlocal,dc=com" # AUTH_LDAP_APPEND_DOMAIN = "XXX.com" AUTH_LDAP_UID_FIELD="cn" AUTH_LDAP_FIRSTNAME_FIELD= "Rohit" AUTH_LDAP_LASTTNAME_FIELD= "sn" AUTH_LDAP_USE_TLS = False # AUTH_LDAP_UID_FIELD=sAMAccountName # AUTH_LDAP_BIND_USER=CN=Bind,OU=Admin,dc=our,dc=domain AUTH_LDAP_ALLOW_SELF_SIGNED= True AUTH_LDAP_APPEND_DOMAIN= False ... View more

As a general statement this is not right by any means. LDAP provides secure and encrypted authentication (encrypted user password and SSL/TLS communication) , together with user/group management. It's only the Hadoop stack does not support this and the two only autentication methods implemented for all the CDP components are the dummy simple auth (described above) and the Kerberos authentication (used in combination with PAM or LDAP for user/group mappings). As an example, nothing less than Knox (the security gateway to HDP or CDP) implements full authenticacion using only LDAP (with TLS), and it only relies on Kerberos to authenticate a single service/proxy user to communicate with the rest of the cluster. ... View more

@vidanimegh ,i have changed referral to follow but still users not sync to Ranger also not able to find any error in the usersync.log. Please find below config parameters and request you to pleases suggest if anything needs to be correct.    ldapUrl: ldaps://ad.HWX.COM:636, ldapBindDn: CN=user1,OU=bda,DC=HWX,DC=COM, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=hadoop,dc=apache,dc=org, userSearchBase: [OU=bda,DC=HWX,DC=COM], userSearchScope: 2, userObjectClass: user, userSearchFilter: ((memberof=OU=bda,DC=HWX,DC=COM)(memberof=CN=hdpadmin,OU=bda,DC=HWX,DC=COM)), extendedUserSearchFilter: (&(objectclass=user)((memberof=OU=bda,DC=HWX,DC=COM)(memberof=CN=hdpadmin,OU=bda,DC=HWX,DC=COM))), userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName], userGroupNameAttributeSet: null, pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: [DC=HWX,DC=COM], groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: *, extendedGroupSearchFilter: (&(objectclass=group)(*)(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: (&(objectclass=group)(*)), groupMemberAttributeName: member, groupNameAttribute: cn, groupSearchAttributes: [member, cn], groupUserMapSyncEnabled: false, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: follow  ... View more

I was just able to confirm that the update command listed is Postgresql database flavor. ... View more

The following map rule is wrong:   RULE:[2:\$1@\$0](rm@MY_REALM)s/.*/rm/   the user for the ResourceManager is not "rm" but "yarn" and this should be the replacement value. This is the same as for the hadoop.security.auth_to_local in Hadoop/HDFS configuration. ... View more

To give some extra information (in case somebody guess about it) I have also tested adding the -b and -c options to curl, in order to use the received cookies in subsequent calls. Something like this: curl -i -k -u "admin:*****" -b cookies.txt -c cookies.txt --config headers-post.conf ... and the options included in headers-post.conf are: -X POST -H "X-Requested-By:admin" -H "Content-Type: application/json" -H "X-XSRF-HEADER:valid" But the problem is the same and I still receive "HTTP/1.1 403 Forbidden" when trying to execute any statement with LIvy over the session.   Best regards   ... View more

If you use the $ZK_HOST defined in infra-solr-env.sh you should not need to include the /infra-solr prefix when getting the solrconfig.xml: source /etc/ambari-infra-solr/conf/infra-solr-env.sh /usr/lib/ambari-infra-solr/server/scripts/cloud-scripts/zkcli.sh -z $ZK_HOST \ -cmd getfile /configs/ranger_audits/solrconfig.xml solrconfig.xml    The same applies when uploading the edited config. ... View more