Posted to dev@zeppelin.apache.org by "Nikolay (Jira)" <ji...@apache.org> on 2020/03/11 08:27:00 UTC

[jira] [Created] (ZEPPELIN-4677) Zeppelin auth using Okta

Nikolay created ZEPPELIN-4677:
---------------------------------

             Summary: Zeppelin auth using Okta
                 Key: ZEPPELIN-4677
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-4677
             Project: Zeppelin
          Issue Type: Bug
    Affects Versions: 0.8.2
            Reporter: Nikolay


I'm trying to set up Zeppelin 0.8.2 authentication via Okta using Knox 1.3.0.
After Zeppelin started I got an error in the logs:
{code:java}
ERROR [2020-03-10 11:08:59,437] ({main} KnoxJwtRealm.java[onInit]:88) - PrincipalMappingException in onInit
org.apache.zeppelin.realm.jwt.PrincipalMappingException: Unable to load mappings from provided string: principal.mapping - no principal mapping will be provided.
 at org.apache.zeppelin.realm.jwt.SimplePrincipalMapper.parseMapping(SimplePrincipalMapper.java:73)
Caused by: java.lang.StringIndexOutOfBoundsException: String index out of range: -1
 at java.lang.String.substring(String.java:1967)
 at org.apache.zeppelin.realm.jwt.SimplePrincipalMapper.parseMapping(SimplePrincipalMapper.java:59){code}

Knox redirect to Okta works well; after that Okta redirects me to the Zeppelin UI.
In the Zeppelin UI I see my login in the top right corner. I can import notebooks but I can't access any notebook.
Zeppelin logs:
{code:java}
 INFO [2020-03-10 14:59:51,495] ({main} ZeppelinServer.java[main]:249) - Done, zeppelin server started
 INFO [2020-03-10 15:02:18,317] ({qtp1728790703-19} Groups.java[refresh]:256) - clearing userToGroupsMap cache
 INFO [2020-03-10 15:02:18,393] ({qtp1728790703-19} Groups.java[refresh]:256) - clearing userToGroupsMap cache
 INFO [2020-03-10 15:02:19,318] ({qtp1728790703-17} NotebookServer.java[onOpen]:151) - New connection from 192.168.1.1 : 60894
 INFO [2020-03-10 15:02:19,539] ({qtp1728790703-16} Groups.java[refresh]:256) - clearing userToGroupsMap cache
 INFO [2020-03-10 15:02:19,547] ({qtp1728790703-16} Groups.java[refresh]:256) - clearing userToGroupsMap cache
 INFO [2020-03-10 15:03:59,705] ({qtp1728790703-61} Groups.java[refresh]:256) - clearing userToGroupsMap cache
 INFO [2020-03-10 15:03:59,738] ({qtp1728790703-61} Groups.java[refresh]:256) - clearing userToGroupsMap cache

{code}

Role list in Zeppelin UI configuration menu is empty:
roles []
Is Zeppelin integration with Okta functional?

Zeppelin shiro.ini:
{code:java}
[main]
knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
knoxJwtRealm.providerUrl = https://zeppelin.domain.tld:8443/
knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
knoxJwtRealm.logoutAPI = true
knoxJwtRealm.redirectParam = originalUrl
knoxJwtRealm.cookieName = hadoop-jwt
knoxJwtRealm.publicKeyPath = /opt/knox/conf/knoxsso.pem
knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
knoxJwtRealm.principalMapping = principal.mapping
authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
shiro.loginUrl = /api/login
[roles]
admin = *
[urls]
/** = authc{code}

My Knox sandbox.yml:
{code:java}
<?xml version="1.0"?>
<topology>
 <gateway>
 <provider>
 <role>webappsec</role>
 <name>WebAppSec</name>
 <enabled>true</enabled>
 <param>
 <name>cors.enabled</name>
 <value>true</value>
 </param>
 </provider>
 <provider>
 <role>federation</role>
 <name>SSOCookieProvider</name>
 <enabled>true</enabled>
 <param>
 <name>sso.authentication.provider.url</name>
 <value>https://zeppelin.domain.tld:8443/gateway/knoxsso/api/v1/websso</value>
 </param>
 </provider>
 <provider>
 <role>identity-assertion</role>
 <name>HadoopGroupProvider</name>
 <enabled>true</enabled>
 <param>
 <name>hadoop.security.group.mapping</name>
 <value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value>
 </param>
 </provider>
 </gateway>
 <service>
 <role>ZEPPELIN</role>
 <url>http://zeppelin.domain.tld:8080</url>
 </service>
 <service>
 <role>ZEPPELINUI</role>
 <url>http://zeppelin.domain.tld:8080</url>
 </service>
 <service>
 <role>ZEPPELINWS</role>
 <url>ws://zeppelin.domain.tld:8080/ws</url>
 </service>
</topology>{code}



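Added example (not part of the original report and not Zeppelin's own code): a stand-alone Java pre-flight check run over the two mapping values from the shiro.ini above. The stack trace ends in String.substring with index -1, which is what `substring(0, indexOf('='))` yields for a value containing no `=`. Assumptions: the mapper expects `;`-separated `principals=value` entries (a syntax the page does not show), and `MappingCheck` and `malformedEntries` are hypothetical names.

```java
import java.util.ArrayList;
import java.util.List;

/** Added example: pre-flight check for KnoxJwtRealm mapping strings. */
public class MappingCheck {

  // ASSUMPTION: entries are ';'-separated and each has the form
  // "principal1,principal2=value1,value2". Not shown on the page.
  static List<String> malformedEntries(String mappings) {
    List<String> bad = new ArrayList<>();
    if (mappings == null || mappings.trim().isEmpty()) {
      return bad; // nothing configured, nothing to parse
    }
    for (String entry : mappings.split(";")) {
      if (entry.isEmpty()) {
        continue; // tolerate a stray or trailing ';'
      }
      int eq = entry.indexOf('=');
      // eq == -1: no '=' at all, so substring(0, eq) would throw.
      // eq == 0: empty principal list; eq == last index: empty value.
      if (eq <= 0 || eq == entry.length() - 1) {
        bad.add(entry);
      }
    }
    return bad;
  }

  public static void main(String[] args) {
    String[][] settings = {
      // The two values exactly as they appear in the shiro.ini above.
      {"knoxJwtRealm.principalMapping", "principal.mapping"},
      {"knoxJwtRealm.groupPrincipalMapping", "group.principal.mapping"},
      // Constructed sample of a well-formed value (hypothetical names).
      {"constructed.sample", "alice,bob=analyst;carol=admin"},
    };
    for (String[] s : settings) {
      List<String> bad = malformedEntries(s[1]);
      System.out.println(s[0] + " -> " + (bad.isEmpty() ? "ok" : "malformed: " + bad));
    }
    // Same failure class as in the log: indexOf('=') is -1 for this value.
    String v = "principal.mapping";
    try {
      v.substring(0, v.indexOf('='));
    } catch (StringIndexOutOfBoundsException e) {
      System.out.println(e.getClass().getName());
    }
  }
}
```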