Posted to users@zeppelin.apache.org by Eyal Hashai <ey...@kenshoo.com> on 2018/10/29 10:21:06 UTC

LDAP cannot find\assign roles

Hello,
I've connected my Zeppelin server via LDAP for user authentication.
This works fine for auth; the problem is that I can't figure out how roles are
attached to a user. I need to set the "bigdata" group as admins.
Over the past week I have tried many different configurations and searched
online for a solution without success.

Does anyone have experience with this?
Any information or link would be highly appreciated!

Thank you

*shiro.ini:*

### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://1.2.3.4:389
ldapRealm.userDnTemplate = {0}@kenshooprd.local
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.systemUsername = "ldap@kenshooprd.local"
ldapRealm.contextFactory.systemPassword = XXXXXXX
ldapRealm.authorizationEnabled = true
ldapRealm.rolesByGroup = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
ldapRealm.rolesByGroup = bigdata: admin
ldapRealm.groupSearchBase = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
securityManager.realms = $ldapRealm
ldapRealm.groupSearchEnableMatchingRuleInChain = true


*Logs:*

TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login}
ThreadContext.java[get]:126) - get() - in thread [qtp1418428263-15 -
/api/login]
TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login}
ThreadContext.java[get]:133) - Retrieved value of type
[org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
[org.apache.shiro.util.ThreadContext_SUBJECT_KEY]
 bound to thread [qtp1418428263-15 - /api/login]
TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login}
DelegatingSubject.java[getSession]:317) - attempting to get session; create
= false; session is null = false; session has id = true
TRACE [2018-10-29 09:45:40,172] ({qtp1418428263-15 - /api/login}
AbstractValidatingSessionManager.java[doGetSession]:116) - Attempting to
retrieve session with key
org.apache.shiro.web.session.mgt.WebSessionKey@2573f425
 WARN [2018-10-29 09:45:40,175] ({qtp1418428263-15 - /api/login}
LoginRestApi.java[postLogin]:206) -
{"status":"OK","message":"","body":{"principal":"eyalh","ticket":"217d1409-f078-4424-bf8b-ccbef561d817",
"roles":"[]"}}
DEBUG [2018-10-29 09:45:40,177] ({qtp1418428263-15 - /api/login}
HttpConnection.java[process]:657) -
org.eclipse.jetty.server.HttpConnection$SendCallback@1e3b792a[PROCESSING][i=ResponseInfo{HTTP/1.1
200 OK,118,false},cb=org.eclipse.jetty
.server.HttpChannel$CommitCallback@1eabc124] generate: NEED_HEADER
(null,[p=0,l=118,c=8192,r=118],true)@START
DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} Parser.java[parse]:257)
- SERVER Parsed Frame: TEXT[len=109,fin=true,rsv=...,masked=true]

DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
Parser.java[notifyFrame]:186) - SERVER Notify
ExtensionStack[queueSize=0,extensions=[],incoming=org.eclipse.jetty.websocket.common.WebSocketSession,outgoing=org.eclipse.jetty.websocket.server.WebSocketServerConnection]
DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
AbstractEventDriver.java[incomingFrame]:103) -
incomingFrame(TEXT[len=109,fin=true,rsv=...,masked=true])
DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
NotebookServer.java[onMessage]:160) - RECEIVE << LIST_CONFIGURATIONS,
RECEIVE PRINCIPAL << eyalh, RECEIVE TICKET <<
217d1409-f078-4424-bf8b-ccbef561d817, *RECEIVE ROLES << []*, RECEIVE DATA
<< null
TRACE [2018-10-29 09:45:40,328] ({qtp1418428263-12}
NotebookServer.java[onMessage]:167) - RECEIVE MSG = Message{data=null,
op=LIST_CONFIGURATIONS}
DEBUG [2018-10-29 09:45:40,335] ({qtp1418428263-12}
WebSocketRemoteEndpoint.java[sendString]:385) - sendString with
HeapByteBuffer@5710df12[p=0,l=6199,c=6199,r=6199]={<<<{\n  "op":
"CONFIG...  "roles": ""\n}>>>}
DEBUG [2018-10-29 09:45:40,337] ({qtp1418428263-12}
ExtensionStack.java[outgoingFrame]:288) - Queuing
TEXT[len=6199,fin=true,rsv=...,masked=false]


*LDAP settings for user:*

[root@ecstgbhdp02-zeppelin conf]# ldapsearch -x -LLL -h 1.2.3.4 -D ldap@kenshooprd.local -w xxxxx -b "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local"
dn: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
objectClass: top
objectClass: group
cn: bigdata
member: CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local
distinguishedName: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
instanceType: 4
whenCreated: 20161129171457.0Z
whenChanged: 20181004121722.0Z
uSNCreated: 93111898
uSNChanged: 276782631
name: bigdata
objectGUID:: bBMye2mox0+hDkddqds1+g==
objectSid:: AQUAAAAAAAUVAAAAMtw+IXjVu14XG9q7IEEAAA==
sAMAccountName: bigdata
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=kenshooprd,DC=local
dSCorePropagationData: 20170723142935.0Z
dSCorePropagationData: 20170723142620.0Z
dSCorePropagationData: 16010101000417.0Z




Re: LDAP cannot find\assign roles

Posted by Fawze Abujaber <fa...@gmail.com>.
You need to use one of them: either the users block or LDAP/AD.

On Wed, 31 Oct 2018 at 9:39 Eyal Hashai <ey...@kenshoo.com> wrote:

>
> When I try to allow both the LDAP auth mechanism and uncomment [users] to add
> a specific user, I get this exception and Zeppelin won't start:
>
>
> TRACE [2018-10-31 07:34:10,137] ({main} ThreadContext.java[get]:126) -
> get() - in thread [main]
>  WARN [2018-10-31 07:34:10,138] ({main} ContextHandler.java[log]:2062) -
> unavailable
> MultiException stack 1 of 1
> java.lang.Exception: IniRealm/password based auth mechanisms should be
> exclusive. Consider removing [users] block from shiro.ini
>
>
> On Mon, Oct 29, 2018 at 11:15 PM Fawze Abujaber <fa...@gmail.com> wrote:
>
>> Hi Eyal,
>>
>> I think using LDAP or AD you can do the mapping between group and role,
>> while using the users section allows you to assign a user a role, and
>> in the urls section you can grant this role specific permissions.
>> Are you trying to allow some users to trigger a restart and
>> change the conf while others cannot?
>> Using the users and urls sections can provide you with this functionality.
>>
>> [users]
>> eyal = eyal, admin
>> fawze= fawze, member
>>
>> eyal has a role called admin and fawze is a member
>>
>> [urls]
>> /api/interpreter/** = authc, roles[admin]
>> /api/configurations/** = authc, roles[admin]
>> /api/credential/** = authc, roles[admin]
>>
>> Only users with the admin role can access the mentioned APIs; if you would
>> like to allow users with the member role to access the APIs, then
>> you need to add this in the urls section.
>>
>> I'm not sure if this is what you are looking for ....
>>
>> Please monitor the queries triggered through Zeppelin and check if
>> they are passing the user name to Impala, so you can monitor these queries
>> through Cloudera Manager ...
>>
>> On Mon, Oct 29, 2018 at 3:11 PM Eyal Hashai <ey...@kenshoo.com>
>> wrote:
>>
>>>
>>> Dear Fawze,
>>> Thanks for taking the time to reply!
>>> Unfortunately this solution did not work.. can you explain how it assigns
>>> roles to a group?
>>> I wouldn't mind having a manually inserted user (e.g. admin\admin), but
>>> Zeppelin doesn't seem to start if you have both LDAP and [users] configured.
>>>
>>> Thank you.
>>>
>>>
>>>
>>> On Mon, Oct 29, 2018 at 12:36 PM Fawze Abujaber <fa...@gmail.com>
>>> wrote:
>>>
>>>> Hi Eyal,
>>>>
>>>> I think this should be your search base:
>>>>
>>>> ldapRealm.groupSearchBase = "OU=OpenstackGroups,DC=kenshooprd,DC=local"
>>>>
>>>>
>>>> and you should comment
>>>> ldapRealm.rolesByGroup = bigdata: admin

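As an added illustration (not from the thread, and not Zeppelin's LdapRealm code) of why the posted configuration logs `roles: []`: a small Python model that parses the ldapsearch output shown above, checks the group entry against the configured groupSearchBase, tests membership and maps the group cn through rolesByGroup. It assumes a cn-keyed rolesByGroup mapping and a DN-suffix check for the search base; verify both against the LdapRealm shipped with your Zeppelin version.

```python
"""Offline model of a group-to-role lookup, run against the ldapsearch output
and shiro.ini values from this thread. Constructed example, not Zeppelin's
LdapRealm: it assumes the realm only considers group entries located under
groupSearchBase, tests membership via the group's member attribute, and keys
rolesByGroup by the group cn. Verify these against your Zeppelin version."""
import base64

# Trimmed copy of the ldapsearch output in the original post.
LDIF = """\
dn: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
objectClass: top
objectClass: group
cn: bigdata
member: CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local
sAMAccountName: bigdata
objectGUID:: bBMye2mox0+hDkddqds1+g==
"""
USER_DN = "CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local"
# groupSearchBase exactly as posted: a role-mapping string, not a DN.
POSTED_BASE = '"CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"'
# Search base suggested in the thread, paired with a cn-keyed role mapping.
FIXED_BASE = "OU=OpenstackGroups,DC=kenshooprd,DC=local"
ROLES_BY_GROUP = "bigdata: admin"


def parse_ldif(text):
    """Parse LDIF into [{attr: [values]}] with lower-cased attribute names.
    Unfolds continuation lines and decodes base64 values written 'attr:: b64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition("::")
        if sep:
            value = base64.b64decode(value.strip())   # binary attribute
        else:
            attr, _, value = line.partition(":")
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def split_dn(dn):
    """Normalise a DN into lower-cased RDNs (escaped commas are not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_under_base(dn, base):
    """True when dn is at or below base, i.e. base's RDNs are a suffix of dn's."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def parse_roles_by_group(setting):
    """'bigdata: admin, ops: member' -> {'bigdata': 'admin', 'ops': 'member'}.
    A full DN as key would be split on its own commas, so only cn keys work here."""
    mapping = {}
    for item in setting.split(","):
        group, sep, role = item.partition(":")
        if sep:
            mapping[group.strip().strip('"').lower()] = role.strip().strip('"')
    return mapping


def resolve_roles(user_dn, entries, search_base, roles_by_group, member_attr="member"):
    """Return (sorted roles, notes); every skipped group gets a note saying why."""
    user, mapping = split_dn(user_dn), parse_roles_by_group(roles_by_group)
    roles, notes = set(), []
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if "group" not in [c.lower() for c in entry.get("objectclass", [])]:
            continue                          # not a group entry
        if not dn_under_base(dn, search_base):
            notes.append(f"{dn}: outside groupSearchBase {search_base!r}")
            continue
        if user not in [split_dn(m) for m in entry.get(member_attr, [])]:
            notes.append(f"{dn}: {user_dn} is not listed in {member_attr}")
            continue
        cn = entry["cn"][0].lower()
        if cn not in mapping:
            notes.append(f"{dn}: cn={cn} has no rolesByGroup entry")
            continue
        roles.add(mapping[cn])
    return sorted(roles), notes


def demo():
    """Roles seen with the posted search base versus the suggested one."""
    entries = parse_ldif(LDIF)
    posted, why = resolve_roles(USER_DN, entries, POSTED_BASE, ROLES_BY_GROUP)
    fixed, _ = resolve_roles(USER_DN, entries, FIXED_BASE, ROLES_BY_GROUP)
    return posted, why, fixed                 # ([], [<one note>], ['admin'])
```

The notes returned for the posted base show the group being skipped because its DN does not sit under the configured search base, which is the kind of diagnostic the Zeppelin log above does not print.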

Re: LDAP cannot find\assign roles

Posted by Eyal Hashai <ey...@kenshoo.com>.
When I try to allow both the LDAP auth mechanism and uncomment [users] to add a
specific user, I get this exception and Zeppelin won't start:


TRACE [2018-10-31 07:34:10,137] ({main} ThreadContext.java[get]:126) -
get() - in thread [main]
 WARN [2018-10-31 07:34:10,138] ({main} ContextHandler.java[log]:2062) -
unavailable
MultiException stack 1 of 1
java.lang.Exception: IniRealm/password based auth mechanisms should be
exclusive. Consider removing [users] block from shiro.ini
        at
org.apache.zeppelin.server.ZeppelinServer.<init>(ZeppelinServer.java:112)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method)
        at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at
org.glassfish.hk2.utilities.reflection.ReflectionHelper.makeMe(ReflectionHelper.java:1375)
        at org.jvnet.hk2.internal.Utilities.justCreate(Utilities.java:1083)
        at
org.jvnet.hk2.internal.ServiceLocatorImpl.create(ServiceLocatorImpl.java:978)
        at
org.jvnet.hk2.internal.ServiceLocatorImpl.createAndInitialize(ServiceLocatorImpl.java:1082)
        at
org.jvnet.hk2.internal.ServiceLocatorImpl.createAndInitialize(ServiceLocatorImpl.java:1074)
        at
org.glassfish.jersey.inject.hk2.AbstractHk2InjectionManager.createAndInitialize(AbstractHk2InjectionManager.java:213)
        at
org.glassfish.jersey.inject.hk2.ImmediateHk2InjectionManager.createAndInitialize(ImmediateHk2InjectionManager.java:54)
        at
org.glassfish.jersey.server.ApplicationConfigurator.createApplication(ApplicationConfigurator.java:138)
        at
org.glassfish.jersey.server.ApplicationConfigurator.init(ApplicationConfigurator.java:96)
        at
org.glassfish.jersey.server.ApplicationHandler.lambda$initialize$0(ApplicationHandler.java:313)
        at java.util.Arrays$ArrayList.forEach(Arrays.java:3880)
        at
org.glassfish.jersey.server.ApplicationHandler.initialize(ApplicationHandler.java:313)
        at
org.glassfish.jersey.server.ApplicationHandler.<init>(ApplicationHandler.java:282)
        at
org.glassfish.jersey.servlet.WebComponent.<init>(WebComponent.java:335)
        at
org.glassfish.jersey.servlet.ServletContainer.init(ServletContainer.java:178)
        at
org.glassfish.jersey.servlet.ServletContainer.init(ServletContainer.java:370)
        at javax.servlet.GenericServlet.init(GenericServlet.java:244)
        at
org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:616)
        at
org.eclipse.jetty.servlet.ServletHolder.initialize(ServletHolder.java:396)
        at
org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:871)
        at
org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:298)
        at
org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1349)
        at
org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1342)
        at
org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:741)
        at
org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:505)
        at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
        at
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:163)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
        at org.eclipse.jetty.server.Server.start(Server.java:387)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
        at org.eclipse.jetty.server.Server.doStart(Server.java:354)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.apache.zeppelin.server.ZeppelinServer.main(ZeppelinServer.java:215)
DEBUG [2018-10-31 07:34:10,139] ({main} ServletHandler.java[initialize]:875) - EXCEPTION
javax.servlet.ServletException: rest@355bd4==org.glassfish.jersey.servlet.ServletContainer,-1,false
        at org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:637)
        at org.eclipse.jetty.servlet.ServletHolder.initialize(ServletHolder.java:396)
        at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:871)
        at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:298)
        at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1349)
        at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1342)
        at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:741)
        at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:505)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:163)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
        at org.eclipse.jetty.server.Server.start(Server.java:387)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
        at org.eclipse.jetty.server.Server.doStart(Server.java:354)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.apache.zeppelin.server.ZeppelinServer.main(ZeppelinServer.java:215)
Caused by: A MultiException has 1 exceptions.  They are:
1. java.lang.Exception: IniRealm/password based auth mechanisms should be exclusive. Consider removing [users] block from shiro.ini

        at org.jvnet.hk2.internal.Utilities.justCreate(Utilities.java:1085)
        at org.jvnet.hk2.internal.ServiceLocatorImpl.create(ServiceLocatorImpl.java:978)
        at org.jvnet.hk2.internal.ServiceLocatorImpl.createAndInitialize(ServiceLocatorImpl.java:1082)
        at org.jvnet.hk2.internal.ServiceLocatorImpl.createAndInitialize(ServiceLocatorImpl.java:1074)
        at org.glassfish.jersey.inject.hk2.AbstractHk2InjectionManager.createAndInitialize(AbstractHk2InjectionManager.java:213)
        at org.glassfish.jersey.inject.hk2.ImmediateHk2InjectionManager.createAndInitialize(ImmediateHk2InjectionManager.java:54)
        at org.glassfish.jersey.server.ApplicationConfigurator.createApplication(ApplicationConfigurator.java:138)
        at org.glassfish.jersey.server.ApplicationConfigurator.init(ApplicationConfigurator.java:96)
        at org.glassfish.jersey.server.ApplicationHandler.lambda$initialize$0(ApplicationHandler.java:313)
        at java.util.Arrays$ArrayList.forEach(Arrays.java:3880)
        at org.glassfish.jersey.server.ApplicationHandler.initialize(ApplicationHandler.java:313)
        at org.glassfish.jersey.server.ApplicationHandler.<init>(ApplicationHandler.java:282)
        at org.glassfish.jersey.servlet.WebComponent.<init>(WebComponent.java:335)
        at org.glassfish.jersey.servlet.ServletContainer.init(ServletContainer.java:178)
        at org.glassfish.jersey.servlet.ServletContainer.init(ServletContainer.java:370)
        at javax.servlet.GenericServlet.init(GenericServlet.java:244)
        at org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:616)
        ... 20 more



-- 
Eyal Hashai
Database Administrator - Big Data Team // Kenshoo
Office +972 (3) 746-6500 x552 // Mobile +972 (50) 404-0473
www.Kenshoo.com
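The thread turns up three configuration problems that can be caught before restarting Zeppelin: two rolesByGroup lines for the same realm, a groupSearchBase that carries a ':"admin"' mapping instead of a plain search DN, and a [users] block next to the LDAP realm, which is what the "IniRealm/password based auth mechanisms should be exclusive" exception above complains about. The following lint is an added example, not Zeppelin's or Shiro's own validation; it runs over a constructed copy of the shiro.ini from this thread (credentials and unrelated keys dropped), and FIXED_INI is my reading of the corrections Fawze suggests below, an assumption rather than a tested working setup.

```python
# Lint a Zeppelin shiro.ini for the LDAP role-mapping mistakes seen in this thread.
# Added example, not Zeppelin's or Shiro's own validation; INI parsing and the DN
# check are deliberately simplified (no escaped commas, '=' as the only separator).
import re
from collections import defaultdict

# Constructed sample modelled on the thread's config (unrelated keys and credentials
# dropped), plus the [users] block the poster said he tried to add.
BROKEN_INI = """
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.authorizationEnabled = true
ldapRealm.rolesByGroup = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
ldapRealm.rolesByGroup = bigdata: admin
ldapRealm.groupSearchBase = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
securityManager.realms = $ldapRealm

[users]
admin = admin, admin

[urls]
/api/interpreter/** = authc, roles[admin]
/** = authc, roles[member]
"""

# Same realm with the corrections suggested in the thread (assumed, not verified):
# a single rolesByGroup line, the OU as groupSearchBase, no [users] block.
FIXED_INI = """
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.authorizationEnabled = true
ldapRealm.rolesByGroup = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
ldapRealm.groupSearchBase = "OU=OpenstackGroups,DC=kenshooprd,DC=local"
securityManager.realms = $ldapRealm

[urls]
/api/interpreter/** = authc, roles[admin]
/** = authc
"""

DN_RE = re.compile(r'^[A-Za-z]+=[^,"]+(?:,[A-Za-z]+=[^,"]+)*$')
# "group: role" pairs; either side may be double-quoted so a DN with commas survives
PAIR_RE = re.compile(r'\s*("[^"]*"|[^,:"]+?)\s*:\s*("[^"]*"|[^,]+?)\s*(?:,|$)')

def unquote(value):
    return value[1:-1] if len(value) > 1 and value[0] == value[-1] == '"' else value

def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping duplicates and their order.
    Keys before the first [header] belong to [main], as in Shiro."""
    sections, current = defaultdict(list), "main"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current].append((key.strip(), value.strip()))
    return sections

def parse_roles_by_group(value):
    """'"CN=a,DC=b":"admin", devs: member' -> {'CN=a,DC=b': 'admin', 'devs': 'member'}"""
    return {unquote(g): unquote(r) for g, r in PAIR_RE.findall(value)}

def lint(text):
    """Return human-readable findings for one shiro.ini; an empty list means clean."""
    sections = parse_ini(text)
    by_key = defaultdict(list)
    for key, value in sections.get("main", []):
        by_key[key].append(value)
    findings = [f"duplicate key {k}: only the last value ({v[-1]}) takes effect"
                for k, v in by_key.items() if len(v) > 1]   # a section is a map: last wins
    ldap_realms = [k for k, v in sections.get("main", []) if v.rsplit(".", 1)[-1] == "LdapRealm"]
    produced = set()                  # roles some mapping can actually hand to a subject
    for realm in ldap_realms:
        for base in by_key.get(f"{realm}.groupSearchBase", []):
            if not DN_RE.match(unquote(base)):
                findings.append(f"{realm}.groupSearchBase is not a plain search DN: {base}")
        for value in by_key.get(f"{realm}.rolesByGroup", [])[-1:]:   # effective line only
            produced |= set(parse_roles_by_group(value).values())
    if ldap_realms and sections.get("users"):
        findings.append("[users] block defined next to an LDAP realm: Zeppelin refuses to "
                        "start (IniRealm/password based auth mechanisms should be exclusive)")
    for _, value in sections.get("users", []):              # user = password, role, ...
        produced |= {r.strip() for r in value.split(",")[1:]}
    required = set()
    for _, value in sections.get("urls", []):
        for m in re.finditer(r"roles\[([^\]]+)\]", value):
            required |= {r.strip() for r in m.group(1).split(",")}
    findings += [f"[urls] requires role '{r}' but no mapping can produce it"
                 for r in sorted(required - produced)]
    return findings

if __name__ == "__main__":
    for name, ini in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        print(f"{name}: {lint(ini) or ['OK']}")
```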

Re: LDAP cannot find\assign roles

Posted by Fawze Abujaber <fa...@gmail.com>.
Hi Eyal,

I think using LDAP or AD you can do the mapping between group and role,
while the users section allows you to assign a role to a user, and in the
urls section you can give this role specific permissions.
Are you trying to allow some users to trigger a restart and change the
conf while others cannot?
Using the users and urls sections can provide you with this functionality.

[users]
eyal = eyal, admin
fawze = fawze, member

eyal has a role called admin and fawze is a member

[urls]
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]

Only users with the admin role can access the mentioned APIs; if you would
like to allow users with the member role to access the APIs as well, you
need to add this in the urls section.

I'm not sure if this is what you are looking for ....

Please monitor the queries triggered through Zeppelin and check if
they are passing the user name to Impala, so you can monitor these queries
through Cloudera Manager ...




-- 
Take Care
Fawze Abujaber

Re: LDAP cannot find\assign roles

Posted by Eyal Hashai <ey...@kenshoo.com>.
Dear Fawze,
Thanks for taking the time to reply!
Unfortunately this solution did not work. Can you explain how it assigns
roles to a group?
I wouldn't mind having a manually inserted user (e.g. admin\admin) but
Zeppelin doesn't seem to start if you have both LDAP and [user] configured.

Thank you.






Re: LDAP cannot find\assign roles

Posted by Fawze Abujaber <fa...@gmail.com>.
Hi Eyal,

I think this should be your search base:

ldapRealm.groupSearchBase = "OU=OpenstackGroups,DC=kenshooprd,DC=local"


and you should comment
ldapRealm.rolesByGroup = bigdata: admin

>  WARN [2018-10-29 09:45:40,175] ({qtp1418428263-15 - /api/login}
> LoginRestApi.java[postLogin]:206) -
> {"status":"OK","message":"","body":{"principal":"eyalh","ticket":"217d1409-f078-4424-bf8b-ccbef561d817",
> "roles":"[]"}}
> DEBUG [2018-10-29 09:45:40,177] ({qtp1418428263-15 - /api/login}
> HttpConnection.java[process]:657) -
> org.eclipse.jetty.server.HttpConnection$SendCallback@1e3b792a[PROCESSING][i=ResponseInfo{HTTP/1.1
> 200 OK,118,false},cb=org.eclipse.jetty
> .server.HttpChannel$CommitCallback@1eabc124] generate: NEED_HEADER
> (null,[p=0,l=118,c=8192,r=118],true)@START
> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
> Parser.java[parse]:257) - SERVER Parsed Frame:
> TEXT[len=109,fin=true,rsv=...,masked=true]
>
> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
> Parser.java[notifyFrame]:186) - SERVER Notify
> ExtensionStack[queueSize=0,extensions=[],incoming=org.eclipse.jetty.websocket.common.WebSocketSession,outgoing=org.eclipse.jetty.websocket.server.WebSocketServerConnection]
> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
> AbstractEventDriver.java[incomingFrame]:103) -
> incomingFrame(TEXT[len=109,fin=true,rsv=...,masked=true])
> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
> NotebookServer.java[onMessage]:160) - RECEIVE << LIST_CONFIGURATIONS,
> RECEIVE PRINCIPAL << eyalh, RECEIVE TICKET <<
> 217d1409-f078-4424-bf8b-ccbef561d817, *RECEIVE ROLES << []*, RECEIVE DATA
> << null
> TRACE [2018-10-29 09:45:40,328] ({qtp1418428263-12}
> NotebookServer.java[onMessage]:167) - RECEIVE MSG = Message{data=null,
> op=LIST_CONFIGURATIONS}
> DEBUG [2018-10-29 09:45:40,335] ({qtp1418428263-12}
> WebSocketRemoteEndpoint.java[sendString]:385) - sendString with
> HeapByteBuffer@5710df12[p=0,l=6199,c=6199,r=6199]={<<<{\n  "op":
> "CONFIG...  "roles": ""\n}>>>}
> DEBUG [2018-10-29 09:45:40,337] ({qtp1418428263-12}
> ExtensionStack.java[outgoingFrame]:288) - Queuing
> TEXT[len=6199,fin=true,rsv=...,masked=false]
>
>
> *LDAP settings for user:*
>
> [root@ecstgbhdp02-zeppelin conf]# ldapsearch -x -LLL -h 1.2.3.4 -D
> ldap@kenshooprd.local -w xxxxx -b
> "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local"
> dn: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
> objectClass: top
> objectClass: group
> cn: bigdata
> member: CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local
> distinguishedName: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
> instanceType: 4
> whenCreated: 20161129171457.0Z
> whenChanged: 20181004121722.0Z
> uSNCreated: 93111898
> uSNChanged: 276782631
> name: bigdata
> objectGUID:: bBMye2mox0+hDkddqds1+g==
> objectSid:: AQUAAAAAAAUVAAAAMtw+IXjVu14XG9q7IEEAAA==
> sAMAccountName: bigdata
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=kenshooprd,DC=local
> dSCorePropagationData: 20170723142935.0Z
> dSCorePropagationData: 20170723142620.0Z
> dSCorePropagationData: 16010101000417.0Z
>
>
>



-- 
Take Care
Fawze Abujaber
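To make the search-base point concrete, here is an added Python model of the group-to-role lookup (example code written for this thread, not Zeppelin's or Shiro's own implementation). It parses the group entry from the ldapsearch output above (embedded as a constructed LDIF sample), keeps only group entries whose DN sits under the configured groupSearchBase, checks the user's DN against the group's `member` attribute, and maps the group's `cn` to a role through a `group: role` mapping in the style of the Zeppelin docs. The assumptions are: the AD object class `group` and the `member` attribute as shown in the thread's output, and a rolesByGroup keyed by the short group name rather than the full DN. Run against the original config's base value (a group DN with `:"admin"` appended) it finds no role; run against the OU base suggested in the reply it returns `admin`.

```python
import re
from typing import Dict, List

# Constructed sample: the group entry returned by ldapsearch in the thread,
# trimmed to the attributes the lookup needs.
LDIF_SAMPLE = """\
dn: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
objectClass: top
objectClass: group
cn: bigdata
member: CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local
sAMAccountName: bigdata
"""

# The authenticated user's DN, taken from the group's member attribute above.
USER_DN = "CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local"

# groupSearchBase as written in the original shiro.ini (a group DN plus a role
# suffix) versus the OU base proposed in the reply.
BAD_BASE = '"CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"'
GOOD_BASE = "OU=OpenstackGroups,DC=kenshooprd,DC=local"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: one entry per blank-line-separated block, no line
    folding; base64 ('::') values are kept as their raw encoded string."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.lstrip(":").strip())
    if current:
        entries.append(current)
    return entries


def norm_dn(dn: str) -> str:
    """Case-insensitive DN comparison form: trim whitespace around RDNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_under_base(dn: str, base: str) -> bool:
    """True if dn equals base or is somewhere below it in the tree."""
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith("," + b)


def parse_roles_by_group(value: str) -> Dict[str, str]:
    """Parse 'group1: role1, group2: role2' (short group names as keys)."""
    mapping: Dict[str, str] = {}
    for pair in value.split(","):
        if ":" not in pair:
            continue
        group, role = pair.split(":", 1)
        mapping[group.strip().strip('"')] = role.strip().strip('"')
    return mapping


def roles_for_user(user_dn: str, entries: List[Dict[str, List[str]]],
                   group_search_base: str, roles_by_group: Dict[str, str]) -> List[str]:
    """Resolve roles: only group entries under the search base that list the
    user as a member contribute, and only if their cn is in roles_by_group."""
    roles = set()
    user = norm_dn(user_dn)
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "group" not in classes:
            continue
        group_dn = entry["dn"][0]
        if not dn_under_base(group_dn, group_search_base):
            continue  # outside the configured base: the realm never sees it
        members = {norm_dn(m) for m in entry.get("member", [])}
        if user not in members:
            continue
        cn = entry.get("cn", [""])[0]
        role = roles_by_group.get(cn)
        if role:
            roles.add(role)
    return sorted(roles)


if __name__ == "__main__":
    groups = parse_ldif(LDIF_SAMPLE)
    mapping = parse_roles_by_group("bigdata: admin")
    print("bad base  ->", roles_for_user(USER_DN, groups, BAD_BASE, mapping))
    print("good base ->", roles_for_user(USER_DN, groups, GOOD_BASE, mapping))
```

The model makes the failure mode visible: with the malformed base nothing is under it, so the user ends up with `roles: []` exactly as the login log shows, regardless of how rolesByGroup is written. Any real fix should then be confirmed the same way the thread does, by reading the `RECEIVE ROLES` value in the Zeppelin log after login.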