Posted to users@zeppelin.apache.org by Polina Marasanova <Po...@quantium.com.au> on 2016/09/08 02:06:00 UTC

RE: Authenticate 1 user per notebook

One more thing. In Zeppelin logs there are many messages like this:

16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE << PING
16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE PRINCIPAL << 
16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE TICKET << 
16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE ROLES << 
16/09/08 02:03:46 ERROR NotebookServer: Can't handle message
java.lang.Exception: Invalid ticket  != f2810e7a-de64-4e41-b615-f31cd5bf7d68
	at org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:117)
	at org.apache.zeppelin.socket.NotebookSocket.onWebSocketText(NotebookSocket.java:56)
	at org.eclipse.jetty.websocket.common.events.JettyListenerEventDriver.onTextMessage(JettyListenerEventDriver.java:128)
	at org.eclipse.jetty.websocket.common.message.SimpleTextMessage.messageComplete(SimpleTextMessage.java:69)
	at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.appendMessage(AbstractEventDriver.java:65)
	at org.eclipse.jetty.websocket.common.events.JettyListenerEventDriver.onTextFrame(JettyListenerEventDriver.java:122)
	at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.incomingFrame(AbstractEventDriver.java:161)
	at org.eclipse.jetty.websocket.common.WebSocketSession.incomingFrame(WebSocketSession.java:309)
	at org.eclipse.jetty.websocket.common.extensions.ExtensionStack.incomingFrame(ExtensionStack.java:214)
	at org.eclipse.jetty.websocket.common.Parser.notifyFrame(Parser.java:220)
	at org.eclipse.jetty.websocket.common.Parser.parse(Parser.java:258)
	at org.eclipse.jetty.websocket.common.io.AbstractWebSocketConnection.readParse(AbstractWebSocketConnection.java:632)
	at org.eclipse.jetty.websocket.common.io.AbstractWebSocketConnection.onFillable(AbstractWebSocketConnection.java:480)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)

Looks like it's related to the auth process.
________________________________________
From: Polina Marasanova [Polina.Marasanova@quantium.com.au]
Sent: Wednesday, 17 August 2016 10:48 AM
To: users@zeppelin.apache.org
Subject: Authenticate 1 user per notebook

Hi everyone,

I'm back with my authentication questions. Here is my shiro.ini config file. The problem is that it lets in all users from search base "OU=Users,DC=companyname,DC=local".
How can I restrict the access to only one user who owns a notebook? The process zeppelin-daemon.sh is run by this user.

[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = userNameA
activeDirectoryRealm.systemPassword = passwordA
activeDirectoryRealm.searchBase = "OU=Users,DC=companyname,DC=local"
activeDirectoryRealm.principalSuffix = @companyname.local
activeDirectoryRealm.url = ldap://ldapserver.companyname.local:389
activeDirectoryRealm.groupRolesMap = "OU=Users,DC=companyname,DC=local":"admin"
activeDirectoryRealm.authorizationCachingEnabled = false
securityManager.realms = $activeDirectoryRealm

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
/** = authc


Thanks
Cheers
Polina

Re: Authenticate 1 user per notebook

Posted by Khalid Huseynov <kh...@nflabs.com>.
Regarding the latter message on the invalid token: that stack trace is
possible when someone logs out from Zeppelin but keeps the window open in
the browser. It then keeps sending websocket ping messages with an invalid
ticket, which causes errors in Zeppelin.
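
An added example, not part of the original thread or of Zeppelin's own code: a small log triage script that separates the empty-ticket errors described in the reply above (a logged-out tab that keeps pinging) from errors where a non-empty ticket failed to match. It assumes the message layout "Invalid ticket <presented> != <expected>" as read off the log excerpt in this thread; the sample log and the names `triage` and `summarize` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the log excerpt quoted in this thread.
# The second event (non-empty presented ticket) is invented for contrast.
SAMPLE_LOG = """\
16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE << PING
16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE PRINCIPAL <<
16/09/08 02:03:46 DEBUG NotebookServer: RECEIVE TICKET <<
16/09/08 02:03:46 ERROR NotebookServer: Can't handle message
java.lang.Exception: Invalid ticket  != 00000000-0000-0000-0000-000000000001
\tat org.apache.zeppelin.socket.NotebookServer.onMessage(NotebookServer.java:117)
16/09/08 02:04:10 DEBUG NotebookServer: RECEIVE PRINCIPAL << userNameA
16/09/08 02:04:10 DEBUG NotebookServer: RECEIVE TICKET << 00000000-0000-0000-0000-0000000000ff
16/09/08 02:04:10 ERROR NotebookServer: Can't handle message
java.lang.Exception: Invalid ticket 00000000-0000-0000-0000-0000000000ff != 00000000-0000-0000-0000-000000000002
"""

STAMPED = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \w+ NotebookServer: (.*)$")
PRINCIPAL = re.compile(r"RECEIVE PRINCIPAL <<\s*(.*)")
INVALID = re.compile(r"Invalid ticket (.*?) != (\S+)")  # assumed layout: presented != expected


def triage(log_text):
    """Return one record per 'Invalid ticket' error: time, principal, kind."""
    events, last_ts, principal = [], None, ""
    for line in log_text.splitlines():
        stamped = STAMPED.match(line)
        if stamped:
            last_ts = stamped.group(1)
            seen = PRINCIPAL.match(stamped.group(2))
            if seen:  # only present when DEBUG logging is on
                principal = seen.group(1).strip()
            continue
        bad = INVALID.search(line)
        if bad:
            presented = bad.group(1).strip()
            # empty ticket: matches the logged-out-tab case from the reply;
            # non-empty mismatch: not explained by the reply, review separately.
            kind = "mismatched_ticket" if presented else "empty_ticket"
            # Tickets are session credentials, so record the kind, not the value.
            events.append({"time": last_ts, "principal": principal or "(none)", "kind": kind})
            principal = ""
    return events


def summarize(events):
    """Count events per kind."""
    return Counter(e["kind"] for e in events)
```
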
