[jira] [Created] (ZEPPELIN-5581) SPNEGO authentication does not work

Wed, 03 Nov 2021 07:14:09 -0700 

Aleksey Nevgin created ZEPPELIN-5581:
----------------------------------------

             Summary: SPNEGO authentication does not work 
                 Key: ZEPPELIN-5581
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-5581
             Project: Zeppelin
          Issue Type: Bug
          Components: zeppelin-server
    Affects Versions: 0.10.0
         Environment: hdp 2.7.3, edge node

kerberos client - krb5-workstation-1.15.1-50.el7.x86_64

 
            Reporter: Aleksey Nevgin


Registered in the shiro.ini config all parameters as required by the 
documentation.
However, there is an error in the logs: WARN [2021-11-03 16: 31: 50,124] 
(\{qtp681094281-59} KerberosRealm.java [doKerberosAuth]: 525) - Authentication 
exception: GSSException: No valid credentials provided (Mechanism level: Failed 
to find any Kerberos credentails)
 tcpdump -i any -s0 -A port 88 shows that no calls to the kerberos server occur 
during SPNEGO authentication.
As I understand it, you need to specify when starting jaas.conf, but what 
application name should you specify in it?
I specified com.sun.security.jgss.krb5.initiate but no positive changes.
With this, zeppelin successfully authenticates to hadoop hdfs.
The environment variables are specified in zeppelin-env.sh:
export JAVA_HOME = '/ usr / lib / jvm / jre-1.8.0'
export KRB5_CONFIG = / etc / krb5.conf
export HADOOP_HOME = / usr / hdp / current / hadoop-client /
export HADOOP_CONF_DIR = '/ etc / hadoop / conf'

shiro.ini:
[users]
password = password
user = user

[main]
krbRealm = org.apache.zeppelin.realm.kerberos.KerberosRealm
krbRealm.keytab = / etc / security / keytabs / zeppelin.service.keytab
krbRealm.cookiePath = /
krbRealm.signatureSecretFile = / etc / security / http_secret
krbRealm.nameRules = DEFAULT
krbRealm.tokenValidity = 36000
krbRealm.cookieDomain = dclub.ru
krbRealm.principal=HTTP/zeppelin.dclub.ru@XXX
authc = org.apache.zeppelin.realm.kerberos.KerberosAuthenticationFilter
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $ sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = / api / login

[roles]
perms = *
role = role

[urls]
/ api / version = anon
/ ** = authc



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to