When I try to enable both the LDAP auth mechanism and the [users] block (uncommented to add a
specific user), I get this exception and Zeppelin won't start:
TRACE [2018-10-31 07:34:10,137] ({main} ThreadContext.java[get]:126) -
get() - in thread [main]
WARN [2018-10-31 07:34:10,138] ({main} ContextHandler.java[log]:2062) -
unavailable
MultiException stack 1 of 1
java.lang.Exception: IniRealm/password based auth mechanisms should be
exclusive. Consider removing [users] block from shiro.ini
at
org.apache.zeppelin.server.ZeppelinServer.<init>(ZeppelinServer.java:112)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at
org.glassfish.hk2.utilities.reflection.ReflectionHelper.makeMe(ReflectionHelper.java:1375)
at org.jvnet.hk2.internal.Utilities.justCreate(Utilities.java:1083)
at
org.jvnet.hk2.internal.ServiceLocatorImpl.create(ServiceLocatorImpl.java:978)
at
org.jvnet.hk2.internal.ServiceLocatorImpl.createAndInitialize(ServiceLocatorImpl.java:1082)
at
org.jvnet.hk2.internal.ServiceLocatorImpl.createAndInitialize(ServiceLocatorImpl.java:1074)
at
org.glassfish.jersey.inject.hk2.AbstractHk2InjectionManager.createAndInitialize(AbstractHk2InjectionManager.java:213)
at
org.glassfish.jersey.inject.hk2.ImmediateHk2InjectionManager.createAndInitialize(ImmediateHk2InjectionManager.java:54)
at
org.glassfish.jersey.server.ApplicationConfigurator.createApplication(ApplicationConfigurator.java:138)
at
org.glassfish.jersey.server.ApplicationConfigurator.init(ApplicationConfigurator.java:96)
at
org.glassfish.jersey.server.ApplicationHandler.lambda$initialize$0(ApplicationHandler.java:313)
at java.util.Arrays$ArrayList.forEach(Arrays.java:3880)
at
org.glassfish.jersey.server.ApplicationHandler.initialize(ApplicationHandler.java:313)
at
org.glassfish.jersey.server.ApplicationHandler.<init>(ApplicationHandler.java:282)
at
org.glassfish.jersey.servlet.WebComponent.<init>(WebComponent.java:335)
at
org.glassfish.jersey.servlet.ServletContainer.init(ServletContainer.java:178)
at
org.glassfish.jersey.servlet.ServletContainer.init(ServletContainer.java:370)
at javax.servlet.GenericServlet.init(GenericServlet.java:244)
at
org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:616)
at
org.eclipse.jetty.servlet.ServletHolder.initialize(ServletHolder.java:396)
at
org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:871)
at
org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:298)
at
org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1349)
at
org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1342)
at
org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:741)
at
org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:505)
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
at
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
at
org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
at
org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:163)
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
at org.eclipse.jetty.server.Server.start(Server.java:387)
at
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
at
org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
at org.eclipse.jetty.server.Server.doStart(Server.java:354)
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at
org.apache.zeppelin.server.ZeppelinServer.main(ZeppelinServer.java:215)
DEBUG [2018-10-31 07:34:10,139] ({main}
ServletHandler.java[initialize]:875) - EXCEPTION
javax.servlet.ServletException: rest@355bd4
==org.glassfish.jersey.servlet.ServletContainer,-1,false
at
org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:637)
at
org.eclipse.jetty.servlet.ServletHolder.initialize(ServletHolder.java:396)
at
org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:871)
at
org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:298)
at
org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1349)
at
org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1342)
at
org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:741)
at
org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:505)
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
at
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
at
org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
at
org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:163)
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
at org.eclipse.jetty.server.Server.start(Server.java:387)
at
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
at
org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
at org.eclipse.jetty.server.Server.doStart(Server.java:354)
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at
org.apache.zeppelin.server.ZeppelinServer.main(ZeppelinServer.java:215)
Caused by: A MultiException has 1 exceptions. They are:
1. java.lang.Exception: IniRealm/password based auth mechanisms should be
exclusive. Consider removing [users] block from shiro.ini
at org.jvnet.hk2.internal.Utilities.justCreate(Utilities.java:1085)
at
org.jvnet.hk2.internal.ServiceLocatorImpl.create(ServiceLocatorImpl.java:978)
at
org.jvnet.hk2.internal.ServiceLocatorImpl.createAndInitialize(ServiceLocatorImpl.java:1082)
at
org.jvnet.hk2.internal.ServiceLocatorImpl.createAndInitialize(ServiceLocatorImpl.java:1074)
at
org.glassfish.jersey.inject.hk2.AbstractHk2InjectionManager.createAndInitialize(AbstractHk2InjectionManager.java:213)
at
org.glassfish.jersey.inject.hk2.ImmediateHk2InjectionManager.createAndInitialize(ImmediateHk2InjectionManager.java:54)
at
org.glassfish.jersey.server.ApplicationConfigurator.createApplication(ApplicationConfigurator.java:138)
at
org.glassfish.jersey.server.ApplicationConfigurator.init(ApplicationConfigurator.java:96)
at
org.glassfish.jersey.server.ApplicationHandler.lambda$initialize$0(ApplicationHandler.java:313)
at java.util.Arrays$ArrayList.forEach(Arrays.java:3880)
at
org.glassfish.jersey.server.ApplicationHandler.initialize(ApplicationHandler.java:313)
at
org.glassfish.jersey.server.ApplicationHandler.<init>(ApplicationHandler.java:282)
at
org.glassfish.jersey.servlet.WebComponent.<init>(WebComponent.java:335)
at
org.glassfish.jersey.servlet.ServletContainer.init(ServletContainer.java:178)
at
org.glassfish.jersey.servlet.ServletContainer.init(ServletContainer.java:370)
at javax.servlet.GenericServlet.init(GenericServlet.java:244)
at
org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:616)
... 20 more
On Mon, Oct 29, 2018 at 11:15 PM Fawze Abujaber <[email protected]> wrote:
> Hi Eyal,
>
> I think that with LDAP or AD you can map groups to roles, while the [users]
> section lets you assign a role to a user, and the [urls] section lets you
> grant that role specific permissions.
> Are you trying to allow some users to trigger a restart and change the
> configuration while others cannot?
> The [users] and [urls] sections can provide that functionality.
>
> [users]
> eyal = eyal, admin
> fawze= fawze, member
>
> eyal has a role called admin and fawze is a member
>
> [urls]
> /api/interpreter/** = authc, roles[admin]
> /api/configurations/** = authc, roles[admin]
> /api/credential/** = authc, roles[admin]
>
> Only users with the admin role can access the APIs listed above; if you would
> like users with the member role to have access to those APIs as well, you
> need to add that to the [urls] section.
>
> I'm not sure if this is what you are looking for ....
>
> Please monitor the queries triggered through Zeppelin and check whether
> they pass the user name to Impala, so you can monitor those queries
> through Cloudera Manager ...
>
> On Mon, Oct 29, 2018 at 3:11 PM Eyal Hashai <[email protected]>
> wrote:
>
>>
>> Dear Fawze,
>> Thanks for taking the time to reply!
>> Unfortunately this solution did not work. Can you explain how it assigns
>> roles to a group?
>> I wouldn't mind having a manually inserted user (e.g. admin\admin), but
>> Zeppelin doesn't seem to start if you have both LDAP and [users] configured.
>>
>> Thank you.
>>
>>
>>
>> On Mon, Oct 29, 2018 at 12:36 PM Fawze Abujaber <[email protected]>
>> wrote:
>>
>>> Hi Eyal,
>>>
>>> I think this should be your search base:
>>>
>>> ldapRealm.groupSearchBase = "OU=OpenstackGroups,DC=kenshooprd,DC=local"
>>>
>>>
>>> and you should comment out the line
>>> ldapRealm.rolesByGroup = bigdata: admin
>>>
>>> On Mon, Oct 29, 2018 at 12:21 PM Eyal Hashai <[email protected]>
>>> wrote:
>>>
>>>>
>>>> Hello,
>>>> I've connected my Zeppelin server to LDAP for user authentication.
>>>> This works fine for auth; the problem is that I can't figure out how roles
>>>> are attached to a user. I need to set the "bigdata" group as admins.
>>>> Over the past week I have tried many different configurations and
>>>> searched online for a solution without success.
>>>>
>>>> Does anyone have experience with this?
>>>> Any information or link would be highly appreciated!
>>>>
>>>> Thank you
>>>>
>>>> *shiro.ini:*
>>>>
>>>> ### A sample for configuring LDAP Directory Realm
>>>> ldapRealm = org.apache.zeppelin.realm.LdapRealm
>>>> ldapRealm.contextFactory.url = ldap://1.2.3.4:389
>>>> ldapRealm.userDnTemplate = {0}@kenshooprd.local
>>>> ldapRealm.contextFactory.authenticationMechanism = simple
>>>> ldapRealm.contextFactory.systemUsername = "[email protected]"
>>>> ldapRealm.contextFactory.systemPassword = XXXXXXX
>>>> ldapRealm.authorizationEnabled = true
>>>> ldapRealm.rolesByGroup =
>>>> "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
>>>> ldapRealm.rolesByGroup = bigdata: admin
>>>> ldapRealm.groupSearchBase =
>>>> "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
>>>> securityManager.realms = $ldapRealm
>>>> ldapRealm.groupSearchEnableMatchingRuleInChain = true
>>>>
>>>>
>>>> *Logs:*
>>>>
>>>> TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login}
>>>> ThreadContext.java[get]:126) - get() - in thread [qtp1418428263-15 -
>>>> /api/login]
>>>> TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login}
>>>> ThreadContext.java[get]:133) - Retrieved value of type
>>>> [org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
>>>> [org.apache.shiro.util.ThreadContext_SUBJECT_KEY]
>>>> bound to thread [qtp1418428263-15 - /api/login]
>>>> TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login}
>>>> DelegatingSubject.java[getSession]:317) - attempting to get session; create
>>>> = false; session is null = false; session has id = true
>>>> TRACE [2018-10-29 09:45:40,172] ({qtp1418428263-15 - /api/login}
>>>> AbstractValidatingSessionManager.java[doGetSession]:116) - Attempting to
>>>> retrieve session with key
>>>> org.apache.shiro.web.session.mgt.WebSessionKey@2573f425
>>>> WARN [2018-10-29 09:45:40,175] ({qtp1418428263-15 - /api/login}
>>>> LoginRestApi.java[postLogin]:206) -
>>>> {"status":"OK","message":"","body":{"principal":"eyalh","ticket":"217d1409-f078-4424-bf8b-ccbef561d817",
>>>> "roles":"[]"}}
>>>> DEBUG [2018-10-29 09:45:40,177] ({qtp1418428263-15 - /api/login}
>>>> HttpConnection.java[process]:657) -
>>>> org.eclipse.jetty.server.HttpConnection$SendCallback@1e3b792a[PROCESSING][i=ResponseInfo{HTTP/1.1
>>>> 200 OK,118,false},cb=org.eclipse.jetty
>>>> .server.HttpChannel$CommitCallback@1eabc124] generate: NEED_HEADER
>>>> (null,[p=0,l=118,c=8192,r=118],true)@START
>>>> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
>>>> Parser.java[parse]:257) - SERVER Parsed Frame:
>>>> TEXT[len=109,fin=true,rsv=...,masked=true]
>>>>
>>>> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
>>>> Parser.java[notifyFrame]:186) - SERVER Notify
>>>> ExtensionStack[queueSize=0,extensions=[],incoming=org.eclipse.jetty.websocket.common.WebSocketSession,outgoing=org.eclipse.jetty.websocket.server.WebSocketServerConnection]
>>>> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
>>>> AbstractEventDriver.java[incomingFrame]:103) -
>>>> incomingFrame(TEXT[len=109,fin=true,rsv=...,masked=true])
>>>> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12}
>>>> NotebookServer.java[onMessage]:160) - RECEIVE << LIST_CONFIGURATIONS,
>>>> RECEIVE PRINCIPAL << eyalh, RECEIVE TICKET <<
>>>> 217d1409-f078-4424-bf8b-ccbef561d817, *RECEIVE ROLES << []*, RECEIVE
>>>> DATA << null
>>>> TRACE [2018-10-29 09:45:40,328] ({qtp1418428263-12}
>>>> NotebookServer.java[onMessage]:167) - RECEIVE MSG = Message{data=null,
>>>> op=LIST_CONFIGURATIONS}
>>>> DEBUG [2018-10-29 09:45:40,335] ({qtp1418428263-12}
>>>> WebSocketRemoteEndpoint.java[sendString]:385) - sendString with
>>>> HeapByteBuffer@5710df12[p=0,l=6199,c=6199,r=6199]={<<<{\n "op":
>>>> "CONFIG... "roles": ""\n}>>>}
>>>> DEBUG [2018-10-29 09:45:40,337] ({qtp1418428263-12}
>>>> ExtensionStack.java[outgoingFrame]:288) - Queuing
>>>> TEXT[len=6199,fin=true,rsv=...,masked=false]
>>>>
>>>>
>>>> *LDAP settings for user:*
>>>>
>>>> [root@ecstgbhdp02-zeppelin conf]# ldapsearch -x -LLL -h 1.2.3.4 -D
>>>> [email protected] -w xxxxx -b
>>>> "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local"
>>>> dn: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
>>>> objectClass: top
>>>> objectClass: group
>>>> cn: bigdata
>>>> member: CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local
>>>> distinguishedName: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
>>>> instanceType: 4
>>>> whenCreated: 20161129171457.0Z
>>>> whenChanged: 20181004121722.0Z
>>>> uSNCreated: 93111898
>>>> uSNChanged: 276782631
>>>> name: bigdata
>>>> objectGUID:: bBMye2mox0+hDkddqds1+g==
>>>> objectSid:: AQUAAAAAAAUVAAAAMtw+IXjVu14XG9q7IEEAAA==
>>>> sAMAccountName: bigdata
>>>> sAMAccountType: 268435456
>>>> groupType: -2147483646
>>>> objectCategory:
>>>> CN=Group,CN=Schema,CN=Configuration,DC=kenshooprd,DC=local
>>>> dSCorePropagationData: 20170723142935.0Z
>>>> dSCorePropagationData: 20170723142620.0Z
>>>> dSCorePropagationData: 16010101000417.0Z
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>>
>>>> *[ Eyal Hashai ]*
>>>> Database Administrator - Big Data Team // *Kenshoo*
>>>> *Office* +972 (3) 746-6500 x552 // *Mobile* +972 (50) 404-0473*
>>>> <[email protected]>*
>>>> *[email protected] <[email protected]>*
>>>> <[email protected]>* <[email protected]>*
>>>> _______________________________________
>>>> *www.Kenshoo.com* <http://kenshoo.com/>
>>>>
>>>> * <[email protected]>*
>>>> <http://kenshoo.com/>
>>>>
>>>> This e-mail, as well as any attached document, may contain material
>>>> which is confidential and privileged and may include trademark, copyright
>>>> and other intellectual property rights that are proprietary to Kenshoo Ltd,
>>>> its subsidiaries or affiliates ("Kenshoo"). This e-mail and its
>>>> attachments may be read, copied and used only by the addressee for the
>>>> purpose(s) for which it was disclosed herein. If you have received it in
>>>> error, please destroy the message and any attachment, and contact us
>>>> immediately. If you are not the intended recipient, be aware that any
>>>> review, reliance, disclosure, copying, distribution or use of the contents
>>>> of this message without Kenshoo's express permission is strictly
>>>> prohibited.
>>>
>>>
>>>
>>> --
>>> Take Care
>>> Fawze Abujaber
>>>
>>
>>
>> --
>>
>>
>> *[ Eyal Hashai ]*
>> Database Administrator - Big Data Team // *Kenshoo*
>> *Office* +972 (3) 746-6500 x552 // *Mobile* +972 (50) 404-0473*
>> <[email protected]>*
>> *[email protected] <[email protected]>*
>> <[email protected]>* <[email protected]>*
>> _______________________________________
>> *www.Kenshoo.com* <http://kenshoo.com/>
>>
>> * <[email protected]>*
>> <http://kenshoo.com/>
>>
>> This e-mail, as well as any attached document, may contain material which
>> is confidential and privileged and may include trademark, copyright and
>> other intellectual property rights that are proprietary to Kenshoo Ltd,
>> its subsidiaries or affiliates ("Kenshoo"). This e-mail and its
>> attachments may be read, copied and used only by the addressee for the
>> purpose(s) for which it was disclosed herein. If you have received it in
>> error, please destroy the message and any attachment, and contact us
>> immediately. If you are not the intended recipient, be aware that any
>> review, reliance, disclosure, copying, distribution or use of the contents
>> of this message without Kenshoo's express permission is strictly prohibited.
>
>
>
> --
> Take Care
> Fawze Abujaber
>
--
*[ Eyal Hashai ]*
Database Administrator - Big Data Team // *Kenshoo*
*Office* +972 (3) 746-6500 x552 // *Mobile* +972 (50) 404-0473*
<[email protected]>*
*[email protected] <[email protected]>*
<[email protected]>* <[email protected]>*
_______________________________________
*www.Kenshoo.com* <http://kenshoo.com/>
* <[email protected]>*
<http://kenshoo.com/>
--
This e-mail, as well as any attached document, may contain material which
is confidential and privileged and may include trademark, copyright and
other intellectual property rights that are proprietary to Kenshoo Ltd,
its subsidiaries or affiliates ("Kenshoo"). This e-mail and its attachments
may be read, copied and used only by the addressee for the purpose(s) for
which it was disclosed herein. If you have received it in error, please
destroy the message and any attachment, and contact us immediately. If you
are not the intended recipient, be aware that any review, reliance,
disclosure, copying, distribution or use of the contents of this message
without Kenshoo's express permission is strictly prohibited.