Hello Rutland,

I invited you to slack.

BTW, I'm not using Knox now so I couldn't help you, but how about
making a Jira issue to report it if it's a bug?

Regards,
Jongyoul

On Thu, Jun 1, 2023 at 1:17 AM, Rutland, Nathan (CTR) <
nathan.rutl...@mail.associates.cisa.dhs.gov> wrote:

> I'd like to get an invite to the Slack channel for apache zeppelin.  I'm
> working a tough shiro config to get PIV / SAML login working into Zeppelin
> 0.10 on AWS EMR.  Everything looks okay with the saml request and response
> through Apache Knox.  But when the jwt gets back to zeppelin (after the
> redirect to knox and idp), it's saying the realm can't accept the jwt.
>
> From zeppelin:
> DEBUG [2023-05-31 00:12:18,700] ({qtp1521083627-118}
> AuthenticatingRealm.java[getAuthenticationInfo]:583) - No
> AuthenticationInfo found for submitted AuthenticationToken
> [org.apache.zeppelin.realm.jwt.JWTAuthenticationToken@3924c982].
> Returning null.
> org.apache.shiro.authc.UnknownAccountException: Realm
> [org.apache.zeppelin.realm.jwt.KnoxJwtRealm@31a2833d] was unable to find
> account data for the submitted AuthenticationToken
> [org.apache.zeppelin.realm.jwt.JWTAuthenticationToken@3924c982].
>
> The shiro.ini:
>
> [main]
> ### A sample for configuring Knox JWT Realm
> knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
> ## Domain of Knox SSO
> knoxJwtRealm.providerUrl = https://knoxsso.domain:8443/
> knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
> knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
> knoxJwtRealm.logoutAPI = true
> knoxJwtRealm.redirectParam = originalUrl
> knoxJwtRealm.cookieName = hadoop-jwt
> knoxJwtRealm.publicKeyPath = /etc/pki/tls/certs/ae-emr-sso.crt
> # This is required if KNOX SSO is enabled, to check if "knoxJwtRealm.cookieName" cookie was expired/deleted.
> authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
> anyofrolesuser = org.apache.zeppelin.utils.AnyOfRolesUserAuthorizationFilter
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>
> cookie = org.apache.shiro.web.servlet.SimpleCookie
> cookie.name = JSESSIONID
> cookie.secure = false
> cookie.httpOnly = false
> sessionManager.sessionIdCookie = $cookie
>
> securityManager.sessionManager = $sessionManager
> # 86,400,000 milliseconds = 24 hour
> securityManager.sessionManager.globalSessionTimeout = 86400000
> shiro.loginUrl = /api/login
>
>
> [urls]
> /api/version = anon
> /api/interpreter/setting/restart/** = authc
> /api/interpreter/** = authc, anyofrolesuser[admin, nrutland]
> /api/configurations/** = anyofrolesuser[admin, nrutland]
> /api/credential/** = anyofrolesuser[admin, nrutland]
> /** = authc
>
>

-- 
이종열, Jongyoul Lee, 李宗烈
http://madeng.net
