Hello Rutland, I invited you to slack.
BTW, I'm not using Knox now so I couldn't help you, but how about making a Jira issue to report it if it's a bug?

Regards,
Jongyoul

On Thu, Jun 1, 2023 at 1:17 AM, Rutland, Nathan (CTR) <nathan.rutl...@mail.associates.cisa.dhs.gov> wrote:

> I'd like to get an invite to the Slack channel for apache zeppelin. I'm
> working a tough shiro config to get PIV / SAML login working into Zeppelin
> 0.10 on AWS EMR. Everything looks okay with the saml request and response
> through Apache Knox. But when the jwt gets back to zeppelin (after the
> redirect to knox and idp), it's saying the realm can't accept the jwt.
>
> From zeppelin:
>
> DEBUG [2023-05-31 00:12:18,700] ({qtp1521083627-118} AuthenticatingRealm.java[getAuthenticationInfo]:583) - No AuthenticationInfo found for submitted AuthenticationToken [org.apache.zeppelin.realm.jwt.JWTAuthenticationToken@3924c982]. Returning null.
> org.apache.shiro.authc.UnknownAccountException: Realm [org.apache.zeppelin.realm.jwt.KnoxJwtRealm@31a2833d] was unable to find account data for the submitted AuthenticationToken [org.apache.zeppelin.realm.jwt.JWTAuthenticationToken@3924c982].
>
> The shiro.ini:
>
> [main]
> ### A sample for configuring Knox JWT Realm
> knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
> ## Domain of Knox SSO
> knoxJwtRealm.providerUrl = https://knoxsso.domain:8443/
> knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
> knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
> knoxJwtRealm.logoutAPI = true
> knoxJwtRealm.redirectParam = originalUrl
> knoxJwtRealm.cookieName = hadoop-jwt
> knoxJwtRealm.publicKeyPath = /etc/pki/tls/certs/ae-emr-sso.crt
> # This is required if KNOX SSO is enabled, to check if "knoxJwtRealm.cookieName" cookie was expired/deleted.
> authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
> anyofrolesuser = org.apache.zeppelin.utils.AnyOfRolesUserAuthorizationFilter
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>
> cookie = org.apache.shiro.web.servlet.SimpleCookie
> cookie.name = JSESSIONID
> cookie.secure = false
> cookie.httpOnly = false
> sessionManager.sessionIdCookie = $cookie
>
> securityManager.sessionManager = $sessionManager
> # 86,400,000 milliseconds = 24 hour
> securityManager.sessionManager.globalSessionTimeout = 86400000
> shiro.loginUrl = /api/login
>
>
> [urls]
> /api/version = anon
> /api/interpreter/setting/restart/** = authc
> /api/interpreter/** = authc, anyofrolesuser[admin, nrutland]
> /api/configurations/** = anyofrolesuser[admin, nrutland]
> /api/credential/** = anyofrolesuser[admin, nrutland]
> /** = authc
>
>

-- 
이종열, Jongyoul Lee, 李宗烈
http://madeng.net
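
A triage helper for the failure described in this thread, added here as an example (not code from the thread, Zeppelin or Knox): it decodes a `hadoop-jwt` cookie value without verifying it and lists common reasons a JWT-validating realm could reject it. The function names, the RS256 expectation, the treatment of a missing `exp` as non-expiring and the sample token builder are assumptions; the signature is not checked against the certificate at `publicKeyPath`.

```python
import base64
import json
import time


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    value = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(value, dict):
        raise ValueError("segment is not a JSON object")
    return value


def make_sample(claims, alg="RS256"):
    """Build a constructed token with a dummy signature, for offline testing only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg}), enc(claims), "ZHVtbXk"])


def triage_jwt(token, now=None, expected_alg="RS256"):
    """Return findings for an UNVERIFIED token; an empty list means nothing obvious."""
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3 or not all(parts[:2]):
        return ["not a three-part compact JWS"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    findings = []
    if header.get("alg") != expected_alg:  # assumption: issuer signs with RS256
        findings.append(f"alg is {header.get('alg')!r}, expected {expected_alg!r}")
    if not parts[2]:
        findings.append("signature segment is empty")
    if not claims.get("sub"):
        findings.append("no 'sub' claim to map to a user name")
    exp = claims.get("exp")
    if exp is not None and not isinstance(exp, (int, float)):
        findings.append("'exp' is not a numeric date")
    elif exp is not None and now >= exp:
        findings.append(f"token expired {int(now - exp)}s ago (check clock skew)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a token that expired one hour before "now".
    sample = make_sample({"sub": "nrutland", "exp": int(time.time()) - 3600})
    print(triage_jwt(sample) or "no obvious problem; verify the signature next")
```

An empty result only rules out the structural and expiry causes; a mismatch between the signing key and the configured certificate still has to be checked separately.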