mmukhe
mmukhe

Reputation: 668

zeppelin | AD Groups | Roles

I am trying to get users logging into Zeppelin be allocated to roles/groups using AD Groups.

The user attempting to login is - srv-airflowadmin, who is a member of the 'Test-Application-Hadoop-Admin' AD group.

The logs show a successful authentication, but the role (in this case 'admin') isn't being allocated -

 WARN [2018-08-01 04:29:46,820] ({qtp1286783232-42} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"srv-airflowadmin","ticket":"d1858a16-97b6-49c5-b9c4-ecd8f25fd327","roles":"[]"}}

The debug logs show up as follows -

DEBUG [2018-08-01 04:29:46,816] ({qtp1286783232-42} AuthenticatingRealm.java[getAuthenticationInfo]:569) - Looked up AuthenticationInfo [srv-airflowadmin] from doGetAuthenticationInfo
DEBUG [2018-08-01 04:29:46,817] ({qtp1286783232-42} AuthenticatingRealm.java[cacheAuthenticationInfoIfPossible]:507) - AuthenticationInfo caching is disabled for info [srv-airflowadmin].  Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - srv-airflowadmin, rememberMe=false].
DEBUG [2018-08-01 04:29:46,817] ({qtp1286783232-42} SimpleCredentialsMatcher.java[equals]:95) - Performing credentials equality check for tokenCredentials of type [[C and accountCredentials of type [[C]
DEBUG [2018-08-01 04:29:46,817] ({qtp1286783232-42} SimpleCredentialsMatcher.java[equals]:101) - Both credentials arguments can be easily converted to byte arrays.  Performing array equals comparison
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} AbstractAuthenticator.java[authenticate]:231) - Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - srv-airflowadmin, rememberMe=false].  Returned account [srv-airflowadmin]
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} DefaultSubjectContext.java[resolveSecurityManager]:102) - No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} DefaultSecurityManager.java[resolveSession]:436) - Context already contains a session.  Returning.
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} DefaultSubjectContext.java[resolveSecurityManager]:102) - No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
DEBUG [2018-08-01 04:29:46,819] ({qtp1286783232-42} SimpleCookie.java[addCookieHeader]:226) - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 31-Jul-2018 04:29:46 GMT]
DEBUG [2018-08-01 04:29:46,819] ({qtp1286783232-42} AbstractRememberMeManager.java[onSuccessfulLogin]:300) - AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
 WARN [2018-08-01 04:29:46,820] ({qtp1286783232-42} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"srv-airflowadmin","ticket":"d1858a16-97b6-49c5-b9c4-ecd8f25fd327","roles":"[]"}}
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << LIST_CONFIGURATIONS
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:46,844] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << LIST_NOTES
DEBUG [2018-08-01 04:29:46,844] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,845] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,845] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << GET_HOME_NOTE
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:50,055] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << PING
DEBUG [2018-08-01 04:29:50,056] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:50,056] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:50,056] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []

The configuration I am using is -

[main]
# authentication settings
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.searchBase = DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz
activeDirectoryRealm.url = ldap://a.b.c.d:389
activeDirectoryRealm.systemUsername = CN=srv-abc,OU=Service Accounts,OU=Security Principles,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz
activeDirectoryRealm.systemPassword = myAmazingPassword
activeDirectoryRealm.principalSuffix = @test.abc.com
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.groupRolesMap = "CN=Test-Application-Hadoop-Admin,OU=Application,OU=Groups,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz":"admin","CN=Test-Application-Hadoop-Users,OU=Application,OU=Groups,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz":"developer"

# general settings
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
# securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
securityManager.realms = $activeDirectoryRealm
shiro.loginUrl = /api/login

[roles]
admin = *
developer = *

[urls]
# authentication method and access control filters
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
# /** = anon
/** = authc

What am I missing? Can someone please help me with this?

Cheers!

Upvotes: 0

Views: 731

Answers (2)

mmukhe
mmukhe

Reputation: 668

There were 2 things which I needed to do to make this work

  • Upgrade Zeppelin to 0.8.0
  • Max's answer above to just use a name for 'systemUsername'

Upvotes: 0

Max Belousov
Max Belousov

Reputation: 353

"systemUsername" is just a name. Remove other attributes.

Upvotes: 1

Related Questions