You need to use one of them, either the users block or LDAP/AD.

On Wed, 31 Oct 2018 at 9:39 Eyal Hashai <eyal.has...@kenshoo.com> wrote:
>
> When I try to allow both the LDAP auth mechanism and uncomment [users] to add
> a specific user I get this exception and zeppelin won't start:
>
> TRACE [2018-10-31 07:34:10,137] ({main} ThreadContext.java[get]:126) - get() - in thread [main]
> WARN [2018-10-31 07:34:10,138] ({main} ContextHandler.java[log]:2062) - unavailable
> MultiException stack 1 of 1
> java.lang.Exception: IniRealm/password based auth mechanisms should be exclusive. Consider removing [users] block from shiro.ini
>         at org.apache.zeppelin.server.ZeppelinServer.<init>(ZeppelinServer.java:112)
>
> On Mon, Oct 29, 2018 at 11:15 PM Fawze Abujaber <fawz...@gmail.com> wrote:
>
>> Hi Eyal,
>>
>> I think with LDAP or AD you can do the mapping between group and role,
>> while the users section allows you to assign a role to a user, and in
>> the urls section you can give that role specific permissions.
>> Are you trying to allow some users to trigger a restart and change the
>> conf while others cannot?
>> Using the users and urls sections can provide you with this functionality.
>>
>> [users]
>> eyal = eyal, admin
>> fawze = fawze, member
>>
>> eyal has a role called admin and fawze is a member
>>
>> [urls]
>> /api/interpreter/** = authc, roles[admin]
>> /api/configurations/** = authc, roles[admin]
>> /api/credential/** = authc, roles[admin]
>>
>> Only users with the admin role can access the mentioned APIs; if you
>> would like to allow users with the member role to access the APIs then
>> you need to add this in the urls.
>>
>> I'm not sure if this is what you are looking for ....
>>
>> Please monitor the queries triggered through zeppelin and check whether
>> they are passing the user name to impala so you can monitor these queries
>> through Cloudera manager ...
>>
>> On Mon, Oct 29, 2018 at 3:11 PM Eyal Hashai <eyal.has...@kenshoo.com> wrote:
>>
>>> Dear Fawze,
>>> Thanks for taking the time to reply!
>>> Unfortunately this solution did not work.. can you explain how it assigns
>>> roles to a group?
>>> I wouldn't mind having a manually inserted user (e.g. admin\admin) but
>>> Zeppelin doesn't seem to start if you have both LDAP and [user] configured.
>>>
>>> Thank you.
>>>
>>> On Mon, Oct 29, 2018 at 12:36 PM Fawze Abujaber <fawz...@gmail.com> wrote:
>>>
>>>> Hi Eyal,
>>>>
>>>> I think this should be your search base:
>>>>
>>>> ldapRealm.groupSearchBase = "OU=OpenstackGroups,DC=kenshooprd,DC=local"
>>>>
>>>> and you should comment out
>>>> ldapRealm.rolesByGroup = bigdata: admin
>>>>
>>>> On Mon, Oct 29, 2018 at 12:21 PM Eyal Hashai <eyal.has...@kenshoo.com> wrote:
>>>>
>>>>> Hello,
>>>>> I've connected my Zeppelin server to LDAP for user authentication.
>>>>> This works fine for auth; the problem is that I can't figure out how
>>>>> roles are attached to a user. I need to set the "bigdata" group as admins.
>>>>> Over the past week I have tried many different configurations and
>>>>> searched online for a solution without success.
>>>>>
>>>>> Does anyone have experience with this?
>>>>> Any information or link would be highly appreciated!
>>>>>
>>>>> Thank you
>>>>>
>>>>> *shiro.ini:*
>>>>>
>>>>> ### A sample for configuring LDAP Directory Realm
>>>>> ldapRealm = org.apache.zeppelin.realm.LdapRealm
>>>>> ldapRealm.contextFactory.url = ldap://1.2.3.4:389
>>>>> ldapRealm.userDnTemplate = {0}@kenshooprd.local
>>>>> ldapRealm.contextFactory.authenticationMechanism = simple
>>>>> ldapRealm.contextFactory.systemUsername = "ldap@kenshooprd.local"
>>>>> ldapRealm.contextFactory.systemPassword = XXXXXXX
>>>>> ldapRealm.authorizationEnabled = true
>>>>> ldapRealm.rolesByGroup = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
>>>>> ldapRealm.rolesByGroup = bigdata: admin
>>>>> ldapRealm.groupSearchBase = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
>>>>> securityManager.realms = $ldapRealm
>>>>> ldapRealm.groupSearchEnableMatchingRuleInChain = true
>>>>>
>>>>> *Logs:*
>>>>>
>>>>> TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login} ThreadContext.java[get]:126) - get() - in thread [qtp1418428263-15 - /api/login]
>>>>> TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login} ThreadContext.java[get]:133) - Retrieved value of type [org.apache.shiro.web.subject.support.WebDelegatingSubject] for key [org.apache.shiro.util.ThreadContext_SUBJECT_KEY] bound to thread [qtp1418428263-15 - /api/login]
>>>>> TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login} DelegatingSubject.java[getSession]:317) - attempting to get session; create = false; session is null = false; session has id = true
>>>>> TRACE [2018-10-29 09:45:40,172] ({qtp1418428263-15 - /api/login} AbstractValidatingSessionManager.java[doGetSession]:116) - Attempting to retrieve session with key org.apache.shiro.web.session.mgt.WebSessionKey@2573f425
>>>>> WARN [2018-10-29 09:45:40,175] ({qtp1418428263-15 - /api/login} LoginRestApi.java[postLogin]:206) - {"status":"OK","message":"","body":{"principal":"eyalh","ticket":"217d1409-f078-4424-bf8b-ccbef561d817","roles":"[]"}}
>>>>> DEBUG [2018-10-29 09:45:40,177] ({qtp1418428263-15 - /api/login} HttpConnection.java[process]:657) - org.eclipse.jetty.server.HttpConnection$SendCallback@1e3b792a[PROCESSING][i=ResponseInfo{HTTP/1.1 200 OK,118,false},cb=org.eclipse.jetty.server.HttpChannel$CommitCallback@1eabc124] generate: NEED_HEADER (null,[p=0,l=118,c=8192,r=118],true)@START
>>>>> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} Parser.java[parse]:257) - SERVER Parsed Frame: TEXT[len=109,fin=true,rsv=...,masked=true]
>>>>> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} Parser.java[notifyFrame]:186) - SERVER Notify ExtensionStack[queueSize=0,extensions=[],incoming=org.eclipse.jetty.websocket.common.WebSocketSession,outgoing=org.eclipse.jetty.websocket.server.WebSocketServerConnection]
>>>>> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} AbstractEventDriver.java[incomingFrame]:103) - incomingFrame(TEXT[len=109,fin=true,rsv=...,masked=true])
>>>>> DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} NotebookServer.java[onMessage]:160) - RECEIVE << LIST_CONFIGURATIONS, RECEIVE PRINCIPAL << eyalh, RECEIVE TICKET << 217d1409-f078-4424-bf8b-ccbef561d817, *RECEIVE ROLES << []*, RECEIVE DATA << null
>>>>> TRACE [2018-10-29 09:45:40,328] ({qtp1418428263-12} NotebookServer.java[onMessage]:167) - RECEIVE MSG = Message{data=null, op=LIST_CONFIGURATIONS}
>>>>> DEBUG [2018-10-29 09:45:40,335] ({qtp1418428263-12} WebSocketRemoteEndpoint.java[sendString]:385) - sendString with HeapByteBuffer@5710df12[p=0,l=6199,c=6199,r=6199]={<<<{\n "op": "CONFIG... "roles": ""\n}>>>}
>>>>> DEBUG [2018-10-29 09:45:40,337] ({qtp1418428263-12} ExtensionStack.java[outgoingFrame]:288) - Queuing TEXT[len=6199,fin=true,rsv=...,masked=false]
>>>>>
>>>>> *LDAP settings for user:*
>>>>>
>>>>> [root@ecstgbhdp02-zeppelin conf]# ldapsearch -x -LLL -h 1.2.3.4 -D ldap@kenshooprd.local -w xxxxx -b "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local"
>>>>> dn: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
>>>>> objectClass: top
>>>>> objectClass: group
>>>>> cn: bigdata
>>>>> member: CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local
>>>>> distinguishedName: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
>>>>> instanceType: 4
>>>>> whenCreated: 20161129171457.0Z
>>>>> whenChanged: 20181004121722.0Z
>>>>> uSNCreated: 93111898
>>>>> uSNChanged: 276782631
>>>>> name: bigdata
>>>>> objectGUID:: bBMye2mox0+hDkddqds1+g==
>>>>> objectSid:: AQUAAAAAAAUVAAAAMtw+IXjVu14XG9q7IEEAAA==
>>>>> sAMAccountName: bigdata
>>>>> sAMAccountType: 268435456
>>>>> groupType: -2147483646
>>>>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=kenshooprd,DC=local
>>>>> dSCorePropagationData: 20170723142935.0Z
>>>>> dSCorePropagationData: 20170723142620.0Z
>>>>> dSCorePropagationData: 16010101000417.0Z
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> *[ Eyal Hashai ]*
>>>>> Database Administrator - Big Data Team // *Kenshoo*
>>>>> *Office* +972 (3) 746-6500 x552 // *Mobile* +972 (50) 404-0473
>>>>> *eyal.has...@kenshoo.com <eyal.has...@kenshoo.com>*
>>>>> _______________________________________
>>>>> *www.Kenshoo.com* <http://kenshoo.com/>
>>>>>
>>>>> This e-mail, as well as any attached document, may contain material which is confidential and privileged and may include trademark, copyright and other intellectual property rights that are proprietary to Kenshoo Ltd, its subsidiaries or affiliates ("Kenshoo"). This e-mail and its attachments may be read, copied and used only by the addressee for the purpose(s) for which it was disclosed herein. If you have received it in error, please destroy the message and any attachment, and contact us immediately. If you are not the intended recipient, be aware that any review, reliance, disclosure, copying, distribution or use of the contents of this message without Kenshoo's express permission is strictly prohibited.
>>>>
>>>> --
>>>> Take Care
>>>> Fawze Abujaber
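A small lint for the three shiro.ini problems that surface in this thread, as an added example (not Zeppelin's or Shiro's code): a [users] block next to a password-based realm, which the startup exception quoted above rejects; the same key assigned twice, where the later assignment overrides the earlier one; and a groupSearchBase set to the group's own DN (or to a group:role mapping) instead of the container to search under, as Fawze points out. The realm-class detection is an approximation of Zeppelin's check and is assumed, not copied from its source.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the [main] block posted in the thread (password redacted as posted)
# plus the [users] entry whose addition stopped Zeppelin from starting.
SAMPLE_INI = """\
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://1.2.3.4:389
ldapRealm.userDnTemplate = {0}@kenshooprd.local
ldapRealm.contextFactory.systemPassword = XXXXXXX
ldapRealm.authorizationEnabled = true
ldapRealm.rolesByGroup = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
ldapRealm.rolesByGroup = bigdata: admin
ldapRealm.groupSearchBase = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
securityManager.realms = $ldapRealm

[users]
admin = admin, admin
"""

Finding = Tuple[str, str]  # (code, human-readable detail)


def parse_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal shiro.ini reader that preserves duplicate keys (configparser rejects them)."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")  # values may themselves contain '='
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def lint_shiro_ini(text: str) -> List[Finding]:
    findings: List[Finding] = []
    sections = parse_ini(text)
    main = sections.get("main", [])
    # 1. Approximation (assumed) of the startup check whose exception appears in the thread:
    #    a non-IniRealm realm class in [main] and a populated [users] block cannot coexist.
    realms = [v for _, v in main if re.fullmatch(r"[\w.]+Realm", v) and not v.endswith("IniRealm")]
    if realms and sections.get("users"):
        findings.append(("users_block_with_realm",
                         f"[users] block present alongside {realms[0]}; keep only one of them"))
    # 2. A key assigned twice: the later assignment overrides the earlier one, so the
    #    DN-based rolesByGroup mapping is silently replaced by the short-name one.
    counts: Dict[str, int] = {}
    for key, _ in main:
        counts[key] = counts.get(key, 0) + 1
    findings += [("duplicate_key", f"{k} assigned {n} times in [main]") for k, n in counts.items() if n > 1]
    # 3. groupSearchBase must be the container to search under (OU or domain DN), not the
    #    group's own DN and not a group:role mapping.
    for key, value in main:
        if key.endswith(".groupSearchBase") and (":" in value or value.strip('"').upper().startswith("CN=")):
            findings.append(("group_search_base_is_group_dn",
                             f"{key} = {value}; use the parent container, e.g. the OU"))
    return findings
```

Running `lint_shiro_ini(SAMPLE_INI)` reports all three findings; removing the [users] block, deleting the second rolesByGroup line and setting groupSearchBase to the OU DN clears them.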