I'd like to get an invite to the Slack channel for apache zeppelin.  I'm 
working on a tough shiro config to get PIV / SAML login working into Zeppelin 0.10 
on AWS EMR.  Everything looks okay with the saml request and response through 
Apache Knox.  But when the jwt gets back to zeppelin (after the redirect to 
knox and idp), it's saying the realm can't accept the jwt.

From zeppelin:
DEBUG [2023-05-31 00:12:18,700] ({qtp1521083627-118} 
AuthenticatingRealm.java[getAuthenticationInfo]:583) - No AuthenticationInfo 
found for submitted AuthenticationToken 
[org.apache.zeppelin.realm.jwt.JWTAuthenticationToken@3924c982].  Returning 
null.
org.apache.shiro.authc.UnknownAccountException: Realm 
[org.apache.zeppelin.realm.jwt.KnoxJwtRealm@31a2833d] was unable to find 
account data for the submitted AuthenticationToken 
[org.apache.zeppelin.realm.jwt.JWTAuthenticationToken@3924c982].

The shiro.ini:

[main]
### A sample for configuring Knox JWT Realm
knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
## Domain of Knox SSO
knoxJwtRealm.providerUrl = https://knoxsso.domain:8443/
knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
knoxJwtRealm.logoutAPI = true
knoxJwtRealm.redirectParam = originalUrl
knoxJwtRealm.cookieName = hadoop-jwt
knoxJwtRealm.publicKeyPath = /etc/pki/tls/certs/ae-emr-sso.crt
# This is required if KNOX SSO is enabled, to check if "knoxJwtRealm.cookieName" cookie was expired/deleted.
authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
anyofrolesuser = org.apache.zeppelin.utils.AnyOfRolesUserAuthorizationFilter

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
cookie.secure = false
cookie.httpOnly = false
sessionManager.sessionIdCookie = $cookie

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login


[urls]
/api/version = anon
/api/interpreter/setting/restart/** = authc
/api/interpreter/** = authc, anyofrolesuser[admin, nrutland]
/api/configurations/** = anyofrolesuser[admin, nrutland]
/api/credential/** = anyofrolesuser[admin, nrutland]
/** = authc

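The "unable to find account data" line in the log above is what Shiro reports when a realm returns null for the submitted token; for a JWT realm that normally means the cookie-borne token failed validation (signature against the key in publicKeyPath, or expiry) rather than that a user record is missing. The Go program below is an added, self-contained example written for this thread, not Zeppelin's or Knox's code: it stands in for the realm's validation step so you can see which check a token fails. It assumes an RS256 token in the usual header.payload.signature form and a PEM certificate whose RSA key signed it; the key, certificate and tokens it uses are all constructed in the program, and the function and variable names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// claims holds the two JWT claims this check cares about: subject and expiry.
type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// loadCertPublicKey parses a PEM certificate (what knoxJwtRealm.publicKeyPath
// points at) and returns its RSA public key.
func loadCertPublicKey(certPEM []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA key")
	}
	return pub, nil
}

// validateToken performs the checks a realm must pass before trusting a JWT:
// header alg is RS256, signature verifies against the certificate key, exp is in
// the future. It returns the subject on success or the reason for rejection.
func validateToken(token string, pub *rsa.PublicKey, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token is not header.payload.signature")
	}
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	var h struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" {
		return "", errors.New("header alg is not RS256") // rejects alg=none and HMAC tokens
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature does not verify against the configured certificate")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return "", errors.New("bad payload")
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return "", errors.New("token expired or has no exp")
	}
	return c.Sub, nil
}

// mintToken builds a constructed RS256 JWT for the demo (in real life the IdP/Knox does this).
func mintToken(priv *rsa.PrivateKey, sub string, exp time.Time) string {
	enc := base64.RawURLEncoding.EncodeToString
	payload, _ := json.Marshal(claims{Sub: sub, Exp: exp.Unix()})
	signingInput := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + enc(sig)
}

// selfSignedCertPEM makes a throwaway certificate for key, standing in for the
// file at knoxJwtRealm.publicKeyPath.
func selfSignedCertPEM(priv *rsa.PrivateKey) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-sso"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// demo runs three constructed cases: a good token, one signed by a different key
// (the usual cause of a realm rejecting an SSO cookie), and an expired one.
func demo() map[string]string {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	pub, err := loadCertPublicKey(selfSignedCertPEM(key))
	if err != nil {
		panic(err)
	}
	now := time.Now()
	out := map[string]string{}
	report := func(name, tok string) {
		if sub, err := validateToken(tok, pub, now); err != nil {
			out[name] = "rejected: " + err.Error()
		} else {
			out[name] = "accepted: " + sub
		}
	}
	report("valid", mintToken(key, "demo-user", now.Add(time.Hour)))
	report("wrong-key", mintToken(otherKey, "demo-user", now.Add(time.Hour)))
	report("expired", mintToken(key, "demo-user", now.Add(-time.Minute)))
	return out
}

func main() {
	for name, result := range demo() {
		fmt.Println(name, result)
	}
}
```

To use this against a real deployment, replace selfSignedCertPEM with the bytes of the file named in publicKeyPath and mintToken with the value of the hadoop-jwt cookie copied from the browser after the Knox redirect; a "signature does not verify" result means the certificate on the Zeppelin host is not the one Knox SSO signs with, and a "token expired" result points at clock skew or the Knox token lifetime rather than the Shiro config.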