Active Directory does not map roles correctly


bembi prima
Hi,

I managed to enable Active Directory by updating shiro.ini.
But there is an issue coming from this. I cannot access the interpreter; no one can even access the interpreter.

This is my shiro.ini

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
#bembi = password, admin
#prima = password, user

# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
### A sample for configuring Active Directory Realm
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = username
activeDirectoryRealm.systemPassword = password
activeDirectoryRealm.searchBase = "OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io"
activeDirectoryRealm.url = ldap://1.2.3.4:389
activeDirectoryRealm.groupRolesMap = "CN=Zeppelin-Admin,OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io":"admin","CN=Zeppelin-User,OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io":"user"
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.principalSuffix= @dattabot.io
securityManager.realms = $activeDirectoryRealm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hours
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
admin = admin
user = user

[urls]
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc

When I investigated the log file, it seemed that the roles were not mapped correctly. This is the log when I use a static user:
 INFO [2017-07-12 09:48:23,137] ({qtp1211076369-78} NotebookServer.java[onOpen]:156) - New connection from 1.2.3.4 : 30380
 WARN [2017-07-12 09:48:30,167] ({qtp1211076369-90} LoginRestApi.java[postLogin]:115) - {"status":"OK","message":"","body":{"principal":"bembi","ticket":"9596dd7a-1f60-4c4f-a66a-040b4135f54f","roles":"[admin]"}}

And this is log when Active Directory is enabled:
 INFO [2017-07-12 09:49:52,063] ({qtp1211076369-18} NotebookServer.java[onOpen]:156) - New connection from 1.2.3.4 : 30389
 WARN [2017-07-12 09:50:02,717] ({qtp1211076369-14} LoginRestApi.java[postLogin]:115) - {"status":"OK","message":"","body":{"principal":"bembi.prima","ticket":"0ec9a345-53a9-4220-bf5f-a68092cea673","roles":"[]"}}

What is wrong with my configuration?

Thanks,
Bembi


Re: Active Directory does not map roles correctly

cs user
Hi There, 

I too had some difficulty trying to get this to work. I compared your config to ours; it all appears to be fine. The only thing I can see that we have different, which might affect it, is this section:

activeDirectoryRealm.searchBase = "OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io"

Instead we have something similar to:

activeDirectoryRealm.searchBase = DC=dattabot,DC=io

(I doubt the double quotes make any difference at all, but that is how we have it.)

Can you give that a try to see if it works?

On Wed, Jul 12, 2017 at 10:54 AM, bembi prima <[hidden email]> wrote:
Hi,

I managed to enable Active Directory by updating shiro.ini.
But there is an issue coming from this. I cannot access the interpreter; no
one can even access the interpreter.

This is my shiro.ini

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at
http://shiro.apache.org/configuration.html#Configuration-INISections
#bembi = password, admin
#prima = password, user

# Sample LDAP configuration, for user Authentication, currently tested for
single Realm
[main]
### A sample for configuring Active Directory Realm
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = username
activeDirectoryRealm.systemPassword = password
activeDirectoryRealm.searchBase =
"OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io"
activeDirectoryRealm.url = ldap://1.2.3.4:389
activeDirectoryRealm.groupRolesMap =
"CN=Zeppelin-Admin,OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io":"admin","CN=Zeppelin-User,OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io":"user"
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.principalSuffix= @dattabot.io
securityManager.realms = $activeDirectoryRealm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hours
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
admin = admin
user = user

[urls]
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by
urls. Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc

When I investigated the log file, it seemed that the roles were not mapped
correctly. This is the log when I use a static user:
 INFO [2017-07-12 09:48:23,137] ({qtp1211076369-78}
NotebookServer.java[onOpen]:156) - New connection from 1.2.3.4 : 30380
 WARN [2017-07-12 09:48:30,167] ({qtp1211076369-90}
LoginRestApi.java[postLogin]:115) -
{"status":"OK","message":"","body":{"principal":"bembi","ticket":"9596dd7a-1f60-4c4f-a66a-040b4135f54f",*"roles":"[admin]"*}}

And this is log when Active Directory is enabled:
 INFO [2017-07-12 09:49:52,063] ({qtp1211076369-18}
NotebookServer.java[onOpen]:156) - New connection from 1.2.3.4 : 30389
 WARN [2017-07-12 09:50:02,717] ({qtp1211076369-14}
LoginRestApi.java[postLogin]:115) -
{"status":"OK","message":"","body":{"principal":"bembi.prima","ticket":"0ec9a345-53a9-4220-bf5f-a68092cea673",*"roles":"[]"*}}

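The two things this thread is debugging are the groupRolesMap lookup in the first post and the searchBase hypothesis in the reply above. The following Python script is an added illustration of both and is not part of the original thread, nor Zeppelin's or Shiro's own code. It copies the posted groupRolesMap, searchBase and [urls] rules, feeds them constructed directory data (the user DNs and memberOf values are invented), and reports why a login would come out with "roles":"[]" and therefore be refused at /api/interpreter/**. The assumption that the realm compares memberOf DNs with groupRolesMap keys as exact strings is mine, not something the thread establishes; the script shows both the strict and a normalised comparison so a case or whitespace mismatch becomes visible.

```python
"""Offline diagnosis of the "roles":"[]" symptom discussed in the thread.

Added example, not Zeppelin's or Shiro's own code. It re-implements the two
decisions that gate interpreter access in the posted shiro.ini:
  1. groupRolesMap: the user's AD memberOf DNs are mapped to Shiro roles;
  2. [urls]: the first matching Ant-style pattern decides, and roles[...]
     requires every listed role.
Assumption (mine, not verified against Zeppelin's source): the realm compares
memberOf DNs with groupRolesMap keys as exact strings, so a case or whitespace
difference silently yields no role. All directory data below is constructed;
nothing here talks to LDAP.
"""
import re

# Values copied from the posted shiro.ini.
GROUP_ROLES_MAP = (
    '"CN=Zeppelin-Admin,OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io":"admin",'
    '"CN=Zeppelin-User,OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io":"user"'
)
SEARCH_BASE = "OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io"
URL_RULES = [  # order matters: Shiro applies the first chain whose pattern matches
    ("/api/version", ["anon"]),
    ("/api/interpreter/**", ["authc", "roles[admin]"]),
    ("/api/configurations/**", ["authc", "roles[admin]"]),
    ("/api/credential/**", ["authc", "roles[admin]"]),
    ("/**", ["authc"]),
]


def parse_group_roles_map(value):
    """Extract "DN":"role" pairs. DNs contain commas, so match quoted pairs instead of splitting on ','."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'"([^"]*)"\s*:\s*"([^"]*)"', value)}


def normalize_dn(dn):
    """Lower-case and trim every RDN so 'cn=X, ou=Y' and 'CN=X,OU=Y' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn, base):
    """True when dn is at or below base in the tree (what a subtree search can find)."""
    n, b = normalize_dn(dn), normalize_dn(base)
    return n == b or n.endswith("," + b)


def resolve_roles(member_of, group_roles, strict=True):
    """Map memberOf DNs to roles. strict=True is the assumed exact-string behaviour;
    strict=False shows what a normalised comparison would have produced."""
    roles = set()
    for group_dn in member_of:
        for key, role in group_roles.items():
            same = group_dn == key if strict else normalize_dn(group_dn) == normalize_dn(key)
            if same:
                roles.add(role)
    return sorted(roles)


def diagnose(user_dn, member_of, group_roles, search_base):
    """Return (roles, findings): the roles the realm would assign and why the set is empty."""
    if not dn_under(user_dn, search_base):
        return [], ["user entry lies outside searchBase, so the realm's search never "
                    "finds it and memberOf is never read"]
    roles = resolve_roles(member_of, group_roles, strict=True)
    if roles:
        return roles, []
    tolerant = resolve_roles(member_of, group_roles, strict=False)
    if tolerant:
        return [], [f"group DNs differ from groupRolesMap keys only in case or whitespace; "
                    f"a normalised comparison would give {tolerant}"]
    return [], ["none of the user's groups appears in groupRolesMap"]


def ant_match(pattern, path):
    """Minimal Ant-style matcher: '/**' spans zero or more segments, '*' one segment."""
    regex = "".join("(/.*)?" if tok == "/**" else ".*" if tok == "**" else
                    "[^/]*" if tok == "*" else re.escape(tok)
                    for tok in re.split(r"(/\*\*|\*\*|\*)", pattern))
    return re.fullmatch(regex, path) is not None


def access_allowed(path, roles, authenticated=True):
    """Evaluate the [urls] chains for one request; the first matching pattern decides."""
    for pattern, filters in URL_RULES:
        if not ant_match(pattern, path):
            continue
        for flt in filters:
            if flt == "anon":
                return True
            if flt == "authc" and not authenticated:
                return False
            m = re.fullmatch(r"roles\[(.*)\]", flt)
            if m and not {r.strip() for r in m.group(1).split(",")} <= set(roles):
                return False
        return True
    return True  # no chain configured for the path: Shiro applies no filter


if __name__ == "__main__":
    group_roles = parse_group_roles_map(GROUP_ROLES_MAP)
    # Constructed scenarios: (label, user DN, memberOf values as AD would return them)
    scenarios = [
        ("exact match", "CN=bembi.prima,OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io",
         ["CN=Zeppelin-Admin,OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io"]),
        ("case differs", "CN=bembi.prima,OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io",
         ["cn=Zeppelin-Admin,ou=Zeppelin_Account,ou=Office,dc=dattabot,dc=io"]),
        ("user outside searchBase", "CN=bembi.prima,OU=Staff,DC=dattabot,DC=io",
         ["CN=Zeppelin-Admin,OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io"]),
    ]
    for label, user_dn, member_of in scenarios:
        roles, findings = diagnose(user_dn, member_of, group_roles, SEARCH_BASE)
        print(f"{label}: roles={roles} interpreter_access="
              f"{access_allowed('/api/interpreter/setting', roles)} {findings}")
```

Run it as a script to see the three constructed scenarios; only the first yields admin and interpreter access, which is the outcome the static [users] login in the thread produced. To apply it to a real directory, replace the scenario tuples with the user's DN and the memberOf values read from the account (for instance with ldapsearch against the same searchBase the realm uses), and compare the strict and normalised findings.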

Re: Active Directory does not map roles correctly

bembi prima
Sorry for the late reply.

I have already tinkered with many things in the Shiro configuration (omitting or adding quotes, removing OUs, changing the searchBase), but none has successfully resolved my issue.

I have already searched the web; one person seems to be having the same issue, but there is no solution there.
https://stackoverflow.com/questions/40644145/apache-zeppelin-ad-ldap-realm

Right now my temporary solution is having two simultaneous realms, IniRealm and ActiveDirectoryGroupRealm. ActiveDirectoryGroupRealm handles official credentials, and IniRealm handles a small static admin credential.

Is there anyone who has the same issue as me?