Shiro AD auth - unable to use jceks

Shiro AD auth - unable to use jceks

cs user
Hello, 

Can someone explain how the shiro.ini config should look when trying to encrypt the AD password?

We have the following config:

activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldaps://some.address.com:636
activeDirectoryRealm.searchBase = DC=top,DC=domain,DC=sub,DC=com
activeDirectoryRealm.groupRolesMap = "CN=GROUP,OU=some,OU=location,OU=folder,DC=top,DC=domain,DC=sub,DC=com":"someuser"
activeDirectoryRealm.systemUsername = some.account
# Password commented out
#activeDirectoryRealm.systemPassword = passwordnotused
activeDirectoryRealm.hadoopSecurityCredentialPath = "jceks://file/tmp/zeppelin/conf/zeppelin.jceks"
activeDirectoryRealm.principalSuffix=@some.sub.com
activeDirectoryRealm.authorizationCachingEnabled = false

However it doesn't appear to be using the credential which is stored in the jceks file. 

The file was created using the following command:

hadoop credential create activeDirectoryRealm.systemPassword -provider jceks://file/tmp/zeppelin/conf/zeppelin.jceks 

The file is owned by zeppelin. 

I've tried creating the credential with both "systemPassword" and "systempassword" as the name.

Everything works fine if I just use the plain text password. I'm using Zeppelin version 0.7.0. 

What am I missing here? Does anyone have an example config which is working for them? I've checked the logs and there are no errors relating to loading the above jceks file.

Thanks!
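
An added example, not part of the original thread and not Zeppelin code: a check over the setup described above that reads the realm's keys from shiro.ini, flags an uncommented systemPassword, and inspects the permissions of the local file that a jceks://file/... path names. A Hadoop keystore created without HADOOP_CREDSTORE_PASSWORD or a password file is protected only by the default password, so file and directory permissions are what actually guard it. The function names are hypothetical and the demo keystore is an empty constructed stand-in.

```python
import os
import stat
import tempfile
from urllib.parse import urlparse

REALM = "activeDirectoryRealm"  # realm name used in the post's shiro.ini

def parse_realm(ini_text, realm=REALM):
    """Collect uncommented `<realm>.<key> = value` lines into a dict."""
    props = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(realm + "."):
            props[key[len(realm) + 1:]] = value
    return props

def keystore_path(uri):
    """Map jceks://file/<path> to the local file it names, else None."""
    parsed = urlparse(uri.strip("\"'"))  # quotes stripped only to locate the file
    if parsed.scheme != "jceks" or parsed.netloc != "file":
        return None
    return parsed.path

def audit(ini_text):
    """Return findings about how the realm's bind password is stored."""
    props, findings = parse_realm(ini_text), []
    if "systemPassword" in props:
        findings.append("plaintext systemPassword is set in shiro.ini")
    uri = props.get("hadoopSecurityCredentialPath")
    path = keystore_path(uri) if uri else None
    if path is None:
        return findings + ["no jceks://file/... credential path configured"]
    if not os.path.isfile(path):
        return findings + [f"keystore {path} does not exist"]
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append(f"keystore {path} is accessible to group/other")
    if os.stat(os.path.dirname(path)).st_mode & stat.S_IWOTH:
        findings.append(f"directory {os.path.dirname(path)} is world-writable")
    return findings

if __name__ == "__main__":
    # Constructed sample: an empty stand-in keystore in a scratch directory.
    ks = os.path.join(tempfile.mkdtemp(), "zeppelin.jceks")
    open(ks, "wb").close()
    os.chmod(ks, 0o644)
    print(audit(f'{REALM}.hadoopSecurityCredentialPath = "jceks://file{ks}"'))
```

Whether the expected alias is actually present in the store can be confirmed separately with `hadoop credential list -provider <the same jceks URI>`.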
Re: Shiro AD auth - unable to use jceks

cs user
Bump....

Has anyone managed to get this working? 

On Thu, Jul 20, 2017 at 11:37 AM, cs user <[hidden email]> wrote:
Hello, 

Can someone explain how the shiro.ini config should look when trying to encrypt the AD password?

We have the following config:

activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldaps://some.address.com:636
activeDirectoryRealm.searchBase = DC=top,DC=domain,DC=sub,DC=com
activeDirectoryRealm.groupRolesMap = "CN=GROUP,OU=some,OU=location,OU=folder,DC=top,DC=domain,DC=sub,DC=com":"someuser"
activeDirectoryRealm.systemUsername = some.account
# Password commented out
#activeDirectoryRealm.systemPassword = passwordnotused
activeDirectoryRealm.hadoopSecurityCredentialPath = "jceks://file/tmp/zeppelin/conf/zeppelin.jceks"
activeDirectoryRealm.principalSuffix=@some.sub.com
activeDirectoryRealm.authorizationCachingEnabled = false

However it doesn't appear to be using the credential which is stored in the jceks file. 

The file was created using the following command:

hadoop credential create activeDirectoryRealm.systemPassword -provider jceks://file/tmp/zeppelin/conf/zeppelin.jceks 

The file is owned by zeppelin. 

I've tried creating the credential with both "systemPassword" and "systempassword" as the name.

Everything works fine if I just use the plain text password. I'm using Zeppelin version 0.7.0. 

What am I missing here? Does anyone have an example config which is working for them? I've checked the logs and there are no errors relating to loading the above jceks file.

Thanks!

Re: Shiro AD auth - unable to use jceks

Richard Xin

We have a Zeppelin instance on AWS EMR; we didn't experience any issues with jceks.



On Monday, July 24, 2017, 11:57:16 PM PDT, cs user <[hidden email]> wrote:


Bump....

Has anyone managed to get this working? 
