齐柏林飞艇 |广告组 |角色

【问题标题】:zeppelin | AD Groups | Roles齐柏林飞艇 |广告组 |角色
【发布时间】:2019-01-08 13:30:33
【问题描述】:

我正在尝试使用 AD 组将登录到 Zeppelin 的用户分配到角色/组。

尝试登录的用户是 - srv-airflowadmin,他是“Test-Application-Hadoop-Admin”AD 组的成员。

日志显示身份验证成功,但未分配角色(在本例中为“管理员”)-

 WARN [2018-08-01 04:29:46,820] ({qtp1286783232-42} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"srv-airflowadmin","ticket":"d1858a16-97b6-49c5-b9c4-ecd8f25fd327","roles":"[]"}}

调试日志显示如下-

DEBUG [2018-08-01 04:29:46,816] ({qtp1286783232-42} AuthenticatingRealm.java[getAuthenticationInfo]:569) - Looked up AuthenticationInfo [srv-airflowadmin] from doGetAuthenticationInfo
DEBUG [2018-08-01 04:29:46,817] ({qtp1286783232-42} AuthenticatingRealm.java[cacheAuthenticationInfoIfPossible]:507) - AuthenticationInfo caching is disabled for info [srv-airflowadmin].  Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - srv-airflowadmin, rememberMe=false].
DEBUG [2018-08-01 04:29:46,817] ({qtp1286783232-42} SimpleCredentialsMatcher.java[equals]:95) - Performing credentials equality check for tokenCredentials of type [[C and accountCredentials of type [[C]
DEBUG [2018-08-01 04:29:46,817] ({qtp1286783232-42} SimpleCredentialsMatcher.java[equals]:101) - Both credentials arguments can be easily converted to byte arrays.  Performing array equals comparison
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} AbstractAuthenticator.java[authenticate]:231) - Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - srv-airflowadmin, rememberMe=false].  Returned account [srv-airflowadmin]
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} DefaultSubjectContext.java[resolveSecurityManager]:102) - No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} DefaultSecurityManager.java[resolveSession]:436) - Context already contains a session.  Returning.
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} DefaultSubjectContext.java[resolveSecurityManager]:102) - No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
DEBUG [2018-08-01 04:29:46,819] ({qtp1286783232-42} SimpleCookie.java[addCookieHeader]:226) - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 31-Jul-2018 04:29:46 GMT]
DEBUG [2018-08-01 04:29:46,819] ({qtp1286783232-42} AbstractRememberMeManager.java[onSuccessfulLogin]:300) - AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
 WARN [2018-08-01 04:29:46,820] ({qtp1286783232-42} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"srv-airflowadmin","ticket":"d1858a16-97b6-49c5-b9c4-ecd8f25fd327","roles":"[]"}}
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << LIST_CONFIGURATIONS
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:46,844] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << LIST_NOTES
DEBUG [2018-08-01 04:29:46,844] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,845] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,845] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << GET_HOME_NOTE
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:50,055] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << PING
DEBUG [2018-08-01 04:29:50,056] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:50,056] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:50,056] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []

我使用的配置是-

[main]
# authentication settings
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.searchBase = DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz
activeDirectoryRealm.url = ldap://a.b.c.d:389
activeDirectoryRealm.systemUsername = CN=srv-abc,OU=Service Accounts,OU=Security Principles,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz
activeDirectoryRealm.systemPassword = myAmazingPassword
activeDirectoryRealm.principalSuffix = @test.abc.com
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.groupRolesMap = "CN=Test-Application-Hadoop-Admin,OU=Application,OU=Groups,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz":"admin","CN=Test-Application-Hadoop-Users,OU=Application,OU=Groups,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz":"developer"

# general settings
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
# securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
securityManager.realms = $activeDirectoryRealm
shiro.loginUrl = /api/login

[roles]
admin = *
developer = *

[urls]
# authentication method and access control filters
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
# /** = anon
/** = authc

我错过了什么?有人可以帮我解决这个问题吗?

干杯!

【问题讨论】:

    标签: ldap hdfs apache-zeppelin rbac


    【解决方案1】:

    “systemUsername”只是一个名字。移除其他属性。

    【讨论】:

    • 谢谢马克斯。我试过了 - 没有效果。猜猜这些是它用于 LDAP 绑定的参数 - 无论如何这都是正确的。
    【解决方案2】:

    要完成这项工作,我需要做两件事

    • 将 Zeppelin 升级到 0.8.0
    • 上面 Max 的回答只是为 'systemUsername' 使用名称

    【讨论】:

      猜你喜欢
      • 2017-12-24
      • 2021-07-14
      • 2016-04-16
      • 2019-02-08
      • 1970-01-01
      • 2016-02-16
      • 2017-08-03
      • 2019-11-01
      • 2018-08-01
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode