我正在尝试使用AD组将登录Zeppelin的用户分配给角色/组。
尝试登录的用户是-srv-airflowadmin,他是“ Test-Application-Hadoop-Admin” AD组的成员。
日志显示身份验证成功,但是未分配角色(在本例中为“ admin”)-
WARN [2018-08-01 04:29:46,820] ({qtp1286783232-42} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"srv-airflowadmin","ticket":"d1858a16-97b6-49c5-b9c4-ecd8f25fd327","roles":"[]"}}
调试日志显示如下-
DEBUG [2018-08-01 04:29:46,816] ({qtp1286783232-42} AuthenticatingRealm.java[getAuthenticationInfo]:569) - Looked up AuthenticationInfo [srv-airflowadmin] from doGetAuthenticationInfo
DEBUG [2018-08-01 04:29:46,817] ({qtp1286783232-42} AuthenticatingRealm.java[cacheAuthenticationInfoIfPossible]:507) - AuthenticationInfo caching is disabled for info [srv-airflowadmin]. Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - srv-airflowadmin, rememberMe=false].
DEBUG [2018-08-01 04:29:46,817] ({qtp1286783232-42} SimpleCredentialsMatcher.java[equals]:95) - Performing credentials equality check for tokenCredentials of type [[C and accountCredentials of type [[C]
DEBUG [2018-08-01 04:29:46,817] ({qtp1286783232-42} SimpleCredentialsMatcher.java[equals]:101) - Both credentials arguments can be easily converted to byte arrays. Performing array equals comparison
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} AbstractAuthenticator.java[authenticate]:231) - Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - srv-airflowadmin, rememberMe=false]. Returned account [srv-airflowadmin]
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} DefaultSubjectContext.java[resolveSecurityManager]:102) - No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} DefaultSecurityManager.java[resolveSession]:436) - Context already contains a session. Returning.
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} DefaultSubjectContext.java[resolveSecurityManager]:102) - No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
DEBUG [2018-08-01 04:29:46,819] ({qtp1286783232-42} SimpleCookie.java[addCookieHeader]:226) - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 31-Jul-2018 04:29:46 GMT]
DEBUG [2018-08-01 04:29:46,819] ({qtp1286783232-42} AbstractRememberMeManager.java[onSuccessfulLogin]:300) - AuthenticationToken did not indicate RememberMe is requested. RememberMe functionality will not be executed for corresponding account.
WARN [2018-08-01 04:29:46,820] ({qtp1286783232-42} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"srv-airflowadmin","ticket":"d1858a16-97b6-49c5-b9c4-ecd8f25fd327","roles":"[]"}}
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << LIST_CONFIGURATIONS
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:46,844] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << LIST_NOTES
DEBUG [2018-08-01 04:29:46,844] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,845] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,845] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << GET_HOME_NOTE
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:50,055] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << PING
DEBUG [2018-08-01 04:29:50,056] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:50,056] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:50,056] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
我正在使用的配置是-
[main]
# authentication settings
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.searchBase = DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz
activeDirectoryRealm.url = ldap://a.b.c.d:389
activeDirectoryRealm.systemUsername = CN=srv-abc,OU=Service Accounts,OU=Security Principles,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz
activeDirectoryRealm.systemPassword = myAmazingPassword
activeDirectoryRealm.principalSuffix = @test.abc.com
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.groupRolesMap = "CN=Test-Application-Hadoop-Admin,OU=Application,OU=Groups,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz":"admin","CN=Test-Application-Hadoop-Users,OU=Application,OU=Groups,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz":"developer"
# general settings
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
# securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
securityManager.realms = $activeDirectoryRealm
shiro.loginUrl = /api/login
[roles]
admin = *
developer = *
[urls]
# authentication method and access control filters
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
# /** = anon
/** = authc
我想念什么?有人可以帮我吗?
干杯!
答案 0 :(得分:1)
“ systemUsername”只是一个名称。删除其他属性。
答案 1 :(得分:0)
要完成这项工作,我需要做两件事