  1. Ambari
  2. AMBARI-22538

API doesn't seem to handle shiro_ini_content properly


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.6.0
    • Fix Version/s: None
    • Component/s: ambari-server, blueprints
    • Labels:
      None
    • Environment:

      CentOS 7.4
      ambari-server 2.6.0.0-267
      Zeppelin Notebook 0.7.3

      Description

      I'm trying to pass a shiro.ini file via the API (both blueprint and single config setting) to the shiro_ini_content key of the zeppelin-shiro-ini configuration.

      When the file is passed in, the newline characters (\n) are expressed literally instead of being converted to actual new lines.

      The easiest way to test on an existing cluster is with the configs.py script.

      [root@localhost ~]# /var/lib/ambari-server/resources/scripts/configs.py -a get -l localhost -n mycluster -c zeppelin-shiro-ini -u admin -p admin
      
      {
        "properties": {
          "shiro_ini_content": "\n[users]\n# List of users with their password allowed to access Zeppelin.\n# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections\nadmin = admin, admin\nuser1 = user1, role1, role2\nuser2 = user2, role3\nuser3 = user3, role2\n\n# Sample LDAP configuration, for user Authentication, currently tested for single Realm\n[main]\n### A sample for configuring Active Directory Realm\n#activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm\n#activeDirectoryRealm.systemUsername = userNameA\n\n#use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html\n#activeDirectoryRealm.systemPassword = passwordA\n#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks\n#activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM\n#activeDirectoryRealm.url = ldap://ldap.test.com:389\n#activeDirectoryRealm.groupRolesMap = \"CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM\":\"admin\",\"CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM\":\"finance\",\"CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM\":\"hr\"\n#activeDirectoryRealm.authorizationCachingEnabled = false\n\n### A sample for configuring LDAP Directory Realm\n#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm\n## search base for ldap groups (only relevant for LdapGroupRealm):\n#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM\n#ldapRealm.contextFactory.url = ldap://ldap.test.com:389\n#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM\n#ldapRealm.contextFactory.authenticationMechanism = SIMPLE\n\n### A sample PAM configuration\n#pamRealm=org.apache.zeppelin.realm.PamRealm\n#pamRealm.service=sshd\n\n\nsessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager\n### If caching of user is required then uncomment below lines\ncacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager\nsecurityManager.cacheManager = $cacheManager\n\ncookie = org.apache.shiro.web.servlet.SimpleCookie\ncookie.name = JSESSIONID\n#Uncomment the line below when running Zeppelin-Server in HTTPS mode\n#cookie.secure = true\ncookie.httpOnly = true\nsessionManager.sessionIdCookie = $cookie\n\nsecurityManager.sessionManager = $sessionManager\n# 86,400,000 milliseconds = 24 hour\nsecurityManager.sessionManager.globalSessionTimeout = 86400000\nshiro.loginUrl = /api/login\n\n[roles]\nrole1 = *\nrole2 = *\nrole3 = *\nadmin = *\n\n[urls]\n# This section is used for url-based security.\n# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.\n# anon means the access is anonymous.\n# authc means Form based Auth Security\n# To enfore security, comment the line below and uncomment the next one\n/api/version = anon\n#/api/interpreter/** = authc, roles[admin]\n#/api/configurations/** = authc, roles[admin]\n#/api/credential/** = authc, roles[admin]\n#/** = anon\n/** = authc"
        }
      }
      

      Taking the value shown above and passing it right back to the API results in a configuration file expressed as a single line instead of multiple lines as intended.

      [root@nh-ambari ~]# /var/lib/ambari-server/resources/scripts/configs.py -a set -l localhost -n mycluster -c zeppelin-shiro-ini -u admin -p admin -k shiro_ini_content -v '\n[users]\n# List of users with their password allowed to access Zeppelin.\n# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections\nadmin = admin, admin\nuser1 = user1, role1, role2\nuser2 = user2, role3\nuser3 = user3, role2\n\n# Sample LDAP configuration, for user Authentication, currently tested for single Realm\n[main]\n### A sample for configuring Active Directory Realm\n#activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm\n#activeDirectoryRealm.systemUsername = userNameA\n\n#use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html\n#activeDirectoryRealm.systemPassword = passwordA\n#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks\n#activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM\n#activeDirectoryRealm.url = ldap://ldap.test.com:389\n#activeDirectoryRealm.groupRolesMap = \"CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM\":\"admin\",\"CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM\":\"finance\",\"CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM\":\"hr\"\n#activeDirectoryRealm.authorizationCachingEnabled = false\n\n### A sample for configuring LDAP Directory Realm\n#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm\n## search base for ldap groups (only relevant for LdapGroupRealm):\n#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM\n#ldapRealm.contextFactory.url = ldap://ldap.test.com:389\n#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM\n#ldapRealm.contextFactory.authenticationMechanism = SIMPLE\n\n### A sample PAM configuration\n#pamRealm=org.apache.zeppelin.realm.PamRealm\n#pamRealm.service=sshd\n\n\nsessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager\n### If caching of user is required then uncomment below lines\ncacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager\nsecurityManager.cacheManager = $cacheManager\n\ncookie = org.apache.shiro.web.servlet.SimpleCookie\ncookie.name = JSESSIONID\n#Uncomment the line below when running Zeppelin-Server in HTTPS mode\n#cookie.secure = true\ncookie.httpOnly = true\nsessionManager.sessionIdCookie = $cookie\n\nsecurityManager.sessionManager = $sessionManager\n# 86,400,000 milliseconds = 24 hour\nsecurityManager.sessionManager.globalSessionTimeout = 86400000\nshiro.loginUrl = /api/login\n\n[roles]\nrole1 = *\nrole2 = *\nrole3 = *\nadmin = *\n\n[urls]\n# This section is used for url-based security.\n# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.\n# anon means the access is anonymous.\n# authc means Form based Auth Security\n# To enfore security, comment the line below and uncomment the next one\n/api/version = anon\n#/api/interpreter/** = authc, roles[admin]\n#/api/configurations/** = authc, roles[admin]\n#/api/credential/** = authc, roles[admin]\n#/** = anon\n/** = authc'
      

      Check the shiro_ini_content value in Ambari, and you see the file represented as a single line. Restarting the Zeppelin service now fails due to an improperly formatted config file.
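
Added example, not part of the original report and not Ambari code: a Python model of the round trip described above, with a pre-flight check that rejects a collapsed shiro.ini before it is submitted. It assumes a client that JSON-encodes its argument unchanged; the helper names, the short sample file and the expected section list are constructed for illustration.

```python
import json
import re

# Constructed excerpt of a shiro.ini, with real newlines (not the full file from the report).
SHIRO_INI = ("\n[users]\nadmin = admin, admin\n\n[main]\nshiro.loginUrl = /api/login\n"
             "\n[roles]\nadmin = *\n\n[urls]\n/api/version = anon\n/** = authc")

def json_escaped_text(value):
    """Text a JSON GET displays for the value: the string literal minus its outer quotes."""
    return json.dumps(value)[1:-1]

def decode_pasted(text):
    """Undo the JSON escaping of text copied from a GET response."""
    return json.loads('"' + text + '"')

def sections(value):
    """INI section names that actually start a line."""
    return re.findall(r"^\[(\w+)\][ \t]*$", value, flags=re.MULTILINE)

def preflight(value, expected=("users", "main", "roles", "urls")):
    """Return a list of problems; an empty list means the value is safe to submit.
    The expected section names are an assumption taken from the file in the report."""
    problems = []
    if "\\n" in value:
        problems.append("contains literal backslash-n text instead of line breaks")
    missing = [name for name in expected if name not in sections(value)]
    if missing:
        problems.append("sections not found at line start: " + ", ".join(missing))
    return problems

def round_trip(argument):
    """Model a client that JSON-encodes its argument unchanged and a server that decodes it."""
    return json.loads(json.dumps({"shiro_ini_content": argument}))["shiro_ini_content"]

if __name__ == "__main__":
    shown = json_escaped_text(SHIRO_INI)      # what gets copied from the GET output
    stored = round_trip(shown)                # what comes back after pasting it as-is
    print(len(stored.splitlines()), preflight(stored))
    fixed = round_trip(decode_pasted(shown))  # decode first, then submit
    print(len(fixed.splitlines()), preflight(fixed))
```

Because shiro.ini carries the `[urls]` access rules and the `[users]` accounts for Zeppelin, running a check like `preflight` before the `set` call catches a malformed value before the service is restarted with it.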

            People

            • Assignee:
              Unassigned
              Reporter:
              nicholasmhughes Nicholas Hughes