Uploaded image for project: 'Zeppelin'
  1. Zeppelin
  2. ZEPPELIN-3817

sssd/ldap authentication failing

    XMLWordPrintableJSON

    Details

      Description

      Hi There,

      We are trying to integrate the zepplin with AD. but its failing and throwing below error

       

      ---------------------------------------------------------------------------

      WARN [2018-10-19 10:40:28,268] ({qtp2059904228-68} LoginRestApi.java[postLogin]:206) - {"status":"FORBIDDEN","message":"","body":""}
      WARN [2018-10-19 11:04:18,020] ({qtp2059904228-98} AbstractAuthenticator.java[authenticate]:216) - Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - null, rememberMe=false (10.23.126.208)]. Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
      java.lang.IllegalArgumentException: principal argument cannot be null.
      at org.apache.shiro.subject.SimplePrincipalCollection.add(SimplePrincipalCollection.java:104)
      at org.apache.shiro.subject.SimplePrincipalCollection.<init>(SimplePrincipalCollection.java:59)
      at org.apache.shiro.authc.SimpleAuthenticationInfo.<init>(SimpleAuthenticationInfo.java:74)
      at org.apache.shiro.realm.ldap.DefaultLdapRealm.createAuthenticationInfo(DefaultLdapRealm.java:412)
      at org.apache.shiro.realm.ldap.DefaultLdapRealm.queryForAuthenticationInfo(DefaultLdapRealm.java:377)
      at org.apache.shiro.realm.ldap.DefaultLdapRealm.doGetAuthenticationInfo(DefaultLdapRealm.java:295)
      at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
      at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
      at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
      at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
      at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
      at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
      at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
      at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
      at org.apache.shiro.web.filter.authc.FormAuthenticationFilter.onAccessDenied(FormAuthenticationFilter.java:154)
      at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
      at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
      at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
      at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
      at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
      at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
      at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
      at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
      at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
      at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
      at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
      at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
      at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
      at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
      at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
      at org.eclipse.jetty.server.Server.handle(Server.java:499)
      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
      at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
      at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
      at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
      at java.lang.Thread.run(Thread.java:748)
      ERROR [2018-10-19 11:04:18,043] ({qtp2059904228-98} LoginRestApi.java[proceedToLogin]:172) - Exception in login:
      org.apache.shiro.authc.AuthenticationException: LDAP authentication failed.
      at org.apache.shiro.realm.ldap.DefaultLdapRealm.doGetAuthenticationInfo(DefaultLdapRealm.java:300)
      at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
      at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
      at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
      at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
      at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
      at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
      at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
      at org.apache.zeppelin.rest.LoginRestApi.proceedToLogin(LoginRestApi.java:140)
      at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:199)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
      at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
      at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
      at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
      at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
      at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
      at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
      at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
      at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
      at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
      at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
      at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
      at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)
      at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)
      at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)
      at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)
      at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
      at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
      at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
      at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
      at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
      at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
      at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
      at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
      at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
      at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
      at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
      at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
      at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
      at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
      at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
      at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
      at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
      at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
      at org.eclipse.jetty.server.Server.handle(Server.java:499)
      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
      at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
      at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
      at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
      at java.lang.Thread.run(Thread.java:748)
      Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]

      ---------------------------------------------------------------

       

      my shiro.ini is below

       

      #

      1. Licensed to the Apache Software Foundation (ASF) under one or more
      2. contributor license agreements. See the NOTICE file distributed with
      3. this work for additional information regarding copyright ownership.
      4. The ASF licenses this file to You under the Apache License, Version 2.0
      5. (the "License"); you may not use this file except in compliance with
      6. the License. You may obtain a copy of the License at
        #
      7. http://www.apache.org/licenses/LICENSE-2.0
        #
      8. Unless required by applicable law or agreed to in writing, software
      9. distributed under the License is distributed on an "AS IS" BASIS,
      10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      11. See the License for the specific language governing permissions and
      12. limitations under the License.
        #

      #[users]
      #oracle = welcome1, admin

      1. List of users with their password allowed to access Zeppelin.
      2. To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
      3. To enable admin user, uncomment the following line and set an appropriate password.
        #admin = password1, admin
        #user1 = password2, role1, role2
        #user2 = password3, role3
        #user3 = password4, role2
      1. Sample LDAP configuration, for user Authentication, currently tested for single Realm
        [main]
          1. A sample for configuring Active Directory Realm
            #activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
            #activeDirectoryRealm.systemUsername = userNameA

      #use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html
      #activeDirectoryRealm.systemPassword = passwordA
      #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks
      #activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
      #activeDirectoryRealm.url = ldap://ldap.test.com:389
      #activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
      #activeDirectoryRealm.authorizationCachingEnabled = false

          1. A sample for configuring LDAP Directory Realm
            ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
        1. search base for ldap groups (only relevant for LdapGroupRealm):
          ldapRealm.contextFactory.environment[ldap.searchBase] = DC=XXXXX,DC=XXXXX,DC=com
          ldapRealm.contextFactory.url = ldap://msbchilddc01.XXXXX.XXXXX.com:389
          ldapRealm.userDnTemplate = CN={0},ou=LdapService,DC=XXXXX,DC=XXXXX,DC=com
          ldapRealm.contextFactory.authenticationMechanism = simple
          securityManager.realms = $ldapRealm
          1. A sample PAM configuration
            #pamRealm=org.apache.zeppelin.realm.PamRealm
            #pamRealm.service=sss
            #securityManager.realms = $pamRealm
          1. A sample for configuring ZeppelinHub Realm
            #zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm
        1. Url of ZeppelinHub
          #zeppelinHubRealm.zeppelinhubUrl = https://www.zeppelinhub.com
          #securityManager.realms = $zeppelinHubRealm
        1. A same for configuring Knox SSO Realm
          #knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
          #knoxJwtRealm.providerUrl = https://domain.example.com/
          #knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html
          #knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
          #knoxJwtRealm.logoutAPI = true
          #knoxJwtRealm.redirectParam = originalUrl
          #knoxJwtRealm.cookieName = hadoop-jwt
          #knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knox-sso.pem
          #
          #knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
          #knoxJwtRealm.principalMapping = principal.mapping
          #authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter

      sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

          1. If caching of user is required then uncomment below lines
            #cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
            #securityManager.cacheManager = $cacheManager
          1. Enables 'HttpOnly' flag in Zeppelin cookies
            cookie = org.apache.shiro.web.servlet.SimpleCookie
            cookie.name = JSESSIONID
            cookie.httpOnly = true
          2. Uncomment the below line only when Zeppelin is running over HTTPS
            #cookie.secure = true
            sessionManager.sessionIdCookie = $cookie

      securityManager.sessionManager = $sessionManager

      1. 86,400,000 milliseconds = 24 hour
        securityManager.sessionManager.globalSessionTimeout = 86400000
        shiro.loginUrl = /api/login

      [roles]
      role1 = *
      role2 = *
      role3 = *
      admin = *

      [urls]

      1. This section is used for url-based security. For details see the shiro.ini documentation.
        #
      2. You can secure interpreter, configuration and credential information by urls.
      3. Comment or uncomment the below urls that you want to hide:
      4. anon means the access is anonymous.
      5. authc means form based auth Security.
        #
      6. IMPORTANT: Order matters: URL path expressions are evaluated against an incoming request
      7. in the order they are defined and the FIRST MATCH WINS.
        #
      8. To allow anonymous access to all but the stated urls,
      9. uncomment the line second last line (/** = anon) and comment the last line (/** = authc)
        #
        /api/version = anon
      10. Allow all authenticated users to restart interpreters on a notebook page.
      11. Comment out the following line if you would like to authorize only admin users to restart interpreters.
        /api/interpreter/setting/restart/** = authc
        /api/interpreter/** = authc, roles[admin]
        /api/configurations/** = authc, roles[admin]
        /api/credential/** = authc, roles[admin]
        #/** = anon
        /** = authc

       

       

       

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              bhupendramishra Bhupendra Mishra
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: