#ldap #apache-zeppelin #shiro
Вопрос:
Я хочу настроить свой Zeppelin для аутентификации в моем AD с помощью ldap. Я настроил в conf/shiro.ini следующую информацию :
ldapRealmExtern = org.apache.zeppelin.realm.LdapRealm
ldapRealmExtern.contextFactory.url = ldap://authentication.mycompany.com:389
ldapRealmExtern.contextFactory.systemUsername = CN=user,OU=XX_Func,OU=XX_Users,OU=XX_ACC,OU=XX,DC=xx,DC=FR
ldapRealmExtern.contextFactory.systemPassword = ******
ldapRealmExtern.contextFactory.authenticationMechanism = simple
ldapRealmExtern.authorizationEnabled = true
ldapRealmExtern.userSearchBase = dc=xx,dc=FR
#ldapRealmExtern.userSearchFilter = (&(cn={0})(objectclass=organizationalPerson))
ldapRealmExtern.userSearchFilter = cn={0}
ldapRealmExtern.userObjectClass = organizationalPerson
ldapRealmExtern.userSearchAttributeName = cn
ldapRealmExtern.groupObjectClass = group
ldapRealmExtern.memberAttribute = member
ldapRealmExtern.groupSearchBase = dc=xx,dc=FR
ldapRealmExtern.groupSearchFilter = member={0}
ldapRealmExtern.memberAttributeValueTemplate=cn={0},OU=XX_Intern,OU=XX_Users,OU=XX_ACC,OU=XX,DC=xx,DC=FR
Когда я запускаю Zeppelin, я могу войти в систему, но выдается следующее исключение :
WARN [2020-12-03 06:16:56,887] ({qtp1580893732-92} ModularRealmAuthenticator.java[doMultiRealmAuthentication]:224) - Realm [org.apache.zeppelin.realm.LdapRealm@33f9f341] threw an exception during a multi-realm authentication attempt:
java.lang.IllegalArgumentException: principal argument cannot be null.
at org.apache.shiro.subject.SimplePrincipalCollection.add(SimplePrincipalCollection.java:104)
at org.apache.shiro.subject.SimplePrincipalCollection.<init>(SimplePrincipalCollection.java:59)
at org.apache.shiro.authc.SimpleAuthenticationInfo.<init>(SimpleAuthenticationInfo.java:93)
at org.apache.zeppelin.realm.LdapRealm.createAuthenticationInfo(LdapRealm.java:985)
at org.apache.shiro.realm.ldap.DefaultLdapRealm.queryForAuthenticationInfo(DefaultLdapRealm.java:377)
at org.apache.zeppelin.realm.LdapRealm.queryForAuthenticationInfo(LdapRealm.java:268)
at org.apache.shiro.realm.ldap.DefaultLdapRealm.doGetAuthenticationInfo(DefaultLdapRealm.java:295)
at org.apache.zeppelin.realm.LdapRealm.doGetAuthenticationInfo(LdapRealm.java:217)
at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219)
at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269)
at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
at org.apache.shiro.web.filter.authc.FormAuthenticationFilter.onAccessDenied(FormAuthenticationFilter.java:154)
at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1588)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1557)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:502)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
at java.lang.Thread.run(Thread.java:748)
В журнале также есть запись, согласно которой у меня нет ни одной роли:
WARN [2020-12-03 06:16:56,947] ({qtp1580893732-92} LoginRestApi.java[postLogin]:206) - {"status":"OK","message":"","body":{"principal":"myuser","ticket":"cb575d5e-a170-4e5f-9160-8350b3853943","roles":"[]"}}
Есть ли у вас какие-либо идеи о том, что не так в этой конфигурации? Как я могу получить группы из моего AD?
Спасибо
Ответ №1:
Одним из решений было обновление Apache Zeppelin до 0.9.0-preview2. После этого вход через Active Directory снова работает.
Ответ №2:
Мы тоже столкнулись с такой же ошибкой. Мы все еще получаем исключение, но нам удалось заполнить роли для пользователя, и авторизация работает. Мы изменили много свойств, но значение имеет вот это свойство:
ldapRealm.groupSearchEnableMatchingRuleInChain = true
Этот параметр включает поиск групп с оператором LDAP_MATCHING_RULE_IN_CHAIN, поэтому в роли попадают и вложенные группы Active Directory.