zeppelin | AD Groups | Roles

Posted: 2019-01-08 13:30:33

【Question】:

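I am trying to use AD groups to assign users who log in to Zeppelin to roles/groups.

The user trying to log in is srv-airflowadmin, who is a member of the "Test-Application-Hadoop-Admin" AD group.

The logs show that authentication succeeds, but no role ("admin" in this case) is assigned -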

 WARN [2018-08-01 04:29:46,820] (qtp1286783232-42 LoginRestApi.java[postLogin]:119) - "status":"OK","message":"","body":"principal":"srv-airflowadmin","ticket":"d1858a16-97b6-49c5-b9c4-ecd8f25fd327","roles":"[]"

The debug logs show the following -

DEBUG [2018-08-01 04:29:46,816] (qtp1286783232-42 AuthenticatingRealm.java[getAuthenticationInfo]:569) - Looked up AuthenticationInfo [srv-airflowadmin] from doGetAuthenticationInfo
DEBUG [2018-08-01 04:29:46,817] (qtp1286783232-42 AuthenticatingRealm.java[cacheAuthenticationInfoIfPossible]:507) - AuthenticationInfo caching is disabled for info [srv-airflowadmin].  Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - srv-airflowadmin, rememberMe=false].
DEBUG [2018-08-01 04:29:46,817] (qtp1286783232-42 SimpleCredentialsMatcher.java[equals]:95) - Performing credentials equality check for tokenCredentials of type [[C and accountCredentials of type [[C]
DEBUG [2018-08-01 04:29:46,817] (qtp1286783232-42 SimpleCredentialsMatcher.java[equals]:101) - Both credentials arguments can be easily converted to byte arrays.  Performing array equals comparison
DEBUG [2018-08-01 04:29:46,818] (qtp1286783232-42 AbstractAuthenticator.java[authenticate]:231) - Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - srv-airflowadmin, rememberMe=false].  Returned account [srv-airflowadmin]
DEBUG [2018-08-01 04:29:46,818] (qtp1286783232-42 DefaultSubjectContext.java[resolveSecurityManager]:102) - No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
DEBUG [2018-08-01 04:29:46,818] (qtp1286783232-42 DefaultSecurityManager.java[resolveSession]:436) - Context already contains a session.  Returning.
DEBUG [2018-08-01 04:29:46,818] (qtp1286783232-42 DefaultSubjectContext.java[resolveSecurityManager]:102) - No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
DEBUG [2018-08-01 04:29:46,819] (qtp1286783232-42 SimpleCookie.java[addCookieHeader]:226) - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 31-Jul-2018 04:29:46 GMT]
DEBUG [2018-08-01 04:29:46,819] (qtp1286783232-42 AbstractRememberMeManager.java[onSuccessfulLogin]:300) - AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
 WARN [2018-08-01 04:29:46,820] (qtp1286783232-42 LoginRestApi.java[postLogin]:119) - "status":"OK","message":"","body":"principal":"srv-airflowadmin","ticket":"d1858a16-97b6-49c5-b9c4-ecd8f25fd327","roles":"[]"
DEBUG [2018-08-01 04:29:46,838] (qtp1286783232-15 NotebookServer.java[onMessage]:167) - RECEIVE << LIST_CONFIGURATIONS
DEBUG [2018-08-01 04:29:46,838] (qtp1286783232-15 NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,838] (qtp1286783232-15 NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,838] (qtp1286783232-15 NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:46,844] (qtp1286783232-15 NotebookServer.java[onMessage]:167) - RECEIVE << LIST_NOTES
DEBUG [2018-08-01 04:29:46,844] (qtp1286783232-15 NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,845] (qtp1286783232-15 NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,845] (qtp1286783232-15 NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:46,867] (qtp1286783232-15 NotebookServer.java[onMessage]:167) - RECEIVE << GET_HOME_NOTE
DEBUG [2018-08-01 04:29:46,867] (qtp1286783232-15 NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,867] (qtp1286783232-15 NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,867] (qtp1286783232-15 NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:50,055] (qtp1286783232-15 NotebookServer.java[onMessage]:167) - RECEIVE << PING
DEBUG [2018-08-01 04:29:50,056] (qtp1286783232-15 NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:50,056] (qtp1286783232-15 NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:50,056] (qtp1286783232-15 NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []

The configuration I am using is -

[main]
# authentication settings
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.searchBase = DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz
activeDirectoryRealm.url = ldap://a.b.c.d:389
activeDirectoryRealm.systemUsername = CN=srv-abc,OU=Service Accounts,OU=Security Principles,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz
activeDirectoryRealm.systemPassword = myAmazingPassword
activeDirectoryRealm.principalSuffix = @test.abc.com
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.groupRolesMap = "CN=Test-Application-Hadoop-Admin,OU=Application,OU=Groups,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz":"admin","CN=Test-Application-Hadoop-Users,OU=Application,OU=Groups,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz":"developer"

# general settings
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
# securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
securityManager.realms = $activeDirectoryRealm
shiro.loginUrl = /api/login

[roles]
admin = *
developer = *

[urls]
# authentication method and access control filters
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
# /** = anon
/** = authc

What am I missing? Can someone help me solve this?

Cheers!

【Comments】:

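【Answer 1】:

The "systemUsername" is just a name. Remove the other attributes.

【Comments】:

Thanks Max. I tried that - no effect. I guess these are the parameters it uses for the LDAP bind - which is correct anyway.

【Answer 2】: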

To make this work, I needed to do two things:

1. Upgrade Zeppelin to 0.8.0
2. Max's answer above: use just the name for 'systemUsername'

【Comments】:
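
The symptom in the question (login succeeds, roles stay empty) can be checked mechanically before and after a configuration change. The following is an added example, not code from the original posts or from Zeppelin: it reads the `postLogin` log line and the `[urls]` section as they appear in the question and lists the role-gated paths each principal cannot reach. The function names are hypothetical, and the shape of a non-empty `roles` value is an assumption, since the page only shows the empty case.

```python
import re

# Constructed sample: log lines and the [urls] section copied from the question.
SAMPLE_LOG = '''\
 WARN [2018-08-01 04:29:46,820] (qtp1286783232-42 LoginRestApi.java[postLogin]:119) - "status":"OK","message":"","body":"principal":"srv-airflowadmin","ticket":"d1858a16-97b6-49c5-b9c4-ecd8f25fd327","roles":"[]"
DEBUG [2018-08-01 04:29:46,838] (qtp1286783232-15 NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
'''
SAMPLE_INI = '''\
[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
'''
LOGIN_RE = re.compile(r'LoginRestApi\.java\[postLogin\].*?"principal":"([^"]+)".*?"roles":"\[(.*?)\]"')

def logins(log_text):
    """Return [(principal, roles)] for each postLogin response line."""
    found = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            # Assumption: role names are plain tokens, possibly quoted/escaped.
            found.append((m.group(1), set(re.findall(r'[\w.-]+', m.group(2)))))
    return found

def url_role_rules(ini_text):
    """Map each [urls] pattern to the roles its roles[...] filter requires."""
    rules, section = {}, None
    for line in map(str.strip, ini_text.splitlines()):
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
        elif section == 'urls' and '=' in line:
            pattern, chain = (part.strip() for part in line.split('=', 1))
            m = re.search(r'roles\[([^\]]*)\]', chain)
            if m:
                rules[pattern] = {r.strip() for r in m.group(1).split(',') if r.strip()}
    return rules

def report(log_text, ini_text):
    """Per principal, the role-gated patterns it cannot reach (all roles needed)."""
    rules = url_role_rules(ini_text)
    return {user: sorted(p for p, need in rules.items() if not need <= roles)
            for user, roles in logins(log_text)}

print(report(SAMPLE_LOG, SAMPLE_INI))
```

An empty list for a principal means every `roles[...]` filter in `[urls]` is satisfied by the roles the login response reported.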
