Zeppelin 0.8.0 ldap group and role configuration
【Published】: 2019-01-28 07:57:34
【Question】: I am trying to use Zeppelin 0.8.0 with LDAP group and role configuration. I followed the instructions on the page https://zeppelin.apache.org/docs/0.8.0/setup/security/shiro_authentication.html#ldap to configure Zeppelin to integrate with LDAP.
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://xxx.xxx.xxx:389
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.systemUsername = xxxxx
ldapRealm.contextFactory.systemPassword = xxxxx
ldapRealm.searchBase = DC=fareast,DC=nevint,DC=com
ldapRealm.userSearchBase = DC=fareast,DC=nevint,DC=com
ldapRealm.userSearchScope = subtree
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.userSearchFilter = (&(objectclass=person)(sAMAccountName={0}))
ldapRealm.groupSearchBase = DC=fareast,DC=nevint,DC=com
ldapRealm.groupObjectClass = group
ldapRealm.memberAttribute=member
ldapRealm.groupSearchScope = subtree
ldapRealm.groupSearchEnableMatchingRuleInChain = true
ldapRealm.rolesByGroup = Global-***: user_role, SWC_SAS: admin_role
ldapRealm.allowedRolesForAuthentication = admin_role,user_role
ldapRealm.permissionsByRole= user_role = *:ToDoItemsJdo:*:*, *:ToDoItem:*:*; admin_role = *
When I start the Zeppelin server, I get the following error in the log. Any idea where I went wrong?
org.apache.shiro.config.ConfigurationException: Map property value [user_role = *:ToDoItemsJdo:*:*, *:ToDoItem:*:*; admin_role = *] contained key-value pair token [user_role = *:ToDoItemsJdo:*:*] that does not properly split to a single key and pair. This must be the case for all map entries.
at org.apache.shiro.config.ReflectionBuilder.toMap(ReflectionBuilder.java:473)
at org.apache.shiro.config.ReflectionBuilder.applyProperty(ReflectionBuilder.java:705)
at org.apache.shiro.config.ReflectionBuilder.applySingleProperty(ReflectionBuilder.java:364)
at org.apache.shiro.config.ReflectionBuilder.applyProperty(ReflectionBuilder.java:325)
at org.apache.shiro.config.ReflectionBuilder$AssignmentStatement.doExecute(ReflectionBuilder.java:955)
at org.apache.shiro.config.ReflectionBuilder$Statement.execute(ReflectionBuilder.java:887)
at org.apache.shiro.config.ReflectionBuilder$BeanConfigurationProcessor.execute(ReflectionBuilder.java:765)
at org.apache.shiro.config.ReflectionBuilder.buildObjects(ReflectionBuilder.java:260)
at org.apache.shiro.config.IniSecurityManagerFactory.buildInstances(IniSecurityManagerFactory.java:167)
at org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:130)
at org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:108)
at org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:94)
at org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:46)
at org.apache.shiro.config.IniFactorySupport.createInstance(IniFactorySupport.java:123)
at org.apache.shiro.util.AbstractFactory.getInstance(AbstractFactory.java:47)
at org.apache.shiro.web.env.IniWebEnvironment.createWebSecurityManager(IniWebEnvironment.java:203)
at org.apache.shiro.web.env.IniWebEnvironment.configure(IniWebEnvironment.java:99)
at org.apache.shiro.web.env.IniWebEnvironment.init(IniWebEnvironment.java:92)
at org.apache.shiro.util.LifecycleUtils.init(LifecycleUtils.java:45)
at org.apache.shiro.util.LifecycleUtils.init(LifecycleUtils.java:40)
at org.apache.shiro.web.env.EnvironmentLoader.createEnvironment(EnvironmentLoader.java:221)
at org.apache.shiro.web.env.EnvironmentLoader.initEnvironment(EnvironmentLoader.java:133)
at org.apache.shiro.web.env.EnvironmentLoaderListener.contextInitialized(EnvironmentLoaderListener.java:58)
at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:800)
at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:444)
at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:791)
at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:294)
at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1349)
at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1342)
at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:741)
at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:505)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:163)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
at org.eclipse.jetty.server.Server.start(Server.java:387)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
at org.eclipse.jetty.server.Server.doStart(Server.java:354)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.apache.zeppelin.server.ZeppelinServer.main(ZeppelinServer.java:215)
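【Answer 1】: After reading the source code of org.apache.shiro.config.ReflectionBuilder.toMap, I got it to work. The configuration item ldapRealm.permissionsByRole= user_role = *:ToDoItemsJdo:*:*, *:ToDoItem:*:*; admin_role = * given in the documentation is wrong.
I am just posting my working configuration for your reference.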
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://xxxxxx:389
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.systemUsername = xxxxxxx
ldapRealm.contextFactory.systemPassword = xxxxxx
ldapRealm.searchBase = DC=fareast,DC=nevint,DC=com
ldapRealm.userSearchBase = DC=fareast,DC=nevint,DC=com
ldapRealm.userSearchScope = subtree
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.userSearchFilter = (&(objectclass=person)(sAMAccountName={0}))
ldapRealm.authorizationEnabled = true
ldapRealm.groupSearchBase = OU=Group,OU=China,DC=fareast,DC=nevint,DC=com
ldapRealm.groupObjectClass = group
ldapRealm.memberAttribute=member
ldapRealm.groupSearchScope = subtree
ldapRealm.groupSearchFilter = (&(objectclass=group)(member={0}))
ldapRealm.memberAttributeValueTemplate=CN={0},OU=China,DC=fareast,DC=nevint,DC=com
ldapRealm.groupSearchEnableMatchingRuleInChain = true
ldapRealm.rolesByGroup = Global-***: user_role, Zeppelin_Admin: admin_role
ldapRealm.allowedRolesForAuthentication = admin_role,user_role
ldapRealm.permissionsByRole= user_role:"*:ToDoItemsJdo:*:*, *:ToDoItem:*:*", admin_role:"*"
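
Added example (not part of the original answer and not Shiro's own code): a simplified Python model of the quote-aware map parsing that the error message and the corrected permissionsByRole value point to, usable as a pre-start check on map-valued realm properties. It assumes "," separates entries, ":" separates key from value, and double quotes protect both characters inside a value; all function names are hypothetical.

```python
# Added illustration: simplified model of quote-aware map parsing (assumed rules:
# ',' separates entries, ':' separates key/value, double quotes protect both).
MAP_PROPERTIES = ("rolesByGroup", "permissionsByRole")

def split_quoted(text, delim, keep_quotes):
    """Split on delim, ignoring delimiters that sit inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
            if keep_quotes:
                buf.append(ch)
        elif ch == delim and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in %r" % text)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_map_value(value):
    """Return {key: value}; raise ValueError naming the entry that fails."""
    result = {}
    for token in split_quoted(value, ",", keep_quotes=True):
        pair = split_quoted(token, ":", keep_quotes=False)
        if len(pair) != 2:
            raise ValueError("entry [%s] has %d parts, not key:value" % (token, len(pair)))
        result[pair[0]] = pair[1]
    return result

def lint_realm_config(ini_text):
    """Check every map-valued realm property; return (property, error) pairs."""
    findings = []
    for line in ini_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().endswith(MAP_PROPERTIES):
            try:
                parse_map_value(value.strip())
            except ValueError as exc:
                findings.append((name.strip(), str(exc)))
    return findings

# Constructed input: the two permissionsByRole forms quoted on this page.
DOCUMENTED = "ldapRealm.permissionsByRole= user_role = *:ToDoItemsJdo:*:*, *:ToDoItem:*:*; admin_role = *"
WORKING = 'ldapRealm.permissionsByRole= user_role:"*:ToDoItemsJdo:*:*, *:ToDoItem:*:*", admin_role:"*"'
if __name__ == "__main__":
    print(lint_realm_config(DOCUMENTED), lint_realm_config(WORKING))
```

Under these rules the documented value fails on its first entry, the same token the ConfigurationException names, because the unquoted permission string contains extra colons.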