Ldap 齐柏林飞艇|广告团体|角色
我试图让登录齐柏林飞艇的用户使用广告组分配到角色/组 试图登录的用户是-srv airflowsadmin,他是“测试应用程序Hadoop Admin”广告组的成员 日志显示身份验证成功,但未分配本例中的角色“admin”-Ldap 齐柏林飞艇|广告团体|角色,ldap,hdfs,apache-zeppelin,rbac,Ldap,Hdfs,Apache Zeppelin,Rbac,我试图让登录齐柏林飞艇的用户使用广告组分配到角色/组 试图登录的用户是-srv airflowsadmin,他是“测试应用程序Hadoop Admin”广告组的成员 日志显示身份验证成功,但未分配本例中的角色“admin”- WARN [2018-08-01 04:29:46,820] ({qtp1286783232-42} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"
WARN [2018-08-01 04:29:46,820] ({qtp1286783232-42} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"srv-airflowadmin","ticket":"d1858a16-97b6-49c5-b9c4-ecd8f25fd327","roles":"[]"}}
DEBUG [2018-08-01 04:29:46,816] ({qtp1286783232-42} AuthenticatingRealm.java[getAuthenticationInfo]:569) - Looked up AuthenticationInfo [srv-airflowadmin] from doGetAuthenticationInfo
DEBUG [2018-08-01 04:29:46,817] ({qtp1286783232-42} AuthenticatingRealm.java[cacheAuthenticationInfoIfPossible]:507) - AuthenticationInfo caching is disabled for info [srv-airflowadmin]. Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - srv-airflowadmin, rememberMe=false].
DEBUG [2018-08-01 04:29:46,817] ({qtp1286783232-42} SimpleCredentialsMatcher.java[equals]:95) - Performing credentials equality check for tokenCredentials of type [[C and accountCredentials of type [[C]
DEBUG [2018-08-01 04:29:46,817] ({qtp1286783232-42} SimpleCredentialsMatcher.java[equals]:101) - Both credentials arguments can be easily converted to byte arrays. Performing array equals comparison
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} AbstractAuthenticator.java[authenticate]:231) - Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - srv-airflowadmin, rememberMe=false]. Returned account [srv-airflowadmin]
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} DefaultSubjectContext.java[resolveSecurityManager]:102) - No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} DefaultSecurityManager.java[resolveSession]:436) - Context already contains a session. Returning.
DEBUG [2018-08-01 04:29:46,818] ({qtp1286783232-42} DefaultSubjectContext.java[resolveSecurityManager]:102) - No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
DEBUG [2018-08-01 04:29:46,819] ({qtp1286783232-42} SimpleCookie.java[addCookieHeader]:226) - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 31-Jul-2018 04:29:46 GMT]
DEBUG [2018-08-01 04:29:46,819] ({qtp1286783232-42} AbstractRememberMeManager.java[onSuccessfulLogin]:300) - AuthenticationToken did not indicate RememberMe is requested. RememberMe functionality will not be executed for corresponding account.
WARN [2018-08-01 04:29:46,820] ({qtp1286783232-42} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"srv-airflowadmin","ticket":"d1858a16-97b6-49c5-b9c4-ecd8f25fd327","roles":"[]"}}
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << LIST_CONFIGURATIONS
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,838] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:46,844] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << LIST_NOTES
DEBUG [2018-08-01 04:29:46,844] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,845] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,845] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << GET_HOME_NOTE
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:46,867] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
DEBUG [2018-08-01 04:29:50,055] ({qtp1286783232-15} NotebookServer.java[onMessage]:167) - RECEIVE << PING
DEBUG [2018-08-01 04:29:50,056] ({qtp1286783232-15} NotebookServer.java[onMessage]:168) - RECEIVE PRINCIPAL << srv-airflowadmin
DEBUG [2018-08-01 04:29:50,056] ({qtp1286783232-15} NotebookServer.java[onMessage]:169) - RECEIVE TICKET << d1858a16-97b6-49c5-b9c4-ecd8f25fd327
DEBUG [2018-08-01 04:29:50,056] ({qtp1286783232-15} NotebookServer.java[onMessage]:170) - RECEIVE ROLES << []
干杯 systemUsername只是一个名称。删除其他属性。我需要做两件事才能使它正常工作 将齐柏林飞艇升级到0.8.0 Max在上文中的回答是,仅为“systemUsername”使用一个名称
谢谢Max,我试过了,没有效果。猜测一下,这些就是它用于LDAP绑定的参数——无论如何,这是正确的。
[main]
# authentication settings
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.searchBase = DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz
activeDirectoryRealm.url = ldap://a.b.c.d:389
activeDirectoryRealm.systemUsername = CN=srv-abc,OU=Service Accounts,OU=Security Principles,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz
activeDirectoryRealm.systemPassword = myAmazingPassword
activeDirectoryRealm.principalSuffix = @test.abc.com
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.groupRolesMap = "CN=Test-Application-Hadoop-Admin,OU=Application,OU=Groups,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz":"admin","CN=Test-Application-Hadoop-Users,OU=Application,OU=Groups,DC=mytest,DC=mytest2,DC=mytrust,DC=co,DC=nz":"developer"
# general settings
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
# securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
securityManager.realms = $activeDirectoryRealm
shiro.loginUrl = /api/login
[roles]
admin = *
developer = *
[urls]
# authentication method and access control filters
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
# /** = anon
/** = authc