Zeppelin integrated with OpenLDAP: admin and user settings

I previously wrote an article on integrating FreeIPA; today I tried to integrate OpenLDAP and there were some problems, so the configuration process is recorded here.

Modify zeppelin-site.xml

<property>
  <name>zeppelin.anonymous.allowed</name>
  <value>false</value>
  <description>Anonymous user allowed by default</description>
</property>

Configure shiro.ini

[main]
ldapRealm=org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://172.16.7.20:389
ldapRealm.userDnTemplate=uid={0},ou=people,dc=haohaozhu,dc=hadoop
ldapRealm.pagingSize = 200
ldapRealm.authorizationEnabled=true
ldapRealm.searchBase= dc=haohaozhu,dc=hadoop
ldapRealm.userSearchBase = ou=people,dc=haohaozhu,dc=hadoop
ldapRealm.groupSearchBase = ou=group,dc=haohaozhu,dc=hadoop
ldapRealm.groupObjectClass= posixGroup
ldapRealm.userLowerCase = true
ldapRealm.userSearchScope = subtree;
ldapRealm.groupSearchScope = subtree;
ldapRealm.contextFactory.systemUsername= cn=root,dc=haohaozhu,dc=hadoop
ldapRealm.contextFactory.systemPassword= 123456
ldapRealm.groupSearchEnableMatchingRuleInChain = true
ldapRealm.rolesByGroup = zeppelinadmin: admin

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
cookie.httpOnly = true
sessionManager.sessionIdCookie = $cookie

securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
role1 = *
role2 = *
role3 = *
admin = *

[urls]
/api/version = anon
/api/interpreter/setting/restart/** = authc
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc

Note one parameter in particular: ldapRealm.rolesByGroup = zeppelinadmin: admin
Here zeppelinadmin is the LDAP group and admin is the Zeppelin administrator role, so every LDAP user in the zeppelinadmin group is a Zeppelin administrator. The LDIF for zeppelinadmin is:

dn: cn=zeppelinadmin,ou=group,dc=haohaozhu,dc=hadoop
objectClass: posixGroup
objectClass: top
cn: zeppelinadmin
gidNumber: 10099
memberUid: james

This group contains the user james, who is therefore the administrator. The LDIF for user james:

dn: uid=james,ou=people,dc=haohaozhu,dc=hadoop
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
cn: james
gidNumber: 10012
homeDirectory: /home/james
sn: james
uid: james
uidNumber: 72590
givenName: james
loginShell: /bin/bash
mail: [email protected]
userPassword:: e1NIQX1UWVkrRTVBQXVpRFFZaHdySzJHb25QRXJvL2c9

If only it were that simple. With the configuration above complete and Zeppelin started, user james cannot open the Interpreter page to create an interpreter, i.e. he has no admin rights. The log shows:

{"status":"OK","message":"","body":{"principal":"james","ticket":"34a77015-7898-4f83-8704-ccdc9df7fd00","roles":"[]"}}

The log shows that roles is empty: the LDAP group was not mapped to the Zeppelin role. Online information about this is extremely scarce, so I simply read the Zeppelin LDAP code and found the search filter Zeppelin uses when it pulls group information from LDAP:

(&(objectClass=posixGroup)(member:1.2.840.113556.1.4.1941:=uid=james))

Because the LDAP group stores the user's uid in memberUid, this filter retrieves no group entries and the group-to-role binding cannot be completed. The changes to org.apache.zeppelin.realm.LdapRealm are as follows:

First change:

// Replaces the stock format, which asserted an Active Directory
// matching-rule-in-chain (1.2.840.113556.1.4.1941) on the member attribute;
// now the second %s is the complete equality assertion built by the caller.
private static final String MATCHING_RULE_IN_CHAIN_FORMAT =
        "(&(objectClass=%s)(%s))";

Second change (inside the rolesFor method):

// userDn here is "uid=james" (see the filter in the log above), so the
// assertion becomes "memberUid=james", which matches the posixGroup entry.
searchResultEnum = ldapCtx.search(
        getGroupSearchBase(),
        String.format(
                MATCHING_RULE_IN_CHAIN_FORMAT, groupObjectClass, userDn.replace("uid", "memberUid")),
        searchControls);
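To see why the stock filter returns no groups against the posixGroup entry above while the patched one does, here is an added Python model of the lookup (not code from the post or from Zeppelin): it parses constructed copies of the two LDIF entries, evaluates both filters with a minimal RFC 4515 matcher in which the AD-only matching rule is unsupported, as in OpenLDAP, and maps matching groups through rolesByGroup.

```python
import re

# Constructed copies of the two LDIF entries shown in the post (relevant attributes only).
LDIF = """\
dn: cn=zeppelinadmin,ou=group,dc=haohaozhu,dc=hadoop
objectClass: posixGroup
cn: zeppelinadmin
memberUid: james

dn: uid=james,ou=people,dc=haohaozhu,dc=hadoop
objectClass: posixAccount
uid: james
"""
ROLES_BY_GROUP = {"zeppelinadmin": "admin"}  # ldapRealm.rolesByGroup = zeppelinadmin: admin
GROUP_OBJECT_CLASS = "posixGroup"             # ldapRealm.groupObjectClass = posixGroup

def parse_ldif(text):
    """Return a list of entries: lower-cased attribute name -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value)  # LDAP attribute names are case-insensitive
        entries.append(entry)
    return entries

def matches(entry, filt):
    """Evaluate an AND-of-equalities filter against one entry. An extensible match
    (attr:OID:=value) uses the AD-only rule, which OpenLDAP lacks, so it matches nothing."""
    for attr, rule, value in re.findall(r"\((\w+)(:[\d.]+:)?=([^()]*)\)", filt[2:-1]):
        if rule or value not in entry.get(attr.lower(), []):
            return False
    return True

def original_filter(user_dn):
    """Zeppelin's stock MATCHING_RULE_IN_CHAIN_FORMAT, exactly as seen in the log above."""
    return "(&(objectClass=%s)(member:1.2.840.113556.1.4.1941:=%s))" % (GROUP_OBJECT_CLASS, user_dn)

def patched_filter(user_dn):
    """The post's patch: "(&(objectClass=%s)(%s))" fed userDn.replace("uid", "memberUid")."""
    return "(&(objectClass=%s)(%s))" % (GROUP_OBJECT_CLASS, user_dn.replace("uid", "memberUid"))

def roles_for(user_dn, entries, build_filter):
    """Mimic LdapRealm.rolesFor: search the groups, then map each matching group cn to a role."""
    filt = build_filter(user_dn)
    return {ROLES_BY_GROUP[cn] for g in entries if matches(g, filt)
            for cn in g.get("cn", []) if cn in ROLES_BY_GROUP}
```

Note that replace() rewrites the whole string, so the patch only works because the member value Zeppelin substitutes is the short form uid=james; a full DN would produce memberUid=james,ou=people,... and match nothing.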

Repackaging:

 mvn clean package -pl zeppelin-server -DskipTests
 cp zeppelin-server/target/zeppelin-server-0.8.1.jar  $ZEPPELIN_HOME/lib/

Restart:

./bin/zeppelin-daemon.sh restart

User james can now open the Interpreter page and create interpreters.

end


Origin blog.csdn.net/woloqun/article/details/100561594