I wrote an article earlier on integrating Zeppelin with FreeIPA; today I tried integrating it with OpenLDAP, ran into a few problems, and am recording the configuration process here.
Modify zeppelin-site.xml
<property>
  <name>zeppelin.anonymous.allowed</name>
  <value>false</value>
  <description>Anonymous user allowed by default</description>
</property>
Configure shiro.ini
[main]
ldapRealm=org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://172.16.7.20:389
ldapRealm.userDnTemplate=uid={0},ou=people,dc=haohaozhu,dc=hadoop
ldapRealm.pagingSize = 200
ldapRealm.authorizationEnabled=true
ldapRealm.searchBase= dc=haohaozhu,dc=hadoop
ldapRealm.userSearchBase = ou=people,dc=haohaozhu,dc=hadoop
ldapRealm.groupSearchBase = ou=group,dc=haohaozhu,dc=hadoop
ldapRealm.groupObjectClass= posixGroup
ldapRealm.userLowerCase = true
ldapRealm.userSearchScope = subtree;
ldapRealm.groupSearchScope = subtree;
ldapRealm.contextFactory.systemUsername= cn=root,dc=haohaozhu,dc=hadoop
ldapRealm.contextFactory.systemPassword= 123456
ldapRealm.groupSearchEnableMatchingRuleInChain = true
ldapRealm.rolesByGroup = zeppelinadmin: admin
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
cookie.httpOnly = true
sessionManager.sessionIdCookie = $cookie
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[roles]
role1 = *
role2 = *
role3 = *
admin = *
[urls]
/api/version = anon
/api/interpreter/setting/restart/** = authc
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc
Pay particular attention to one parameter here: ldapRealm.rolesByGroup = zeppelinadmin: admin
zeppelinadmin is a group in LDAP and admin is the administrator role in Zeppelin; the setting means that every LDAP user in the zeppelinadmin group is a Zeppelin administrator. The LDIF of zeppelinadmin is as follows:
dn: cn=zeppelinadmin,ou=group,dc=haohaozhu,dc=hadoop
objectClass: posixGroup
objectClass: top
cn: zeppelinadmin
gidNumber: 10099
memberUid: james
As you can see, this group contains the user james, who is therefore the administrator. The LDIF of the user james:
dn: uid=james,ou=people,dc=haohaozhu,dc=hadoop
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
cn: james
gidNumber: 10012
homeDirectory: /home/james
sn: james
uid: james
uidNumber: 72590
givenName: james
loginShell: /bin/bash
mail: [email protected]
userPassword:: e1NIQX1UWVkrRTVBQXVpRFFZaHdySzJHb25QRXJvL2c9
If only it were that simple. After configuring as above and starting Zeppelin, the james user could not open the Create Interpreter page, meaning it did not have admin rights. Looking at the log:
{"status":"OK","message":"","body":{"principal":"james","ticket":"34a77015-7898-4f83-8704-ccdc9df7fd00","roles":"[]"}}
The log shows that roles is empty: the LDAP group and the Zeppelin role were not mapped. There is very little material on this online, so I read the Zeppelin LDAP code and found that the search filter Zeppelin uses to pull group information from LDAP is:
(&(objectClass=posixGroup)(member:1.2.840.113556.1.4.1941:=uid=james))
Because the LDAP group stores the user's uid in memberUid, this filter cannot find the group, so the group-to-role binding never happens. The changes to org.apache.zeppelin.realm.LdapRealm are as follows:
First change:
// Only an objectClass term and a single member term; the matching-rule-in-chain OID is dropped
private static final String MATCHING_RULE_IN_CHAIN_FORMAT =
    "(&(objectClass=%s)(%s))";
Second change (inside the rolesFor method):
// Search the group base for groups whose memberUid equals the user's uid;
// userDn is built from the member attribute template (uid=james in the log above),
// so the replace turns it into memberUid=james
searchResultEnum = ldapCtx.search(
    getGroupSearchBase(),
    String.format(
        MATCHING_RULE_IN_CHAIN_FORMAT, groupObjectClass, userDn.replace("uid", "memberUid")),
    searchControls);
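As an added example (not Zeppelin's code and not from the original post), the following Python script replays the group lookup that LdapRealm.rolesFor performs, using the two LDIF entries shown above as an in-memory directory. It builds both the stock filter (the `member:1.2.840.113556.1.4.1941:=` form, which is the Active Directory LDAP_MATCHING_RULE_IN_CHAIN extensible match that OpenLDAP does not implement) and the patched `memberUid` filter, evaluates each against the entries, and applies the rolesByGroup mapping. The function names (`parse_ldif`, `build_filter`, `roles_for`) and the tiny filter evaluator are mine; the filter strings, DNs and role mapping are the ones from the post.

```python
# Added example: simulate LdapRealm's group-to-role lookup over the post's LDIF.
# Function names are hypothetical; only the LDIF, filters and mapping come from the post.
import re

# Constructed from the post's LDIF: the zeppelinadmin group and the james user.
LDIF = """\
dn: cn=zeppelinadmin,ou=group,dc=haohaozhu,dc=hadoop
objectClass: posixGroup
objectClass: top
cn: zeppelinadmin
gidNumber: 10099
memberUid: james

dn: uid=james,ou=people,dc=haohaozhu,dc=hadoop
objectClass: inetOrgPerson
objectClass: posixAccount
cn: james
uid: james
"""

# Same shape as the shiro.ini setting: ldapRealm.rolesByGroup = zeppelinadmin: admin
ROLES_BY_GROUP = {"zeppelinadmin": "admin"}

# Zeppelin's stock format (AD matching-rule-in-chain on `member`) versus the post's patched format.
STOCK_FORMAT = "(&(objectClass=%s)(%s:%s:=%s))"
PATCHED_FORMAT = "(&(objectClass=%s)(%s))"
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts with case-folded attribute names."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def matches(entry, filt):
    """Evaluate an AND filter of simple equality terms, (&(a=v)(b=v)), against one entry.

    An extensible-match term (attr:OID:=value) is treated as never matching: OpenLDAP
    does not implement the AD LDAP_MATCHING_RULE_IN_CHAIN rule, and a posixGroup has
    no `member` attribute for it to walk in any case.
    """
    for term in re.findall(r"\(([^()]+)\)", filt):
        if ":=" in term:
            return False
        attr, _, value = term.partition("=")
        if value.lower() not in (v.lower() for v in entry.get(attr.lower(), [])):
            return False
    return True


def build_filter(group_object_class, user_dn, patched):
    """Build the group search filter the way rolesFor does, before and after the post's patch.

    user_dn is the value Zeppelin derives from its member attribute template; the
    post's log shows it is `uid=james` here. The patch rewrites the attribute name
    with a plain string replace, exactly as in the Java change above.
    """
    if patched:
        return PATCHED_FORMAT % (group_object_class, user_dn.replace("uid", "memberUid"))
    return STOCK_FORMAT % (group_object_class, "member", MATCHING_RULE_IN_CHAIN, user_dn)


def roles_for(user_dn, entries, patched):
    """Return (filter, roles): groups matching the filter, mapped through rolesByGroup."""
    filt = build_filter("posixGroup", user_dn, patched)
    groups = [e["cn"][0] for e in entries if matches(e, filt)]
    return filt, sorted({ROLES_BY_GROUP[g] for g in groups if g in ROLES_BY_GROUP})


if __name__ == "__main__":
    directory = parse_ldif(LDIF)
    for patched in (False, True):
        filt, roles = roles_for("uid=james", directory, patched)
        print(f"{'patched' if patched else 'stock':8}: {filt} -> roles={roles}")
```

Running it prints an empty role list for the stock filter and `['admin']` for the patched one. One caveat the script also makes visible: the patch's `replace("uid", "memberUid")` operates on the whole string, so it only yields a usable `memberUid=james` term when the member attribute template produces a bare `uid={0}` value; if the template produced a full DN such as `uid=james,ou=people,dc=haohaozhu,dc=hadoop`, the filter would become `(memberUid=james,ou=people,...)` and match nothing.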
Rebuild the package:
mvn clean package -pl zeppelin-server -DskipTests
cp zeppelin-server/target/zeppelin-server-0.8.1.jar $ZEPPELIN_HOME/lib/
Restart:
./bin/zeppelin-daemon.sh restart
The james user can now open the Interpreter creation page.
end