Raghavender Rao Guruvannagari created ZEPPELIN-3405:
-------------------------------------------------------
Summary: Zeppelin fails to display the User home page if user
belongs to roles with space in its name.
Key: ZEPPELIN-3405
URL: https://issues.apache.org/jira/browse/ZEPPELIN-3405
Project: Zeppelin
Issue Type: Bug
Components: zeppelin-server
Affects Versions: 0.7.3
Reporter: Raghavender Rao Guruvannagari
If a user belongs to a role which has a space in its name, Zeppelin does not
display the user home page correctly and does not allow the user to create any
new notebooks. This issue can be recreated in a lab with HDP2.6.3.
The Zeppelin log shows the error below when the user logs in to the Zeppelin UI.
{code:java}
WARN [2018-01-07 00:16:53,121] ({qtp331844619-121}
LoginRestApi.java[postLogin]:119) -
{"status":"OK","message":"","body":{"principal":"sinnajus1","ticket":"c7de5bad-d848-49b6-a7b7-cd7759e597f5","roles":"[NCSQL16_Databaseaccess_Prod_sv_Hmc_RW_OS,
NCSQL31_DBO_ONSHORE, NCSQL23-sql_CA_All_Onshore_DBO,
sql10_DatabaseAccess_UAT_HMCproguide_DBO,
NCSQL16_Databaseaccess_Prod_sv_Hmc_DBO_OS, FolderClaimRetrieval,
FolderAccess_File02_Shared_Nemesis, RDDevITOfficeUsers, Duo 2FA Enabled,
VisualSVNSQLRepositoryReadWrite, NCSQL18_DBA_SERVER_ADMIN,
NCSQ23_sql_CA_offshoreonlyDB_RW, Citrix_Profile_Management,
Folderaccess_NCFILE05_SAS_Analytics,
VisualSVNDataManagementRepositoryReadWrite, Folderaccess_NCSAS01_Eden_Full,
FolderQueryDevelopment, Webstrat01-QueryUsers,
ShareAccess_File01_Ancillary_Audits, PI_EDW_Onshore,
NCinfobright01_Edrive_ETLDevshared_Modify, SCIOMine_ExtHumana_Database_Onshore,
NCSQL16_DBA_SERVER_ADMIN, FolderSASDBShared01, Azure_SV_RDP_Access,
NCSQL22_DBA_SERVER_ADMIN, sciomineonshoreadmins, FolderMySocratesDocuments,
scioSQL02DevAdmins, NCSQL23_sql_CA_offshoreonlyDB_DBO,
App_ExtHumana_ScioWorkflow, NCSQL17_SQLExtHumanaPowerUsers,
AppAccess_Hadoop_sas_admin_Onshore, FolderAccessSCIOITDevShared,
NCSQL22_RDP_ADMIN, App_Catamaran_SCIOMINE, EtLusersSql10_Sciosql02,
NCFILE03_RDP_OFFSHORE_NONADMIN, ShareAccess_File02_Shared_Nemesis,
sciovantage_sql10sciosql02_DBO, SV_SQL_DBO_Onshore,
App_ExtHumana_ScioSelection, SCIOMine_ExtHumana_Support_Onshore,
sql10_databaseaccess_hmcreporting_RW, NCSQL18_SQLExtHumanaPowerUsers,
NCFILE02_RDP_ADMIN, NCSQL16_Databaseaccess_CA_DEMO_RW_OS, NCSQL17_RDP_ADMIN,
NullDefaultGroupForClients, NCSQL16_HMC_BENCHMARK_OFFSHORE_RW,
FolderAccess_sciowebsvn01_Tableau_Onshore, App_Catamaran_SELECTION,
NCFILE03_RPD_ADMIN, SCIOMine_Demo_Users, NCSQL17_DBA_SERVER_ADMIN,
SCIOMine_Support_Onshore, NCSQL30_DBO_Onshore, App_PPExtractUtility,
FolderAccess_SAS_Care_Analytics_Consulting_Onshore, NCSQL18_RDP_ADMIN,
DBO_OffShoreSCIOMine, SQLITAdmins, sql10_ssrs,
NCSQL16_sqlaccess_honeywell_Offshore_RW, AppAssistedSelection,
ApplicationAccess_Mremote, HighMarkPPOnshore, CitrixAccess_VdeskSAS1_Users,
ncsql23_sql_appuser, App_Catamaran_CONFIG, ApplicationAccess_MS_VisualStudio,
admin, SCIOWEBDEV01_RDPaccess_Administrator_offshore,
Folderaccess_NCSAS01_LocktonOutput_RW, Wintest01-Admin, SCIOMineExtITAdmin,
NCSQL16_HMC_BENCHMARK_OFFSHORE_DBO, ShareAccess_SAS01_E_CARE_ANALYTICS,
CitrixAccess_VdeskDevUS_Users, sql10_Databaseaccess_UAT_hmcproguide_RW,
SAS_Users, SCIOMine_Database_Onshore, FolderAccess_NCFile05_SCIOMINEDevCN,
WEB03_RDPaccess_User_onshore, Opserver_Admin, LinuxAccess_Hadoop_SSH,
FolderAccess_NCFile05_SCIOBI_Onshore_RW,
FolderAccess_NCFile05_SCIOBI_Offshore_RW, FolderAccess_SAS_Prod_Onshore_Full,
CitrixAccess_VDIDEVUS_Users, WebSandbox01Admins,
NCinfobright01_Edrive_ETLprodshared_Modify,
Folder_Access_File01_Ancillary_Audits, NCSQL16_Databaseaccess_CA_DEMO_DBO_OS,
PI_EDW_Offshore, Websandbox01_RDP_Access_User]"}}
ERROR [2018-01-07 00:16:53,173] ({qtp331844619-119}
NotebookServer.java[onMessage]:358) - Can't handle message
com.google.gson.JsonSyntaxException:
com.google.gson.stream.MalformedJsonException: Unterminated array at line 1
column 265
at com.google.gson.Gson.fromJson(Gson.java:805)
at com.google.gson.Gson.fromJson(Gson.java:757)
at com.google.gson.Gson.fromJson(Gson.java:706)
{code}
From HDP2.6.3, it looks like all the AD groups the user belongs to are mapped
as roles to the user with the same name.
In this case the user belongs to a group "Duo 2FA Enabled", which has a space
in its name, and mapping the user to the role with the same name results in
"com.google.gson.stream.MalformedJsonException".
This can also be recreated if a role name with a space is defined in shiro.ini.
*Workaround*
The current workaround is to prevent Zeppelin from mapping the user to AD
groups with the same role names by defining the mapping in shiro.ini as below.
{code:java}
ldapRealm.rolesByGroup = "hadoop_admin":admin,"Remote hadoop users":remote_hadoop_users
{code}
Or change the AD group names to have no spaces or any special characters.
This workaround might not be feasible in many customer environments if there
are multiple groups that are required to be defined in shiro.ini.
This issue can happen with any group name that contains special characters
other than a space as well.
This issue occurs only if "org.apache.zeppelin.realm.LdapRealm" is used for
LDAP authentication; the realm
"org.apache.zeppelin.realm.ActiveDirectoryGroupRealm" doesn't have this issue.
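A minimal reproduction of the parsing failure reported above, added here as an illustration and not taken from the Zeppelin code base. It assumes that the `roles` value reaches Gson in the bracketed, comma-separated form shown in the log (the form Java's `Collection.toString()` produces) and is parsed into a set of strings; the class name `RoleRoundTrip` and the helper `parseRoles` are hypothetical, and Gson must be on the classpath.

```java
import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import com.google.gson.reflect.TypeToken;

import java.lang.reflect.Type;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

public class RoleRoundTrip {
    private static final Gson GSON = new Gson();
    private static final Type SET_OF_STRING = new TypeToken<Set<String>>() {}.getType();

    // Hypothetical helper: returns the parsed role set, or null when Gson rejects the text.
    static Set<String> parseRoles(String text) {
        try {
            return GSON.fromJson(text, SET_OF_STRING);
        } catch (JsonSyntaxException e) {
            System.out.println("  rejected: " + e.getMessage());
            return null;
        }
    }

    static void show(String label, String text) {
        System.out.println(label + ": " + text);
        System.out.println("  parsed: " + parseRoles(text));
    }

    public static void main(String[] args) {
        // Constructed sample: two role names that appear in the log in the report.
        Set<String> roles = new LinkedHashSet<>(Arrays.asList("admin", "Duo 2FA Enabled"));
        Set<String> noSpaces = new LinkedHashSet<>(Arrays.asList("admin", "SAS_Users"));

        // Collection.toString() is not JSON: the names are unquoted. Gson's default
        // lenient parsing tolerates unquoted names, which is why role names without
        // spaces go through and the problem stays hidden.
        show("toString, no spaces", noSpaces.toString());

        // An unquoted name ends at the first space, so the next token is neither
        // ',' nor ']' and Gson gives up on the array.
        show("toString, with space", roles.toString());

        // Serializing with Gson quotes and escapes every name, so spaces and other
        // special characters survive the round trip.
        show("toJson, with space", GSON.toJson(roles));
    }
}
```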