Nikolay created ZEPPELIN-4677:
---------------------------------

Summary: Zeppelin auth using Okta
Key: ZEPPELIN-4677
URL: https://issues.apache.org/jira/browse/ZEPPELIN-4677
Project: Zeppelin
Issue Type: Bug
Affects Versions: 0.8.2
Reporter: Nikolay

I'm trying to set up Zeppelin 0.8.2 authentication via Okta using Knox 1.3.0.

After Zeppelin started I got an error in the logs:

{code:java}
ERROR [2020-03-10 11:08:59,437] ({main} KnoxJwtRealm.java[onInit]:88) - PrincipalMappingException in onInit
org.apache.zeppelin.realm.jwt.PrincipalMappingException: Unable to load mappings from provided string: principal.mapping - no principal mapping will be provided.
    at org.apache.zeppelin.realm.jwt.SimplePrincipalMapper.parseMapping(SimplePrincipalMapper.java:73)
Caused by: java.lang.StringIndexOutOfBoundsException: String index out of range: -1
    at java.lang.String.substring(String.java:1967)
    at org.apache.zeppelin.realm.jwt.SimplePrincipalMapper.parseMapping(SimplePrincipalMapper.java:59)
{code}

The Knox redirect to Okta works well; after that Okta redirects me to the Zeppelin UI.

In the Zeppelin UI I see my login in the top right corner. I can import notebooks but I can't access any notebook.

Zeppelin logs:

{code:java}
INFO [2020-03-10 14:59:51,495] ({main} ZeppelinServer.java[main]:249) - Done, zeppelin server started
INFO [2020-03-10 15:02:18,317] ({qtp1728790703-19} Groups.java[refresh]:256) - clearing userToGroupsMap cache
INFO [2020-03-10 15:02:18,393] ({qtp1728790703-19} Groups.java[refresh]:256) - clearing userToGroupsMap cache
INFO [2020-03-10 15:02:19,318] ({qtp1728790703-17} NotebookServer.java[onOpen]:151) - New connection from 192.168.1.1 : 60894
INFO [2020-03-10 15:02:19,539] ({qtp1728790703-16} Groups.java[refresh]:256) - clearing userToGroupsMap cache
INFO [2020-03-10 15:02:19,547] ({qtp1728790703-16} Groups.java[refresh]:256) - clearing userToGroupsMap cache
INFO [2020-03-10 15:03:59,705] ({qtp1728790703-61} Groups.java[refresh]:256) - clearing userToGroupsMap cache
INFO [2020-03-10 15:03:59,738] ({qtp1728790703-61} Groups.java[refresh]:256) - clearing userToGroupsMap cache
{code}

The role list in the Zeppelin UI configuration menu is empty:

roles []

Is Zeppelin integration with Okta functional?

Zeppelin shiro.ini:

{code:java}
[main]
knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
knoxJwtRealm.providerUrl = https://zeppelin.domain.tld:8443/
knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
knoxJwtRealm.logoutAPI = true
knoxJwtRealm.redirectParam = originalUrl
knoxJwtRealm.cookieName = hadoop-jwt
knoxJwtRealm.publicKeyPath = /opt/knox/conf/knoxsso.pem
knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
knoxJwtRealm.principalMapping = principal.mapping
authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
/** = authc
{code}

My Knox sandbox.yml:

{code:java}
<?xml version="1.0"?>
<topology>
  <gateway>
    <provider>
      <role>webappsec</role>
      <name>WebAppSec</name>
      <enabled>true</enabled>
      <param>
        <name>cors.enabled</name>
        <value>true</value>
      </param>
    </provider>
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>https://zeppelin.domain.tld:8443/gateway/knoxsso/api/v1/websso</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>HadoopGroupProvider</name>
      <enabled>true</enabled>
      <param>
        <name>hadoop.security.group.mapping</name>
        <value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value>
      </param>
    </provider>
  </gateway>
  <service>
    <role>ZEPPELIN</role>
    <url>http://zeppelin.domain.tld:8080</url>
  </service>
  <service>
    <role>ZEPPELINUI</role>
    <url>http://zeppelin.domain.tld:8080</url>
  </service>
  <service>
    <role>ZEPPELINWS</role>
    <url>ws://zeppelin.domain.tld:8080/ws</url>
  </service>
</topology>
{code}

--
This message was sent by Atlassian Jira (v8.3.4#803005)