Nicholas Hughes created AMBARI-22538:
----------------------------------------
Summary: API doesn't seem to handle shiro_ini_content properly
Key: AMBARI-22538
URL: https://issues.apache.org/jira/browse/AMBARI-22538
Project: Ambari
Issue Type: Bug
Components: ambari-server, blueprints
Affects Versions: 2.6.0
Environment: CentOS 7.4
ambari-server 2.6.0.0-267
Zeppelin Notebook 0.7.3
Reporter: Nicholas Hughes
I'm trying to pass a shiro.ini file via the API (both blueprint and single
config setting) to the shiro_ini_content key of the zeppelin-shiro-ini
configuration.
When the file is passed in, the newline characters (\n) are expressed literally
instead of being converted to actual new lines.
The easiest way to test on an existing cluster is with the configs.py script.
{code}
[root@localhost ~]# /var/lib/ambari-server/resources/scripts/configs.py -a get
-l localhost -n mycluster -c zeppelin-shiro-ini -u admin -p admin
{
"properties": {
"shiro_ini_content": "\n[users]\n# List of users with their password
allowed to access Zeppelin.\n# To use a different strategy (LDAP / Database /
...) check the shiro doc at
http://shiro.apache.org/configuration.html#Configuration-INISections\nadmin =
admin, admin\nuser1 = user1, role1, role2\nuser2 = user2, role3\nuser3 = user3,
role2\n\n# Sample LDAP configuration, for user Authentication, currently tested
for single Realm\n[main]\n### A sample for configuring Active Directory
Realm\n#activeDirectoryRealm =
org.apache.zeppelin.realm.ActiveDirectoryGroupRealm\n#activeDirectoryRealm.systemUsername
= userNameA\n\n#use either systemPassword or hadoopSecurityCredentialPath,
more details in
http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html\n#activeDirectoryRealm.systemPassword
= passwordA\n#activeDirectoryRealm.hadoopSecurityCredentialPath =
jceks://file/user/zeppelin/zeppelin.jceks\n#activeDirectoryRealm.searchBase =
CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM\n#activeDirectoryRealm.url =
ldap://ldap.test.com:389\n#activeDirectoryRealm.groupRolesMap =
\"CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM\":\"admin\",\"CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM\":\"finance\",\"CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM\":\"hr\"\n#activeDirectoryRealm.authorizationCachingEnabled
= false\n\n### A sample for configuring LDAP Directory Realm\n#ldapRealm =
org.apache.zeppelin.realm.LdapGroupRealm\n## search base for ldap groups (only
relevant for
LdapGroupRealm):\n#ldapRealm.contextFactory.environment[ldap.searchBase] =
dc=COMPANY,dc=COM\n#ldapRealm.contextFactory.url =
ldap://ldap.test.com:389\n#ldapRealm.userDnTemplate =
uid={0},ou=Users,dc=COMPANY,dc=COM\n#ldapRealm.contextFactory.authenticationMechanism
= SIMPLE\n\n### A sample PAM
configuration\n#pamRealm=org.apache.zeppelin.realm.PamRealm\n#pamRealm.service=sshd\n\n\nsessionManager
= org.apache.shiro.web.session.mgt.DefaultWebSessionManager\n### If caching of
user is required then uncomment below lines\ncacheManager =
org.apache.shiro.cache.MemoryConstrainedCacheManager\nsecurityManager.cacheManager
= $cacheManager\n\ncookie =
org.apache.shiro.web.servlet.SimpleCookie\ncookie.name = JSESSIONID\n#Uncomment
the line below when running Zeppelin-Server in HTTPS mode\n#cookie.secure =
true\ncookie.httpOnly = true\nsessionManager.sessionIdCookie =
$cookie\n\nsecurityManager.sessionManager = $sessionManager\n# 86,400,000
milliseconds = 24 hour\nsecurityManager.sessionManager.globalSessionTimeout =
86400000\nshiro.loginUrl = /api/login\n\n[roles]\nrole1 = *\nrole2 = *\nrole3 =
*\nadmin = *\n\n[urls]\n# This section is used for url-based security.\n# You
can secure interpreter, configuration and credential information by urls.
Comment or uncomment the below urls that you want to hide.\n# anon means the
access is anonymous.\n# authc means Form based Auth Security\n# To enfore
security, comment the line below and uncomment the next one\n/api/version =
anon\n#/api/interpreter/** = authc, roles[admin]\n#/api/configurations/** =
authc, roles[admin]\n#/api/credential/** = authc, roles[admin]\n#/** =
anon\n/** = authc"
}
}
{code}
Taking the value shown above and passing it right back to the API results in a
configuration file expressed as a single line instead of multiple lines as
intended.
{code}
[root@nh-ambari ~]# /var/lib/ambari-server/resources/scripts/configs.py -a set
-l localhost -n mycluster -c zeppelin-shiro-ini -u admin -p admin -k
shiro_ini_content -v '\n[users]\n# List of users with their password allowed to
access Zeppelin.\n# To use a different strategy (LDAP / Database / ...) check
the shiro doc at
http://shiro.apache.org/configuration.html#Configuration-INISections\nadmin =
admin, admin\nuser1 = user1, role1, role2\nuser2 = user2, role3\nuser3 = user3,
role2\n\n# Sample LDAP configuration, for user Authentication, currently tested
for single Realm\n[main]\n### A sample for configuring Active Directory
Realm\n#activeDirectoryRealm =
org.apache.zeppelin.realm.ActiveDirectoryGroupRealm\n#activeDirectoryRealm.systemUsername
= userNameA\n\n#use either systemPassword or hadoopSecurityCredentialPath,
more details in
http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html\n#activeDirectoryRealm.systemPassword
= passwordA\n#activeDirectoryRealm.hadoopSecurityCredentialPath =
jceks://file/user/zeppelin/zeppelin.jceks\n#activeDirectoryRealm.searchBase =
CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM\n#activeDirectoryRealm.url =
ldap://ldap.test.com:389\n#activeDirectoryRealm.groupRolesMap =
\"CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM\":\"admin\",\"CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM\":\"finance\",\"CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM\":\"hr\"\n#activeDirectoryRealm.authorizationCachingEnabled
= false\n\n### A sample for configuring LDAP Directory Realm\n#ldapRealm =
org.apache.zeppelin.realm.LdapGroupRealm\n## search base for ldap groups (only
relevant for
LdapGroupRealm):\n#ldapRealm.contextFactory.environment[ldap.searchBase] =
dc=COMPANY,dc=COM\n#ldapRealm.contextFactory.url =
ldap://ldap.test.com:389\n#ldapRealm.userDnTemplate =
uid={0},ou=Users,dc=COMPANY,dc=COM\n#ldapRealm.contextFactory.authenticationMechanism
= SIMPLE\n\n### A sample PAM
configuration\n#pamRealm=org.apache.zeppelin.realm.PamRealm\n#pamRealm.service=sshd\n\n\nsessionManager
= org.apache.shiro.web.session.mgt.DefaultWebSessionManager\n### If caching of
user is required then uncomment below lines\ncacheManager =
org.apache.shiro.cache.MemoryConstrainedCacheManager\nsecurityManager.cacheManager
= $cacheManager\n\ncookie =
org.apache.shiro.web.servlet.SimpleCookie\ncookie.name = JSESSIONID\n#Uncomment
the line below when running Zeppelin-Server in HTTPS mode\n#cookie.secure =
true\ncookie.httpOnly = true\nsessionManager.sessionIdCookie =
$cookie\n\nsecurityManager.sessionManager = $sessionManager\n# 86,400,000
milliseconds = 24 hour\nsecurityManager.sessionManager.globalSessionTimeout =
86400000\nshiro.loginUrl = /api/login\n\n[roles]\nrole1 = *\nrole2 = *\nrole3 =
*\nadmin = *\n\n[urls]\n# This section is used for url-based security.\n# You
can secure interpreter, configuration and credential information by urls.
Comment or uncomment the below urls that you want to hide.\n# anon means the
access is anonymous.\n# authc means Form based Auth Security\n# To enfore
security, comment the line below and uncomment the next one\n/api/version =
anon\n#/api/interpreter/** = authc, roles[admin]\n#/api/configurations/** =
authc, roles[admin]\n#/api/credential/** = authc, roles[admin]\n#/** =
anon\n/** = authc'
{code}
Check the shiro_ini_content value in Ambari, and you see the file represented
as a single line. Restarting the Zeppelin service now fails due to an
improperly formatted config file.
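A pre-flight check for the failure described above, as an added example that is not part of the original report or of Ambari's code. It assumes the client JSON-encodes the `-v` argument unchanged; the helper names and the shortened sample value are constructed for illustration.

```python
import json

# Constructed sample: a short shiro.ini fragment in the JSON-escaped form that
# a GET prints, i.e. backslash + 'n' where the real file has line breaks.
ESCAPED_SAMPLE = r'\n[users]\nadmin = admin, admin\n\n[urls]\n/api/version = anon\n/** = authc'


def looks_collapsed(value):
    """True when the value has literal backslash-n pairs but no real line breaks."""
    return '\\n' in value and '\n' not in value


def ini_sections(text):
    """Section headers an INI reader would see: '[name]' alone on a line."""
    stripped = (ln.strip() for ln in text.splitlines())
    return [ln for ln in stripped if ln.startswith('[') and ln.endswith(']')]


def decode_escaped(value):
    """Resolve JSON escapes (\\n, \\", \\\\) copied from GET output into real characters."""
    # strict=False tolerates real control characters already present in the text.
    return json.loads('"' + value + '"', strict=False)


def wire_form(value):
    """Request body a client sends if it encodes the value unchanged (assumption)."""
    return json.dumps({"properties": {"shiro_ini_content": value}})


if __name__ == "__main__":
    fixed = decode_escaped(ESCAPED_SAMPLE)
    for label, candidate in (("as pasted", ESCAPED_SAMPLE), ("decoded", fixed)):
        print(label, "| collapsed:", looks_collapsed(candidate),
              "| sections:", ini_sections(candidate))
        print("  on the wire:", wire_form(candidate)[:60], "...")
```

Running `looks_collapsed` and `ini_sections` on a value before submitting it shows whether the stored file will still have its `[users]`, `[main]`, `[roles]` and `[urls]` sections on separate lines.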