Can't access Interpreter settings in Zeppelin - shiro

I'm using Zeppelin in my Hortonworks Data Platform 2.5 cluster.
Since I set zeppelin.anonymous.allowed=false I'm not able to enter my interpreter settings anymore - The interpreter screen is empty, see this screenshot:
My shiro_ini_content contains the following [users], [roles] and [urls] settings:
[users]
admin = passw0rd, administrator
[main]
shiro.loginUrl = /api/login
[roles]
administrator = *
[urls]
/api/version = anon
#/** = anon
/** = authc
/api/interpreter/** = authc, roles[administrator]
/api/configurations/** = authc, roles[administrator]
/api/credential/** = authc, roles[administrator]
I made the settings based on the following manual: https://shiro.apache.org/configuration.html#Configuration-%5Croles%5C
Why am I still unable to access the Interpreter settings?

It need also sessionManager settings in your [main] section like below.
[main]
shiro.loginUrl = /api/login
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
Could you try?

Related

Latest shiro release broke my webapp [ shiro-all-1.5.1.jar ]

I upgraded my webapp with the latest shiro release 1.5.1 and suddenly it doesn't work anymore. Here the log error:
GRAVE: Shiro environment initialization failed
java.lang.NoClassDefFoundError: org/apache/shiro/cache/CacheManagerAware
and here's my shiro.ini that seems to be the culprit:
[main]
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
ds = com.mysql.cj.jdbc.MysqlDataSource
ps = org.apache.shiro.authc.credential.DefaultPasswordService
pm = org.apache.shiro.authc.credential.PasswordMatcher
jdbcRealmCredentialsMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
ds.serverName = localhost
ds.serverTimezone=Europe/Berlin
ds.databaseName = ******
ds.user = *******
ds.password = ********
jdbcRealm.credentialsMatcher = $jdbcRealmCredentialsMatcher
jdbcRealm.dataSource = $ds
pm.passwordService = $ps
jdbcRealm.credentialsMatcher = $pm
shiro.loginUrl = /login.jsp
shiro.postOnlyLogout = true
securityManager.realms = $jdbcRealm
securityManager.rememberMeManager.cipherKey = kPH+bIxk5D2deZiIxcaaaA==
When I go back to the shiro-all-1.4.2.jar version everything is working fine again.
I have even tried to add these 2 lines to my shiro.ini main section but they didn't fix the problem
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
I can confirm the issue, this should be fixed in the next release.
https://issues.apache.org/jira/browse/SHIRO-749
In addition, the "all" module will likely be deprecated in the future, I'd strongly advise against using them but instead using just the modules you need (for example maybe you just need shiro-web.
The temporary fix is:
a.) also add a dependency to shiro-cache
b.) remove the usage of shiro-all by using the module you need (shiro-web, shiro-guice, etc)
Either way, thanks for the report, we well get this fixed soon!

Using Shiro RolesAuthorizationFilter in shiro.ini

I have been using JdbcRealm for shiro authentication and authorization, which has been working perfectly. My shiro.ini looks like this:
[main]
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
logout = org.apache.shiro.web.filter.authc.LogoutFilter
authc.loginUrl = /login.xhtml
authc.successUrl = /index.xhtml
logout.redirectUrl = /login.xhtml
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.authenticationQuery = select password from useraccount where active = true and username LIKE ?
jdbcRealm.userRolesQuery = select rolename from role where id in(select roleid from userrole where useraccountid = (select id from useraccount where username LIKE ?) and active = true) and active = true
ds = org.postgresql.jdbc2.optional.SimpleDataSource
ds.serverName = dbhost:5432
ds.user = db_user
ds.password = db_pass
ds.databaseName = db_name
jdbcRealm.dataSource = $ds
#.
#.
#.
jdbcRealm.credentialsMatcher = $passwordMatcher
[users]
[urls]
#.
#.
#.
/admin** = authc, roles[Admin]
/activity.xhtml = authc
/item.xhtml = authc, roles[Branch]
/unauthorized.xhtml = authc
When a user role say 'Branch' tries to access a url that is meant for 'Admin', user is safely redirected to '/unauthorized.xhtml'
Things changed however, when I decided to move authentication to Active Directory; shiro.ini looks like this:
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.userRolesQuery = select rolename from role where id in(select roleid from userrole where useraccountid = (select id from useraccount where username LIKE ?) and active = true) and active = true
jdbcRealm.dataSource = $ds
ADRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
ADRealm.url = ldap://xxx.xxx.xxx.xxx:389
ADRealm.searchBase = "OU=Company Name,DC=domain,DC=local"
ADRealm.systemUsername= myuser
ADRealm.systemPassword= mypass
ADRealm.principalSuffix= #domain.local
securityManager.realms = $jdbcRealm,$ADRealm
Authentication happens okay, but trying to access the 'unauthorized url', breaks with the error:
[org.apache.shiro.authz.AuthorizationException: LDAP naming error while attempting to retrieve authorization for user [myusername]
How can I make authorization safely redirect to unauthorized url as before, without it breaking? I've even tried this:
authz = org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
authz.unauthorizedUrl = /unauthorized.xhtml
But without success.
Edit
Inshort, how can we configure shiro.ini to return http response 401/3 - (Unauthorized/forbidden) for necessary cases?
It looks like your /unauthorized.xhtml = authc config would block this if you are trying to reuse your 403 page for 401s.
You could probably use: /unauthorized.xhtml = anon (assuming this page didn't need your user context)

Apache Shiro: RememberMe feature doesn't work with default password service

I am developing a jsf-based project using Apache Shiro 1.2 for security. I have a problem with 'remember me' feature.
[main]
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.authenticationQuery = SELECT password from user where username = ?
jdbcRealm.userRolesQuery = select role from userroles where userID = (select id FROM user WHERE username = ?)
ds = com.mysql.jdbc.jdbc2.optional.MysqlDataSource
ds.serverName = localhost
ds.user = root
ds.password = 12345
ds.databaseName = testdb
jdbcRealm.dataSource= $ds
authc.loginUrl = /index.xhtml
user.loginUrl = /index.xhtml
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
jdbcRealm.credentialsMatcher = $passwordMatcher
#or this configuration
#passwordMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
#credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
#credentialsMatcher.hashAlgorithmName = SHA-256
#credentialsMatcher.storedCredentialsHexEncoded = true
#credentialsMatcher.hashIterations = 5000
Java class
PasswordService passwordService = new DefaultPasswordService();
String encryptedPassword = passwordService.encryptPassword(password);
Subject currentUser = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username, encryptedPassword);
token.setRememberMe(rememberMe);
What could be the problem be?
You will need to configure a default session manager to hold the session that you are remembering.
[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

Kerberos: kadmin not working properly

I have some trouble in getting my kadmin to work. Everything is fine in kadmin.local, but whenever I use kadmin, it seems it is using the kadm5.acl file, but isn't.
I have in this file:
$ cat /var/kerberos/krb5kdc/kadm5.acl
*/admin#HADOOP.COM *
kadmin can connect to the kdc server correctly, and dns lookup and reverse dns is working also.
My krb5.conf is like this:
$ cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
HADOOP.COM = {
admin_keytab = FILE: /var/kerberos/krb5kdc/kadm5.keytab
kadmind_port = 749
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
database_name = /var/kerberos/krb5kdc/principal
acl_file = /var/kerberos/krb5kdc/kadm5.acl
#key_stash_file = /var/kerberos/krb5kdc/.k5.HADOOP.COM
}
and $ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
HADOOP.COM = {
kdc = evl2400469.eu.verio.net:88
admin_server = evl2400469.eu.verio.net:749
default_domain = hadoop.com
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
So when I try to perform an operation such as add a principal, or get the list of principals I get :
kadmin: listprincs
get_principals: Operation requires ``list'' privilege while retrieving list.
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
I really don't know where is the problem in my configuration.
I even tried to get a ticket before using kadmin console:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0 Default principal:
kadmin/admin#HADOOP.COM
Valid starting Expires Service principal 05/21/14
10:13:34 05/21/14 13:13:34 krbtgt/HADOOP.COM#HADOOP.COM
renew until 05/22/14 10:13:34
Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached
Thanks a lot for your help on that :)
Try editing /var/kerberos/krb5kdc/kadm5.acl with
*/admin#HADOOP.COM *
The kadmind daemon needs to be restarted in order for changes in the ACL file to become active:
service kadmind restart

krb5.conf syntax error, issue with setting up the basic file

I'm trying to get the kb5 file to run so that I can setup AD login for my box. when I run a kinit command I get an error stating that
"Improper format of Kerberos configuraiton file while initilizing Kerberos 5 library"
I'm relatively new to setting up AD on a Linux box, thus I'm unsure about the proper syntax for this configuration file
anything with a * is the local domain that I've just commented out. so it's BOXNAME.SOMETHING.LOCAL
BOXNAME is just the name of the box in the configuration file.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_relam = BOXNAME.*****
[realms]
nwcvco01.***** {
kdc = [IPADDRESS]
default_domain = BOXNAME.*****
}
[domain_realm]
.***** = BOXNAME.*****
***** = BOXNAME.*****
default_realm
is spelled incorrectly as
default_relam
Kerberos is not very tolerant of errors in krb5.conf.