Configuring LDAP Authentication for Hue (Direct bind)


Hue authentication methods

The typical setup is:

(figure: Before.png)

With LDAP it becomes:

(figure: After (1).png)

Ways of authenticating against LDAP

Search bind

Hue runs an ldapsearch against the directory service to locate the user's entry, then binds with the distinguished name (DN) it found and the password the user supplied.

Direct bind

Hue binds to the LDAP server directly with the username and password supplied at login, without searching first. Two options control how Hue builds the name it binds with:

  • nt_domain - the domain component of an Active Directory User Principal Name (UPN). Hue appends it to the login name, so the bind name is usually the user's email address or userID@domain.

  • ldap_username_pattern - a template for the DN that is ultimately sent to the directory service during authentication; Hue substitutes the login name for <username> in the template.
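To make the direct-bind step concrete, here is an added example (not code from the original post or from Hue) of how an ldap_username_pattern template is expanded into the DN sent to the directory, with RFC 4514 escaping applied to the login name so that characters such as ',' or '=' in the input cannot change the structure of the DN, plus the input checks a direct-bind login should make before any bind is attempted. The function names, the nt_domain helper and the sample pattern and domain values are this example's own; whether Hue's backend applies the same escaping is not something this example asserts.

```python
# Added example (not code from the original post or from Hue): expansion of a
# direct-bind DN template with RFC 4514 escaping of the login name, and the
# input checks to make before a simple bind. Names and sample values are this
# example's own assumptions.

# Characters that must always be escaped inside a DN attribute value
# (RFC 4514 s.2.4); '=' is escaped here as well, which the RFC permits.
DN_SPECIAL = set('"+,;<>\\=')

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for inclusion in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                 # NUL is written in hex form
        elif ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")                  # a leading '#' would start a hex-encoded value
        elif ch == " " and i in (0, last):
            out.append("\\ ")                  # leading/trailing spaces are significant
        else:
            out.append(ch)
    return "".join(out)

def bind_dn_from_pattern(pattern: str, username: str) -> str:
    """Expand a pattern such as 'uid=<username>,ou=People,dc=cxy7,dc=com'."""
    if "<username>" not in pattern:
        raise ValueError("pattern has no <username> placeholder")
    return pattern.replace("<username>", escape_dn_value(username))

def bind_name_from_nt_domain(nt_domain: str, username: str) -> str:
    """UPN-style name (user@domain) that Active Directory accepts for a simple bind."""
    if "@" in username or "\\" in username:
        raise ValueError("username must not already carry a domain")
    return "%s@%s" % (username, nt_domain)

def check_login(username: str, password: str) -> None:
    """Reject input that would not produce a real authentication attempt.

    A simple bind with a DN and an empty password is an 'unauthenticated' bind
    (RFC 4513 s.5.1.2); servers that accept it, Active Directory among them,
    treat it as an anonymous session that still returns success, so a
    direct-bind login that forwarded the empty string would admit anyone.
    """
    if not username.strip():
        raise ValueError("empty username")
    if password == "":
        raise ValueError("empty password would become an unauthenticated bind")

if __name__ == "__main__":
    pattern = "uid=<username>,ou=People,dc=cxy7,dc=com"   # same shape as the hue.ini below
    for name in ("alice", "alice,ou=Admins", "#admin"):
        print(bind_dn_from_pattern(pattern, name))
```

Running the `__main__` block shows the second and third names coming out as `uid=alice\,ou\=Admins,...` and `uid=\#admin,...`: the injected RDN and the hex-value marker are neutralised instead of rewriting the DN that the directory receives.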


Configuring LDAP (Direct bind with username pattern: DN string)

Prerequisites

Install OpenLDAP

Edit hue.ini

[desktop]
 [[auth]]
 backend=desktop.auth.backend.LdapBackend
 [[ldap]]
  ldap_url=ldap://hive.cxy7.com:389
  ldap_username_pattern="uid=<username>,ou=People,dc=cxy7,dc=com"
  use_start_tls=false
  search_bind_authentication=false
  create_users_on_login=true
  base_dn="ou=People,dc=cxy7,dc=com"
  bind_dn="uid=hue,ou=People,dc=cxy7,dc=com"
  bind_password=********

search_bind_authentication=false is what selects direct bind, and ldap_username_pattern supplies the DN template; base_dn must use the same suffix (dc=cxy7,dc=com) as the pattern and bind_dn. The bind_dn/bind_password service account is not involved in user logins in this mode; Hue uses it for its own directory lookups, such as importing or syncing LDAP users and groups. Note that ldap:// on port 389 with use_start_tls=false sends every bind, users' passwords included, across the network in clear text; prefer ldaps:// or use_start_tls=true with the directory's CA certificate configured.
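For comparison, an added example (not from the original post) of the same [[ldap]] section with the cleartext transport replaced by LDAPS and the bind password read from a script instead of being stored in hue.ini. The ldaps host and port, the CA certificate path and the script path are assumptions of this example; ldap_cert and bind_password_script are Hue's own option names.

```ini
[desktop]
 [[auth]]
 backend=desktop.auth.backend.LdapBackend
 [[ldap]]
  # LDAPS instead of ldap://...:389, so bind passwords are not sent in the clear
  ldap_url=ldaps://hive.cxy7.com:636
  # CA certificate(s) used to verify the directory server (path is an assumption)
  ldap_cert=/etc/hue/conf/ldap-ca.pem
  # StartTLS only applies to ldap:// URLs; leave it off with ldaps://
  use_start_tls=false
  ldap_username_pattern="uid=<username>,ou=People,dc=cxy7,dc=com"
  search_bind_authentication=false
  create_users_on_login=true
  base_dn="ou=People,dc=cxy7,dc=com"
  bind_dn="uid=hue,ou=People,dc=cxy7,dc=com"
  # Password produced by a script (path is an assumption), used when bind_password is unset
  bind_password_script=/etc/hue/conf/bind_password.sh
```

The script must be executable by the Hue process user only and print the password to stdout; keeping the secret there, rather than in hue.ini, means the configuration file can be copied or checked in without leaking the service-account credential.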

The same settings can also be made through the management UI.

Select the authentication backend

Choose desktop.auth.backend.LdapBackend

Configure LDAP

LDAP server URL

Connecting to Hive/Impala

[beeswax]
close_queries=True
use_sasl=False
auth_username=hue
auth_password=********
[impala]
server_host=hive.cxy7.com
server_interface=hiveserver2
server_port=21050
query_timeout_s=100
impersonation_enabled=True
auth_username=hue
auth_password=********

Hue connects to other systems such as Hive and Impala with a preset service account (the auth_username/auth_password above, here the hue user); HiveServer2, configured for LDAP authentication, validates that account against the directory when the session is opened. Once the connection is up and a query is actually executed, authorization is done as the user who logged in to Hue: with impersonation_enabled=True Hue passes the login name to the server as the proxy user (the hive.server2.proxy.user session setting), so the hue service account needs proxy-user rights on the Hadoop side while the end user's own permissions apply to the query. The service-account password sits in clear text in hue.ini here; Hue can instead read it from a script (auth_password_script), which keeps it out of configuration that gets copied around or checked in.

Verification

Test Hue LDAP Configuration On-the-Fly

Restart Hue

The login page changes accordingly

Verification



Possible problems

[LDAP: error code 49 - Invalid Credentials]

Problem description

2018-07-17 10:55:25,619 DEBUG org.apache.thrift.transport.TSaslServerTransport: [HiveServer2-Handler-Pool: Thread-76]: transport map does not contain key
2018-07-17 10:55:25,619 DEBUG org.apache.thrift.transport.TSaslTransport: [HiveServer2-Handler-Pool: Thread-76]: opening transport org.apache.thrift.transport.TSaslServerTransport@4d63f957
2018-07-17 10:55:25,620 DEBUG org.apache.thrift.transport.TSaslTransport: [HiveServer2-Handler-Pool: Thread-76]: SERVER: Received message with status START and payload length 5
2018-07-17 10:55:25,620 DEBUG org.apache.thrift.transport.TSaslServerTransport: [HiveServer2-Handler-Pool: Thread-76]: Received start message with status START
2018-07-17 10:55:25,620 DEBUG org.apache.thrift.transport.TSaslServerTransport: [HiveServer2-Handler-Pool: Thread-76]: Received mechanism name 'PLAIN'
2018-07-17 10:55:25,620 DEBUG org.apache.thrift.transport.TSaslTransport: [HiveServer2-Handler-Pool: Thread-76]: SERVER: Start message handled
2018-07-17 10:55:25,620 DEBUG org.apache.thrift.transport.TSaslTransport: [HiveServer2-Handler-Pool: Thread-76]: SERVER: Received message with status OK and payload length 12
2018-07-17 10:55:25,727 WARN  org.apache.hadoop.hive.conf.HiveConf: [HiveServer2-Handler-Pool: Thread-76]: HiveConf of name hive.server2.idle.session.timeout_check_operation does not exist
2018-07-17 10:55:25,728 WARN  org.apache.hadoop.hive.conf.HiveConf: [HiveServer2-Handler-Pool: Thread-76]: HiveConf of name hive.entity.capture.input.URI does not exist
2018-07-17 10:55:25,728 DEBUG org.apache.hive.service.auth.ldap.LdapSearchFactory: [HiveServer2-Handler-Pool: Thread-76]: Connecting using principal uid=hue,ou=People,dc=jwopt,dc=cn to ldap url ldap://cxy7.com:389
2018-07-17 10:55:25,730 DEBUG org.apache.hive.service.auth.ldap.LdapSearchFactory: [HiveServer2-Handler-Pool: Thread-76]: Could not connect to the LDAP Server:Authentication failed for uid=hue,ou=People,dc=jwopt,dc=cn
2018-07-17 10:55:25,730 ERROR org.apache.thrift.transport.TSaslTransport: [HiveServer2-Handler-Pool: Thread-76]: SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]]
    at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
    at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]
    at org.apache.hive.service.auth.ldap.LdapSearchFactory.getInstance(LdapSearchFactory.java:48)
    at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.createDirSearch(LdapAuthenticationProviderImpl.java:92)
    at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:72)
    at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
    at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:102)
    ... 8 more
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.InitialContext.<init>(InitialContext.java:216)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
    at org.apache.hive.service.auth.ldap.LdapSearchFactory.createDirContext(LdapSearchFactory.java:62)
    at org.apache.hive.service.auth.ldap.LdapSearchFactory.getInstance(LdapSearchFactory.java:44)
    ... 12 more
2018-07-17 10:55:25,731 DEBUG org.apache.thrift.transport.TSaslTransport: [HiveServer2-Handler-Pool: Thread-76]: SERVER: Writing message with status BAD and payload length 26
2018-07-17 10:55:25,732 DEBUG org.apache.thrift.transport.TSaslServerTransport: [HiveServer2-Handler-Pool: Thread-76]: failed to open server transport
org.apache.thrift.transport.TTransportException: Error validating the login
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
2018-07-17 10:55:25,732 ERROR org.apache.thrift.server.TThreadPoolServer: [HiveServer2-Handler-Pool: Thread-76]: Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Error validating the login
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.thrift.transport.TTransportException: Error validating the login
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    ... 4 more

Solution

Configure bind_dn and bind_password, and create the matching account in LDAP.

The trace shows where the failure actually happens: it is HiveServer2, not Hue, that binds to the directory (LdapSearchFactory: "Connecting using principal uid=hue,ou=People,dc=jwopt,dc=cn"), using the username and password Hue sent in the SASL PLAIN exchange, i.e. the auth_username/auth_password from the [beeswax] and [impala] sections. LDAP result code 49 (invalidCredentials) means that DN does not exist or the password does not match, so the hue account must exist in the directory at exactly the DN the server constructs, with the same password that is configured in hue.ini for Hive/Impala (and in bind_password). Note that the DN and server in this log (dc=jwopt,dc=cn on ldap://cxy7.com:389) are not the ones in the hue.ini above; the account has to be created where the Hive server is really looking.
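The quickest way to confirm whether the credentials HiveServer2 reports as invalid really fail against the directory is to issue the same simple bind yourself, outside both Hive and Hue (OpenLDAP's `ldapwhoami -H ldap://host:389 -D "uid=hue,ou=People,dc=cxy7,dc=com" -W` does exactly that). The block below is an added example, not part of the original post or of the Hue or Hive projects: a minimal LDAPv3 simple-bind client written with only the Python standard library (the BER encoding of BindRequest and BindResponse from RFC 4511), together with a constructed BindResponse carrying resultCode 49 so the parser can be exercised offline. The host, DN and password used in the `__main__` block are placeholders.

```python
# Added example (not code from the original post, Hue or Hive): a minimal LDAPv3
# simple-bind client (RFC 4511) on the standard library only, so the bind that
# HiveServer2 performs as uid=hue can be repeated by hand and the server's
# resultCode read directly. Host, DN and password values are placeholders.
import socket
import ssl

# resultCode values a bind commonly returns (RFC 4511 appendix A)
RESULT_CODES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                53: "unwillingToPerform"}

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value: int) -> bytes:
    """Minimal two's-complement content octets of a non-negative INTEGER."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)

def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (tlv(0x02, ber_int(3))                    # version INTEGER 3
            + tlv(0x04, dn.encode("utf-8"))          # name LDAPDN
            + tlv(0x80, password.encode("utf-8")))   # authentication: simple [0]
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + tlv(0x60, bind))  # [APPLICATION 0]

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV at pos -> (tag, payload, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                                 # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def message_complete(buf: bytes) -> bool:
    """True once buf holds one whole outer SEQUENCE; used to stop reading the socket."""
    if len(buf) < 2:
        return False
    hdr, length = 2, buf[1]
    if buf[1] & 0x80:
        n = buf[1] & 0x7F
        if len(buf) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(buf[2:2 + n], "big")
    return len(buf) >= hdr + length

def parse_bind_response(buf: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, body, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)                     # messageID INTEGER
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:                                  # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)                      # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)          # matchedDN
    _, diag, _ = read_tlv(op, pos)                   # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))

def simple_bind(host: str, port: int, dn: str, password: str, use_tls: bool = False):
    """Send one simple bind and return (resultCode, diagnosticMessage).

    use_tls=True wraps the socket for an ldaps:// endpoint with certificate
    verification; over plain ldap:// (as in the hue.ini above) the password
    crosses the network in clear text.
    """
    sock = socket.create_connection((host, port), timeout=5)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, dn, password))
        data = b""
        while not message_complete(data):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before BindResponse")
            data += chunk
    _, code, diag = parse_bind_response(data)
    return code, diag

# Constructed BindResponse: messageID 1, resultCode 49, empty matchedDN and
# diagnosticMessage; the wire form of the error in the HiveServer2 log above.
SAMPLE_INVALID_CREDENTIALS = bytes.fromhex("300c020101" "6107" "0a0131" "0400" "0400")

if __name__ == "__main__":
    _, code, _ = parse_bind_response(SAMPLE_INVALID_CREDENTIALS)
    print(code, RESULT_CODES.get(code, "unknown"))
    # Live check against the directory (placeholder values):
    # print(simple_bind("hive.cxy7.com", 389, "uid=hue,ou=People,dc=cxy7,dc=com", "secret"))
```

A result of 49 from `simple_bind` with the DN and password taken verbatim from hue.ini confirms the problem is the account or password in the directory rather than anything in Hive's SASL layer; 32 (noSuchObject) or 34 (invalidDNSyntax) instead points at the DN itself, which is what to check first when the suffix in the log differs from the one in the configuration.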

References

Authenticate Hue Users with LDAP

Making Hadoop Accessible to your Employees with LDAP

