You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oozie.apache.org by "Andras Piros (JIRA)" <ji...@apache.org> on 2018/04/23 08:39:00 UTC
[jira] [Assigned] (OOZIE-2427) [Kerberos] Authentication failure
for the javascript resources under /ext-2.2
[ https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andras Piros reassigned OOZIE-2427:
-----------------------------------
Assignee: Gao Zhong Liang
> [Kerberos] Authentication failure for the javascript resources under /ext-2.2
> -----------------------------------------------------------------------------
>
> Key: OOZIE-2427
> URL: https://issues.apache.org/jira/browse/OOZIE-2427
> Project: Oozie
> Issue Type: Bug
> Components: security
> Affects Versions: 4.2.0
> Reporter: Gao Zhong Liang
> Assignee: Gao Zhong Liang
> Priority: Major
> Fix For: trunk
>
> Attachments: OOZIE-2427.patch
>
>
> With the kerberos authentication enabled, failed to load Oozie console due to the authentication failure of the javascript resource under {{/ext-2.2}}. Go back the Oozie log, the following error messages found:
> {noformat}
> 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user [knox] authenticated
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
> 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
> at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
> at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
> {noformat}
> Based on the analysis, the issue should related to is related to the jira [*HADOOP-8830*|https://issues.apache.org/jira/browse/HADOOP-8830]: {{org.apache.hadoop.security.authentication.server.AuthenticationFilter}} might be called twice, causing kerberos replay errors.
> # Current oozie leverages Hadoop for the authentication.
> # Based on the resouce difference, it defines the filter for the authentication, but for some resources such as some js under ext-2.2, they are always authenticated twice, the reason is beacuse oozie has the following filter definition:
> {code:xml}
> <filter-mapping>
> <filter-name>authenticationfilter</filter-name>
> <url-pattern>*.js</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>authenticationfilter</filter-name>
> <url-pattern>/ext-2.2/*</url-pattern>
> </filter-mapping>
> {code}
> With the issue in HADOOP-8830, the final authentication is failure, so we finally get the error 403 in browser(which directly causes the console disabled).
> # For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug mode is enabled, logs clearly show that.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)