You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oozie.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2018/03/12 20:19:00 UTC
[jira] [Commented] (OOZIE-2427) With Kerberos enabled, the
authentication failure for the javascript resources under /ext-2.2
[ https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16395814#comment-16395814 ]
Hadoop QA commented on OOZIE-2427:
----------------------------------
PreCommit-OOZIE-Build started
> With Kerberos enabled, the authentication failure for the javascript resources under /ext-2.2
> ----------------------------------------------------------------------------------------------
>
> Key: OOZIE-2427
> URL: https://issues.apache.org/jira/browse/OOZIE-2427
> Project: Oozie
> Issue Type: Bug
> Components: security
> Affects Versions: 4.2.0
> Reporter: Gao Zhong Liang
> Priority: Major
> Fix For: trunk
>
> Attachments: OOZIE-2427.patch
>
>
> With the kerberos authentication enabled, failed to load Oozie console due to the authentication failure of the javascript resource under /ext-2.2. Go back the Oozie log, the following error messages found:
> 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user [knox] authenticated
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
> 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
> at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
> at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
> Based on the analysis, the issue should related to is related to the jira HADOOP-8830: org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
> https://issues.apache.org/jira/browse/HADOOP-8830
> 1. Current oozie leverages Hadoop for the authentication.
> 2. Based on the resouce difference, it defines the filter for the authentication, but for some resources such as some js under ext-2.2, they are always authenticated twice, the reason is beacuse oozie has the following filter definition:
>
> <filter-mapping>
> <filter-name>authenticationfilter</filter-name>
> <url-pattern>*.js</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>authenticationfilter</filter-name>
> <url-pattern>/ext-2.2/*</url-pattern>
> </filter-mapping>
> With the issue in HADOOP-8830, the final authentication is failure, so we finally get the error 403 in browser(which directly causes the console disabled).
>
> 3. For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug mode is enabled, logs clearly show that.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)