You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oozie.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2016/01/05 10:07:40 UTC

[jira] [Commented] (OOZIE-2427) With Kerberos enabled, the authentication failure for the javascript resources under /ext-2.2

    [ https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082675#comment-15082675 ] 

Hadoop QA commented on OOZIE-2427:
----------------------------------

Testing JIRA OOZIE-2427

Cleaning local git workspace

----------------------------

{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
.    {color:green}+1{color} the patch does not introduce any @author tags
.    {color:green}+1{color} the patch does not introduce any tabs
.    {color:green}+1{color} the patch does not introduce any trailing spaces
.    {color:green}+1{color} the patch does not introduce any line longer than 132
.    {color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
.    {color:green}+1{color} the patch does not seem to introduce new RAT warnings
{color:green}+1 JAVADOC{color}
.    {color:green}+1{color} the patch does not seem to introduce new Javadoc warnings
{color:green}+1 COMPILE{color}
.    {color:green}+1{color} HEAD compiles
.    {color:green}+1{color} patch compiles
.    {color:green}+1{color} the patch does not seem to introduce new javac warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.    {color:green}+1{color} the patch does not change any JPA Entity/Colum/Basic/Lob/Transient annotations
.    {color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color}
.    Tests run: 1703
.    Tests failed: 6
.    Tests errors: 0

.    The patch failed the following testcases:

.      testBundleStatusTransitWithLock(org.apache.oozie.service.TestStatusTransitService)
.      testCoordChangeConcurrency(org.apache.oozie.command.coord.TestCoordChangeXCommand)
.      testForNoDuplicates(org.apache.oozie.event.TestEventGeneration)
.      testPurgeWFWithSubWF1(org.apache.oozie.command.TestPurgeXCommand)
.      testPurgeXCommandFailed(org.apache.oozie.command.TestPurgeXCommand)
.      testSamplers(org.apache.oozie.util.TestMetricsInstrumentation)

{color:green}+1 DISTRO{color}
.    {color:green}+1{color} distro tarball builds with the patch 

----------------------------
{color:red}*-1 Overall result, please check the reported -1(s)*{color}


The full output of the test-patch run is available at

.   https://builds.apache.org/job/oozie-trunk-precommit-build/2693/

> With Kerberos enabled, the authentication failure for the javascript resources under /ext-2.2 
> ----------------------------------------------------------------------------------------------
>
>                 Key: OOZIE-2427
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2427
>             Project: Oozie
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 4.2.0
>            Reporter: Gao Zhong Liang
>             Fix For: trunk
>
>         Attachments: OOZIE-2427.patch
>
>
> With the kerberos authentication enabled, failed to load Oozie console due to the authentication failure of the javascript resource under /ext-2.2. Go back the Oozie log, the following error messages found:
> 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user [knox] authenticated
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
> 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)  
> Based on the analysis, the issue should related to is related to the jira  HADOOP-8830: org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
> https://issues.apache.org/jira/browse/HADOOP-8830
> 1. Current oozie leverages Hadoop for the authentication.
> 2. Based on the resouce difference, it defines the filter for the  authentication, but for some resources such as some js under ext-2.2, they are always authenticated twice, the reason is beacuse oozie has the following filter definition:
>  
> <filter-mapping>
>     <filter-name>authenticationfilter</filter-name>
>     <url-pattern>*.js</url-pattern>
> </filter-mapping>
> <filter-mapping>
>     <filter-name>authenticationfilter</filter-name>
>     <url-pattern>/ext-2.2/*</url-pattern>
> </filter-mapping>
> With the issue in HADOOP-8830, the final authentication is failure, so we finally get the error 403 in browser(which directly causes the console disabled).
>  
> 3. For 2),  it just hit the issue in Jira HADOOP-8830, if the oozie's debug mode is enabled, logs clearly show that. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)