You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oozie.apache.org by "Andras Piros (JIRA)" <ji...@apache.org> on 2018/04/23 08:29:00 UTC
[jira] [Updated] (OOZIE-2427) With Kerberos enabled, the
authentication failure for the javascript resources under /ext-2.2
[ https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andras Piros updated OOZIE-2427:
--------------------------------
Description:
With the kerberos authentication enabled, failed to load Oozie console due to the authentication failure of the javascript resource under {{/ext-2.2}}. Go back the Oozie log, the following error messages found:
{noformat}
21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user [knox] authenticated
2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
{noformat}
Based on the analysis, the issue should related to is related to the jira [*HADOOP-8830*|https://issues.apache.org/jira/browse/HADOOP-8830]: {{org.apache.hadoop.security.authentication.server.AuthenticationFilter}} might be called twice, causing kerberos replay errors.
# Current oozie leverages Hadoop for the authentication.
# Based on the resouce difference, it defines the filter for the authentication, but for some resources such as some js under ext-2.2, they are always authenticated twice, the reason is beacuse oozie has the following filter definition:
{code:xml}
<filter-mapping>
<filter-name>authenticationfilter</filter-name>
<url-pattern>*.js</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>authenticationfilter</filter-name>
<url-pattern>/ext-2.2/*</url-pattern>
</filter-mapping>
{code}
With the issue in HADOOP-8830, the final authentication is failure, so we finally get the error 403 in browser(which directly causes the console disabled).
# For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug mode is enabled, logs clearly show that.
was:
With the kerberos authentication enabled, failed to load Oozie console due to the authentication failure of the javascript resource under /ext-2.2. Go back the Oozie log, the following error messages found:
21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user [knox] authenticated
2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
Based on the analysis, the issue should related to is related to the jira HADOOP-8830: org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
https://issues.apache.org/jira/browse/HADOOP-8830
1. Current oozie leverages Hadoop for the authentication.
2. Based on the resouce difference, it defines the filter for the authentication, but for some resources such as some js under ext-2.2, they are always authenticated twice, the reason is beacuse oozie has the following filter definition:
<filter-mapping>
<filter-name>authenticationfilter</filter-name>
<url-pattern>*.js</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>authenticationfilter</filter-name>
<url-pattern>/ext-2.2/*</url-pattern>
</filter-mapping>
With the issue in HADOOP-8830, the final authentication is failure, so we finally get the error 403 in browser(which directly causes the console disabled).
3. For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug mode is enabled, logs clearly show that.
> With Kerberos enabled, the authentication failure for the javascript resources under /ext-2.2
> ----------------------------------------------------------------------------------------------
>
> Key: OOZIE-2427
> URL: https://issues.apache.org/jira/browse/OOZIE-2427
> Project: Oozie
> Issue Type: Bug
> Components: security
> Affects Versions: 4.2.0
> Reporter: Gao Zhong Liang
> Priority: Major
> Fix For: trunk
>
> Attachments: OOZIE-2427.patch
>
>
> With the kerberos authentication enabled, failed to load Oozie console due to the authentication failure of the javascript resource under {{/ext-2.2}}. Go back the Oozie log, the following error messages found:
> {noformat}
> 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user [knox] authenticated
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
> 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
> at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
> at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
> {noformat}
> Based on the analysis, the issue should related to is related to the jira [*HADOOP-8830*|https://issues.apache.org/jira/browse/HADOOP-8830]: {{org.apache.hadoop.security.authentication.server.AuthenticationFilter}} might be called twice, causing kerberos replay errors.
> # Current oozie leverages Hadoop for the authentication.
> # Based on the resouce difference, it defines the filter for the authentication, but for some resources such as some js under ext-2.2, they are always authenticated twice, the reason is beacuse oozie has the following filter definition:
> {code:xml}
> <filter-mapping>
> <filter-name>authenticationfilter</filter-name>
> <url-pattern>*.js</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>authenticationfilter</filter-name>
> <url-pattern>/ext-2.2/*</url-pattern>
> </filter-mapping>
> {code}
> With the issue in HADOOP-8830, the final authentication is failure, so we finally get the error 403 in browser(which directly causes the console disabled).
> # For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug mode is enabled, logs clearly show that.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)