Vipin Rathor created KNOX-745:
---------------------------------

             Summary: KnoxCLI system-user-auth and user-auth doesn't work with system password alias
                 Key: KNOX-745
                 URL: https://issues.apache.org/jira/browse/KNOX-745
             Project: Apache Knox
          Issue Type: Bug
          Components: KnoxCLI
    Affects Versions: 0.10.0
         Environment: centos6
            Reporter: Vipin Rathor
            Priority: Minor


When a system password alias is used instead of a plain-text password in the Knox
topology, the knoxcli system-user-auth-test and user-auth-test commands fail to
authenticate.

The issue can be reproduced easily with the steps below.

Steps to reproduce:
1. Specify these three properties in the topology (say sandbox.xml):
{code:xml}
        <param>
          <name>main.ldapRealm.authorizationEnabled</name>
          <value>true</value>
        </param>
        <param>
          <name>main.ldapRealm.contextFactory.systemUsername</name>
          <value>uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <param>
          <name>main.ldapRealm.contextFactory.systemPassword</name>
          <value>${ALIAS=ldapsystempassword}</value>
        </param>
{code}

2. Save and restart the Knox gateway service.
3. Create the password alias:
{code}
bin/knoxcli.sh create-alias ldapsystempassword --value 'admin-password' --cluster sandbox
{code}
4. Both of the commands below fail:
{code}
bin/knoxcli.sh system-user-auth-test --cluster sandbox --d
org.apache.shiro.authc.AuthenticationException: LDAP authentication failed.
[LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=people,dc=hadoop,dc=apache,dc=org]
org.apache.shiro.authc.AuthenticationException: LDAP authentication failed.
        at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:300)
        at org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.doGetAuthenticationInfo(KnoxLdapRealm.java:193)
        at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
        at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
        at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1069)
        at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.testSysBind(KnoxCLI.java:1171)
        at org.apache.hadoop.gateway.util.KnoxCLI$LDAPSysBindCommand.execute(KnoxCLI.java:1478)
        at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:138)
        at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
        at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1675)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
        at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
        at org.apache.hadoop.gateway.launcher.Command.run(Command.java:101)
        at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
        at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=people,dc=hadoop,dc=apache,dc=org]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3088)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3034)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2836)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2750)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:317)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
        at javax.naming.InitialContext.init(InitialContext.java:242)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
        at org.apache.shiro.realm.ldap.JndiLdapContextFactory.createLdapContext(JndiLdapContextFactory.java:508)
        at org.apache.shiro.realm.ldap.JndiLdapContextFactory.getLdapContext(JndiLdapContextFactory.java:495)
        at org.apache.shiro.realm.ldap.JndiLdapRealm.queryForAuthenticationInfo(JndiLdapRealm.java:375)
        at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:295)
        ... 23 more
Unable to successfully bind to LDAP server with topology credentials. Are your parameters correct?
{code}
user-auth-test:
{code}
bin/knoxcli.sh user-auth-test --cluster sandbox --u guest --p guest-password --d --g
org.apache.shiro.config.ConfigurationException: Unable to set property 'contextFactory.systemPassword' with value [S{ALIAS=ldapsystempassword}] on object of type org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.  If 'S{ALIAS=ldapsystempassword}' is a reference to another (previously defined) object, prefix it with '$' to indicate that the referenced object should be used as the actual value.  For example, $S{ALIAS=ldapsystempassword}
org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand$BadSubjectException: Subject could not be created with Shiro Config at sections=main,urls
org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand$BadSubjectException: Subject could not be created with Shiro Config at sections=main,urls
        at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.getSubject(KnoxCLI.java:1242)
        at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1067)
        at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1104)
        at org.apache.hadoop.gateway.util.KnoxCLI$LDAPAuthCommand.execute(KnoxCLI.java:1400)
        at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:138)
        at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
        at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1675)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
        at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
        at org.apache.hadoop.gateway.launcher.Command.run(Command.java:101)
        at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
        at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
ERR: Unable to authenticate user: guest
{code}
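An added illustration, not Knox's own code, of the alias resolution the CLI commands need to perform before building the Shiro subject: a `${ALIAS=name}` param value is looked up in the cluster's alias store and the secret substituted, and an unresolved reference fails closed instead of being handed to Shiro as a literal (which is what the user-auth-test output above shows Shiro rejecting). The class name, the Map-backed alias store and the sample secret are constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper written for this report (not Knox code): resolves ${ALIAS=name}
// topology param values against a per-cluster alias store before they reach the Shiro
// realm. The store is a constructed Map standing in for the gateway's alias service.
public class AliasParamResolver {
    // Same reference syntax as the topology in the report: ${ALIAS=ldapsystempassword}
    private static final Pattern ALIAS_REF = Pattern.compile("^\\$\\{ALIAS=([^}]+)\\}$");
    private final Map<String, Map<String, char[]>> aliasStore; // cluster -> alias -> secret

    public AliasParamResolver(Map<String, Map<String, char[]>> aliasStore) {
        this.aliasStore = aliasStore;
    }

    // Returns the value to hand to the realm: the alias secret when the value is an
    // alias reference, the literal otherwise. Fails closed on an unknown alias so the
    // raw "${ALIAS=...}" string is never passed on as if it were the password, which
    // is what produced the ConfigurationException in the user-auth-test output.
    public String resolve(String cluster, String value) {
        Matcher m = ALIAS_REF.matcher(value);
        if (!m.matches()) {
            return value; // plain-text value: pass through unchanged
        }
        char[] secret = aliasStore.getOrDefault(cluster, new HashMap<>()).get(m.group(1));
        if (secret == null) {
            throw new IllegalStateException("alias '" + m.group(1)
                    + "' is not defined for cluster '" + cluster + "'");
        }
        return new String(secret);
    }

    public static void main(String[] args) {
        // Constructed sample store: the alias created in step 3 of the report.
        Map<String, Map<String, char[]>> store = new HashMap<>();
        store.put("sandbox", new HashMap<>());
        store.get("sandbox").put("ldapsystempassword", "admin-password".toCharArray());

        AliasParamResolver r = new AliasParamResolver(store);
        String pw = r.resolve("sandbox", "${ALIAS=ldapsystempassword}");
        // Report only whether the reference resolved; never print the secret itself.
        System.out.println("systemPassword resolved: " + !pw.startsWith("${ALIAS="));
    }
}
```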



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)