[
https://issues.apache.org/jira/browse/KNOX-746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15551166#comment-15551166
]
Alexandre Linte commented on KNOX-746:
--------------------------------------
To complete my previous answer, here is the full log stack:
{noformat}
Oct 6 09:11:06 knox01 knox INFO - org.apache.hadoop.gatewayCould not login:
org.apache.shiro.authc.UsernamePasswordToken - shfs3453, rememberMe=false
(192.168.200.208)
Oct 6 09:11:06 knox01 knox DEBUG - org.apache.hadoop.gatewayFailed to
Authenticate with LDAP server: {1}
Oct 6 09:11:06 localhost org.apache.shiro.authc.AuthenticationException: LDAP
authentication failed.
Oct 6 09:11:06 localhost at
org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:300)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.doGetAuthenticationInfo(KnoxLdapRealm.java:193)
Oct 6 09:11:06 localhost at
org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
Oct 6 09:11:06 localhost at
org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
Oct 6 09:11:06 localhost at
org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
Oct 6 09:11:06 localhost at
org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
Oct 6 09:11:06 localhost at
org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
Oct 6 09:11:06 localhost at
org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
Oct 6 09:11:06 localhost at
org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter.onAccessDenied(BasicHttpAuthenticationFilter.java:190)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
Oct 6 09:11:06 localhost at
org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
Oct 6 09:11:06 localhost at
org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
Oct 6 09:11:06 localhost at
org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
Oct 6 09:11:06 localhost at
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:332)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.filter.ResponseCookieFilter.doFilter(ResponseCookieFilter.java:50)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:332)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:332)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:139)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:91)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.GatewayServlet.service(GatewayServlet.java:138)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.Server.handle(Server.java:499)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
Oct 6 09:11:06 localhost at
org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
Oct 6 09:11:06 localhost at java.lang.Thread.run(Thread.java:745)
Oct 6 09:11:06 Caused by: javax.naming.AuthenticationException: [LDAP: error
code 49 - Invalid Credentials]
Oct 6 09:11:06 localhost at
com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3088)
Oct 6 09:11:06 localhost at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3034)
Oct 6 09:11:06 localhost at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2836)
Oct 6 09:11:06 localhost at
com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2750)
Oct 6 09:11:06 localhost at
com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:317)
Oct 6 09:11:06 localhost at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
Oct 6 09:11:06 localhost at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
Oct 6 09:11:06 localhost at
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
Oct 6 09:11:06 localhost at
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
Oct 6 09:11:06 localhost at
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
Oct 6 09:11:06 localhost at
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
Oct 6 09:11:06 localhost at
javax.naming.InitialContext.init(InitialContext.java:242)
Oct 6 09:11:06 localhost at
javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
Oct 6 09:11:06 localhost at
org.apache.shiro.realm.ldap.JndiLdapContextFactory.createLdapContext(JndiLdapContextFactory.java:508)
Oct 6 09:11:06 localhost at
org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory.createLdapContext(KnoxLdapContextFactory.java:63)
Oct 6 09:11:06 localhost at
org.apache.shiro.realm.ldap.JndiLdapContextFactory.getLdapContext(JndiLdapContextFactory.java:495)
Oct 6 09:11:06 localhost at
org.apache.shiro.realm.ldap.JndiLdapRealm.queryForAuthenticationInfo(JndiLdapRealm.java:375)
Oct 6 09:11:06 localhost at
org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:295)
Oct 6 09:11:06 localhost ... 61 more
Oct 6 09:11:06 knox01 knox ERROR - org.apache.hadoop.gatewayShiro unable to
login: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
Credentials]
{noformat}
The error code is crazy because it's the right username and password. I don't
understand the mistake.
> Unstable LDAP authentication
> ----------------------------
>
> Key: KNOX-746
> URL: https://issues.apache.org/jira/browse/KNOX-746
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.9.1
> Environment: Knox 0.9.1, Hadoop 2.7.2
> Reporter: Alexandre Linte
>
> I'm upgrading Knox from 0.7.0 to 0.9.1. My LDAP configuration doesn't change
> between the two versions. You can find the topology below:
> {noformat}
> <topology>
> <gateway>
> <provider>
> <role>authentication</role>
> <name>ShiroProvider</name>
> <enabled>true</enabled>
> <param>
> <name>sessionTimeout</name>
> <value>30</value>
> </param>
> <param>
> <name>main.ldapRealm</name>
>
> <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
> </param>
> <param>
> <name>main.ldapContextFactory</name>
>
> <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
> </param>
> <param>
> <name>main.ldapRealm.contextFactory</name>
> <value>$ldapContextFactory</value>
> </param>
> <param>
> <name>main.ldapRealm.userDnTemplate</name>
> <value>cn={0},ou=users,ou=kerberos,dc=bigdata,dc=fr</value>
> </param>
> <param>
> <name>main.ldapRealm.contextFactory.url</name>
> <value>ldap://ldapmaster01.bigdata.fr:389</value>
> </param>
> <param>
>
> <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
> <value>simple</value>
> </param>
> <param>
> <name>main.cacheManager</name>
> <value>org.apache.shiro.cache.ehcache.EhCacheManager</value>
> </param>
> <param>
> <name>main.securityManager.cacheManager</name>
> <value>$cacheManager</value>
> </param>
> <param>
> <name>main.ldapRealm.authenticationCachingEnabled</name>
> <value>true</value>
> </param>
> <param>
> <name>urls./**</name>
> <value>authcBasic</value>
> </param>
> </provider>
> <provider>
> <role>ha</role>
> <name>HaProvider</name>
> <enabled>true</enabled>
> <param>
> <name>WEBHDFS</name>
>
> <value>maxFailoverAttempts=3;failoverSleep=1000;maxRetryAttempts=300;retrySleep=1000;enabled=true</value>
> </param>
> </provider>
> <provider>
> <role>identity-assertion</role>
> <name>Default</name>
> <enabled>true</enabled>
> </provider>
> <provider>
> <role>hostmap</role>
> <name>static</name>
> <enabled>true</enabled>
> <param>
> <name>localhost</name>
> <value>sandbox,sandbox.hortonworks.com</value>
> </param>
> </provider>
> </gateway>
> <service>
> <role>NAMENODE</role>
> <url>hdfs://namenode01.bigdata.fr:8020</url>
> </service>
> <service>
> <role>RESOURCEMANAGER</role>
> <url>http://rm01.bigdata.fr:8088/ws</url>
> </service>
> <service>
> <role>JOBTRACKER</role>
> <url>rpc://rm01.bigdata.fr:8050</url>
> </service>
> <service>
> <role>WEBHDFS</role>
> <url>http://namenode01.bigdata.fr:50070/webhdfs</url>
> <url>http://namenode02.bigdata.fr:50070/webhdfs</url>
> </service>
> <service>
> <role>YARNUI</role>
> <url>http://rm02.bigdata.fr:8088</url>
> </service>
> <service>
> <role>HDFSUI</role>
> <url>http://namenode01.bigdata.fr:50070</url>
> </service>
> <service>
> <role>JOBHISTORYUI</role>
> <url>http://namenode01.bigdata.fr:19888</url>
> </service>
> <service>
> <role>WEBHCAT</role>
> <url>http://metastore01.bigdata.fr:50111/templeton</url>
> </service>
> <service>
> <role>OOZIE</role>
> <url>http://oozie01.bigdata.fr:11000/oozie</url>
> </service>
> <service>
> <role>OOZIEUI</role>
> <url>http://oozie01.bigdata.fr:11000/oozie</url>
> </service>
> <service>
> <role>WEBHBASE</role>
> <url>http://hiveserver01.bigdata.fr:8080</url>
> </service>
> <service>
> <role>HBASEUI</role>
> <url>http://namenode01.bigdata.fr:16010</url>
> </service>
> <service>
> <role>HIVE</role>
> <url>http://hiveserver01.bigdata.fr:10001/bdcorp</url>
> </service>
> <service>
> <role>SPARKHISTORYUI</role>
> <url>http://sparkhistory01.bigdata.fr:18080</url>
> </service>
> </topology>
> {noformat}
> Note: The XML is correct but I cannot validate the topology through knoxcli.
> {noformat}
> [root@knox01 current]# ./bin/knoxcli.sh validate-topology --cluster bigdata
> File to be validated:
> /opt/application/Knox/knox-0.9.1/bin/../conf/topologies/bigdata.xml
> ==========================================
> Error retrieving schema from ClassLoader
> Topology validation unsuccessful
> {noformat}
> Regularly I cannot connect to Knox with my personal account and after a few
> seconds or minutes, I can connect again. The stack trace is below:
> {noformat}
> Aug 25 09:42:16 knox01.bigdata.fr knox INFO -
> org.apache.hadoop.gatewayComputed userDn:
> cn=shfs3453,ou=users,ou=kerberos,dc=bigdata,dc=fr using dnTemplate for
> principal: shfs3453
> Aug 25 09:42:16 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayCould
> not login: org.apache.shiro.authc.UsernamePasswordToken - shfs3453,
> rememberMe=false (192.168.64.169)
> Aug 25 09:42:16 knox01.bigdata.fr knox ERROR - org.apache.hadoop.gatewayShiro
> unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 -
> Invalid Credentials]
> Aug 25 09:42:32 knox01.bigdata.fr knox INFO -
> org.apache.hadoop.gatewayComputed userDn:
> cn=shfs3453,ou=users,ou=kerberos,dc=bigdata,dc=fr using dnTemplate for
> principal: shfs3453
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
