[ https://issues.apache.org/jira/browse/KNOX-746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15551166#comment-15551166 ]

Alexandre Linte commented on KNOX-746:
--------------------------------------

To complete my previous answer, here is the full log stack:
{noformat}
Oct 6 09:11:06 knox01 knox INFO - org.apache.hadoop.gatewayCould not login: org.apache.shiro.authc.UsernamePasswordToken - shfs3453, rememberMe=false (192.168.200.208)
Oct 6 09:11:06 knox01 knox DEBUG - org.apache.hadoop.gatewayFailed to Authenticate with LDAP server: {1}
Oct 6 09:11:06 localhost org.apache.shiro.authc.AuthenticationException: LDAP authentication failed.
Oct 6 09:11:06 localhost at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:300)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.doGetAuthenticationInfo(KnoxLdapRealm.java:193)
Oct 6 09:11:06 localhost at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
Oct 6 09:11:06 localhost at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
Oct 6 09:11:06 localhost at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
Oct 6 09:11:06 localhost at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
Oct 6 09:11:06 localhost at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
Oct 6 09:11:06 localhost at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
Oct 6 09:11:06 localhost at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
Oct 6 09:11:06 localhost at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
Oct 6 09:11:06 localhost at org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter.onAccessDenied(BasicHttpAuthenticationFilter.java:190)
Oct 6 09:11:06 localhost at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
Oct 6 09:11:06 localhost at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
Oct 6 09:11:06 localhost at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
Oct 6 09:11:06 localhost at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
Oct 6 09:11:06 localhost at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
Oct 6 09:11:06 localhost at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
Oct 6 09:11:06 localhost at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
Oct 6 09:11:06 localhost at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
Oct 6 09:11:06 localhost at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
Oct 6 09:11:06 localhost at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
Oct 6 09:11:06 localhost at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
Oct 6 09:11:06 localhost at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
Oct 6 09:11:06 localhost at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
Oct 6 09:11:06 localhost at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:332)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.filter.ResponseCookieFilter.doFilter(ResponseCookieFilter.java:50)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:332)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:332)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:139)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:91)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.GatewayServlet.service(GatewayServlet.java:138)
Oct 6 09:11:06 localhost at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
Oct 6 09:11:06 localhost at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
Oct 6 09:11:06 localhost at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
Oct 6 09:11:06 localhost at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.Server.handle(Server.java:499)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
Oct 6 09:11:06 localhost at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
Oct 6 09:11:06 localhost at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
Oct 6 09:11:06 localhost at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
Oct 6 09:11:06 localhost at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
Oct 6 09:11:06 localhost at java.lang.Thread.run(Thread.java:745)
Oct 6 09:11:06 Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
Oct 6 09:11:06 localhost at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3088)
Oct 6 09:11:06 localhost at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3034)
Oct 6 09:11:06 localhost at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2836)
Oct 6 09:11:06 localhost at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2750)
Oct 6 09:11:06 localhost at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:317)
Oct 6 09:11:06 localhost at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
Oct 6 09:11:06 localhost at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
Oct 6 09:11:06 localhost at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
Oct 6 09:11:06 localhost at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
Oct 6 09:11:06 localhost at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
Oct 6 09:11:06 localhost at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
Oct 6 09:11:06 localhost at javax.naming.InitialContext.init(InitialContext.java:242)
Oct 6 09:11:06 localhost at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
Oct 6 09:11:06 localhost at org.apache.shiro.realm.ldap.JndiLdapContextFactory.createLdapContext(JndiLdapContextFactory.java:508)
Oct 6 09:11:06 localhost at org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory.createLdapContext(KnoxLdapContextFactory.java:63)
Oct 6 09:11:06 localhost at org.apache.shiro.realm.ldap.JndiLdapContextFactory.getLdapContext(JndiLdapContextFactory.java:495)
Oct 6 09:11:06 localhost at org.apache.shiro.realm.ldap.JndiLdapRealm.queryForAuthenticationInfo(JndiLdapRealm.java:375)
Oct 6 09:11:06 localhost at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:295)
Oct 6 09:11:06 localhost ... 61 more
Oct 6 09:11:06 knox01 knox ERROR - org.apache.hadoop.gatewayShiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
{noformat}
The error code is crazy because it's the right username and password. I don't understand the mistake.

> Unstable LDAP authentication
> ----------------------------
>
>                 Key: KNOX-746
>                 URL: https://issues.apache.org/jira/browse/KNOX-746
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.9.1
>         Environment: Knox 0.9.1, Hadoop 2.7.2
>            Reporter: Alexandre Linte
>
> I'm upgrading Knox from 0.7.0 to 0.9.1. My LDAP configuration doesn't change between the two versions. You can find the topology below:
> {noformat}
> <topology>
>     <gateway>
>         <provider>
>             <role>authentication</role>
>             <name>ShiroProvider</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>sessionTimeout</name>
>                 <value>30</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm</name>
>                 <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
>             </param>
>             <param>
>                 <name>main.ldapContextFactory</name>
>                 <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.contextFactory</name>
>                 <value>$ldapContextFactory</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.userDnTemplate</name>
>                 <value>cn={0},ou=users,ou=kerberos,dc=bigdata,dc=fr</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.contextFactory.url</name>
>                 <value>ldap://ldapmaster01.bigdata.fr:389</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
>                 <value>simple</value>
>             </param>
>             <param>
>                 <name>main.cacheManager</name>
>                 <value>org.apache.shiro.cache.ehcache.EhCacheManager</value>
>             </param>
>             <param>
>                 <name>main.securityManager.cacheManager</name>
>                 <value>$cacheManager</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.authenticationCachingEnabled</name>
>                 <value>true</value>
>             </param>
>             <param>
>                 <name>urls./**</name>
>                 <value>authcBasic</value>
>             </param>
>         </provider>
>         <provider>
>             <role>ha</role>
>             <name>HaProvider</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>WEBHDFS</name>
>                 <value>maxFailoverAttempts=3;failoverSleep=1000;maxRetryAttempts=300;retrySleep=1000;enabled=true</value>
>             </param>
>         </provider>
>         <provider>
>             <role>identity-assertion</role>
>             <name>Default</name>
>             <enabled>true</enabled>
>         </provider>
>         <provider>
>             <role>hostmap</role>
>             <name>static</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>localhost</name>
>                 <value>sandbox,sandbox.hortonworks.com</value>
>             </param>
>         </provider>
>     </gateway>
>     <service>
>         <role>NAMENODE</role>
>         <url>hdfs://namenode01.bigdata.fr:8020</url>
>     </service>
>     <service>
>         <role>RESOURCEMANAGER</role>
>         <url>http://rm01.bigdata.fr:8088/ws</url>
>     </service>
>     <service>
>         <role>JOBTRACKER</role>
>         <url>rpc://rm01.bigdata.fr:8050</url>
>     </service>
>     <service>
>         <role>WEBHDFS</role>
>         <url>http://namenode01.bigdata.fr:50070/webhdfs</url>
>         <url>http://namenode02.bigdata.fr:50070/webhdfs</url>
>     </service>
>     <service>
>         <role>YARNUI</role>
>         <url>http://rm02.bigdata.fr:8088</url>
>     </service>
>     <service>
>         <role>HDFSUI</role>
>         <url>http://namenode01.bigdata.fr:50070</url>
>     </service>
>     <service>
>         <role>JOBHISTORYUI</role>
>         <url>http://namenode01.bigdata.fr:19888</url>
>     </service>
>     <service>
>         <role>WEBHCAT</role>
>         <url>http://metastore01.bigdata.fr:50111/templeton</url>
>     </service>
>     <service>
>         <role>OOZIE</role>
>         <url>http://oozie01.bigdata.fr:11000/oozie</url>
>     </service>
>     <service>
>         <role>OOZIEUI</role>
>         <url>http://oozie01.bigdata.fr:11000/oozie</url>
>     </service>
>     <service>
>         <role>WEBHBASE</role>
>         <url>http://hiveserver01.bigdata.fr:8080</url>
>     </service>
>     <service>
>         <role>HBASEUI</role>
>         <url>http://namenode01.bigdata.fr:16010</url>
>     </service>
>     <service>
>         <role>HIVE</role>
>         <url>http://hiveserver01.bigdata.fr:10001/bdcorp</url>
>     </service>
>     <service>
>         <role>SPARKHISTORYUI</role>
>         <url>http://sparkhistory01.bigdata.fr:18080</url>
>     </service>
> </topology>
> {noformat}
> Note: The XML is correct but I cannot validate the topology through knoxcli.
> {noformat}
> [root@knox01 current]# ./bin/knoxcli.sh validate-topology --cluster bigdata
> File to be validated:
> /opt/application/Knox/knox-0.9.1/bin/../conf/topologies/bigdata.xml
> ==========================================
> Error retrieving schema from ClassLoader
> Topology validation unsuccessful
> {noformat}
> Regularly I cannot connect to Knox with my personal account and after a few seconds or minutes, I can connect again. The stack trace is below:
> {noformat}
> Aug 25 09:42:16 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayComputed userDn: cn=shfs3453,ou=users,ou=kerberos,dc=bigdata,dc=fr using dnTemplate for principal: shfs3453
> Aug 25 09:42:16 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayCould not login: org.apache.shiro.authc.UsernamePasswordToken - shfs3453, rememberMe=false (192.168.64.169)
> Aug 25 09:42:16 knox01.bigdata.fr knox ERROR - org.apache.hadoop.gatewayShiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
> Aug 25 09:42:32 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayComputed userDn: cn=shfs3453,ou=users,ou=kerberos,dc=bigdata,dc=fr using dnTemplate for principal: shfs3453
> {noformat}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
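
A log-triage sketch for the symptom reported in this issue, added here and not part of the JIRA thread or of Knox: it parses lines in the gateway log format quoted above and separates an account whose error 49 is followed shortly by a login attempt with no failure (the intermittent pattern described) from an account that only ever fails. Assumptions: a `Computed userDn` line with no following `Could not login` line counts as a success, the year is supplied because the timestamps carry none, and the `svc-demo` lines, the 2-second pairing and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First four lines are from the issue; the svc-demo lines are constructed.
P = "knox01.bigdata.fr knox INFO - org.apache.hadoop.gateway"
SAMPLE = f"""\
Aug 25 09:42:16 {P}Computed userDn: cn=shfs3453,ou=users,ou=kerberos,dc=bigdata,dc=fr using dnTemplate for principal: shfs3453
Aug 25 09:42:16 {P}Could not login: org.apache.shiro.authc.UsernamePasswordToken - shfs3453, rememberMe=false (192.168.64.169)
Aug 25 09:42:16 knox01.bigdata.fr knox ERROR - org.apache.hadoop.gatewayShiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
Aug 25 09:42:32 {P}Computed userDn: cn=shfs3453,ou=users,ou=kerberos,dc=bigdata,dc=fr using dnTemplate for principal: shfs3453
Aug 25 09:50:01 {P}Could not login: org.apache.shiro.authc.UsernamePasswordToken - svc-demo, rememberMe=false (192.0.2.10)
Aug 25 09:50:03 {P}Could not login: org.apache.shiro.authc.UsernamePasswordToken - svc-demo, rememberMe=false (192.0.2.10)
Aug 25 09:50:05 {P}Could not login: org.apache.shiro.authc.UsernamePasswordToken - svc-demo, rememberMe=false (192.0.2.10)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ knox \w+ - org\.apache\.hadoop\.gateway(.*)$")
DN = re.compile(r"Computed userDn: .* for principal: (\S+)")
FAIL = re.compile(r"Could not login: \S+ - ([^,]+), rememberMe=\w+ \(([^)]+)\)")

def attempts(log, year=2016):
    """Return principal -> [[time, succeeded, source_ip], ...]; year is assumed."""
    out = defaultdict(list)
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace frames and foreign lines are skipped
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if (d := DN.search(m.group(2))):
            out[d.group(1)].append([ts, True, None])  # success until a failure follows
        elif (f := FAIL.search(m.group(2))):
            user, ip = f.groups()
            last = out[user][-1] if out[user] else None
            if last and last[1] and ts - last[0] <= timedelta(seconds=2):
                last[1], last[2] = False, ip  # same attempt, now known to have failed
            else:
                out[user].append([ts, False, ip])
    return out

def classify(log, window=timedelta(minutes=5)):
    """Label each principal: flapping, repeated-failure, failed or ok."""
    verdicts = {}
    for user, rows in attempts(log).items():
        fails = sum(1 for r in rows if not r[1])
        # A failure followed by a success inside `window` is the reported symptom.
        recovered = any(not a[1] and b[1] and b[0] - a[0] <= window
                        for a, b in zip(rows, rows[1:]))
        verdicts[user] = ("flapping" if recovered else "repeated-failure" if fails >= 3
                          else "failed" if fails else "ok")
    return verdicts
```
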