Larry McCay created KNOX-762:
--------------------------------

             Summary: Remove dependency on httpcomponents httpclient 4.5.2
                 Key: KNOX-762
                 URL: https://issues.apache.org/jira/browse/KNOX-762
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
            Reporter: Larry McCay
            Assignee: Larry McCay
             Fix For: 0.10.0


Reported by Benjamin Ruland:
 
I am experiencing problems with Knox while using WebHDFS in a cluster with 
Kerberos and SSL.
The KDC is a Microsoft AD 2012. Kerberos encryption is set to AES256. Knox is 
connected to AD via LDAP sync (this is working fine for other Knox services).
I am running HDP 2.5 with Knox 0.9.0.
 
In general, the cluster runs fine. WebHDFS using SPNEGO is working.
 
But when accessing WebHDFS over Knox, I get a 401 error and some strange logs.
I suspect that Knox is trying to get a ticket for a HTTPS/namenode@REALM 
principal, which does not exist. Although running SSL, all principals for 
SPNEGO are HTTP/...
 
Is this a Knox bug or is this a misconfiguration at some point?
 
It would be great if someone has advice.
 
Best regards,
Benjamin
 
The command used is:
 
[root@utilitynode ~]# curl -ik -u validuser 
"https://utilitynode:8443/gateway/default/webhdfs/v1/?OP=LISTSTATUS";
Enter host password for user 'validuser':
HTTP/1.1 401 Unauthorized
Date: Wed, 12 Oct 2016 07:47:41 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; 
Expires=Tue,11-Oct-2016 07:47:41 GMT
WWW-Authenticate: BASIC realm="application"
Content-Length: 0
Server: Jetty(9.2.15.v20160210)
 
 
Debug log in Knox gateway.log:
 
2016-10-12 09:51:49,735 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(116)) 
- Received request: GET /webhdfs/v1/
2016-10-12 09:51:49,740 DEBUG hadoop.gateway 
(KnoxLdapRealm.java:getUserDn(673)) - Searching from 
OU=someOU,DC=somedomain,DC=de where 
(&(objectclass=person)(sAMAccountName=validuser)) scope subtree
2016-10-12 09:51:49,745 INFO  hadoop.gateway 
(KnoxLdapRealm.java:getUserDn(679)) - Computed userDn: 
CN=validuser,OU=Users,OU=someOU,DC=somedomain,DC=de using ldapSearch for 
principal: validuser
2016-10-12 09:51:49,749 DEBUG hadoop.gateway 
(UrlRewriteProcessor.java:rewrite(166)) - Rewrote URL: 
https://utilitynode:8443/gateway/default/webhdfs/v1/?OP=LISTSTATUS, direction: 
IN via explicit rule: WEBHDFS/webhdfs/inbound/namenode/root to URL: 
https://utilitynode.somedomain.de:50470/webhdfs/v1/?OP=LISTSTATUS
2016-10-12 09:51:49,749 DEBUG hadoop.gateway 
(DefaultDispatch.java:executeOutboundRequest(120)) - Dispatch request: GET 
https://utilitynode.somedomain.de:50470/webhdfs/v1/?OP=LISTSTATUS&doAs=validuser
2016-10-12 09:51:49,781 WARN  auth.HttpAuthenticator 
(HttpAuthenticator.java:generateAuthResponse(207)) - NEGOTIATE authentication 
error: No valid credentials provided (Mechanism level: No valid credentials 
provided (Mechanism level: Server not found in Kerberos database (7)))
2016-10-12 09:51:49,782 DEBUG hadoop.gateway 
(DefaultDispatch.java:executeOutboundRequest(133)) - Dispatch response status: 
401
2016-10-12 09:51:49,783 DEBUG hadoop.gateway 
(DefaultDispatch.java:getInboundResponseContentType(202)) - Using explicit 
character set ISO-8859-1 for entity of type text/html
2016-10-12 09:51:49,783 DEBUG hadoop.gateway 
(DefaultDispatch.java:getInboundResponseContentType(210)) - Inbound response 
entity content type: text/html; charset=iso-8859-1
 
 
Log in Knox gateway.out:
 
Found ticket for knox/utilitynode.somedomain...@somedomain.de to go to 
krbtgt/somedomain...@somedomain.de expiring on Wed Oct 12 19:53:51 CEST 2016
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 18.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=domaincontroller.somedomain.de. TCP:88, timeout=30000, 
>>> number of retries =3, #bytes=1661
>>> KDCCommunication: kdc=domaincontroller.somedomain.de. TCP:88, 
>>> timeout=30000,Attempt =1, #bytes=1661
>>>DEBUG: TCPClient reading 127 bytes
>>> KrbKdcReq send: #bytes read=127
>>> KdcAccessibility: remove domaincontroller.somedomain.de.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
         sTime is Wed Oct 12 09:53:51 CEST 2016 1476258831000
         suSec is 8354   suSec is 8354
         error code is 7
         error Message is Server not found in Kerberos database
         sname is HTTPS/namenode.somedomain...@somedomain.de
         msgType is 30
 
 
Extracts from topology config:
 
<topology>
 
  <gateway>
 
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
 
      <!-- LDAP Sync properties sit here -->
    </provider>
 
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
 
    <provider>
      <role>authorization</role>
      <name>XASecurePDPKnox</name>
      <enabled>true</enabled>
    </provider>
 
    <provider>
      <role>ha</role>
      <name>HaProvider</name>
      <enabled>true</enabled>
      <param>
        <name>WEBHDFS</name>
        <value>maxFailoverAttempts=3;failoverSleep=1000;maxRetryAttempts=300;retrySleep=1000;enabled=true</value>
      </param>
    </provider>
 
  </gateway>
 
  <service>
    <role>NAMENODE</role>
    <url>hdfs://namenode.somedomain.de:8020</url>
    <url>hdfs://namenode2.somedomain.de:8020</url>
  </service>
 
  <service>
    <role>WEBHDFS</role>
    <url>https://namenode.somedomain.de:50470/webhdfs</url>
    <url>https://namenode2.somedomain.de:50470/webhdfs</url>
  </service>
 
</topology>
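As an added triage aid (not part of this report or of Knox itself), the following Python script correlates the two logs quoted above: it flags the dispatch failures carrying Kerberos error 7 in gateway.log, pulls the requested service principal (sname) out of the JVM Krb5 debug output in gateway.out, and separates the case seen here (an HTTPS/ principal derived from the URL scheme, while SPNEGO principals are HTTP/) from a principal that is genuinely missing from the KDC. The sample lines are constructed from the excerpts above; the host and realm names are placeholders.

```python
import re

# Constructed sample input modelled on the gateway.log and gateway.out excerpts in
# this report (host names and realm are placeholders, not the reporter's values).
GATEWAY_LOG = """\
2016-10-12 09:51:49,749 DEBUG hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(120)) - Dispatch request: GET https://namenode.example.test:50470/webhdfs/v1/?OP=LISTSTATUS&doAs=validuser
2016-10-12 09:51:49,781 WARN  auth.HttpAuthenticator (HttpAuthenticator.java:generateAuthResponse(207)) - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)))
2016-10-12 09:51:49,782 DEBUG hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(133)) - Dispatch response status: 401
"""
GATEWAY_OUT = """\
>>>KRBError:
         error code is 7
         error Message is Server not found in Kerberos database
         sname is HTTPS/namenode.example.test@EXAMPLE.TEST
         msgType is 30
"""

KRB_ERR7_RE = re.compile(r"Server not found in Kerberos database \(7\)")
SNAME_RE = re.compile(r"sname is (?P<svc>[A-Za-z]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)")

def dispatch_failures(gateway_log):
    """Lines where the outbound SPNEGO dispatch failed with KRB error 7 (unknown server)."""
    return [ln for ln in gateway_log.splitlines() if KRB_ERR7_RE.search(ln)]

def requested_spns(gateway_out):
    """(service, host, realm) for every sname in the JVM Krb5 debug KRBError blocks."""
    return [m.group("svc", "host", "realm") for m in SNAME_RE.finditer(gateway_out)]

def diagnose(gateway_log, gateway_out):
    """Correlate both logs into (kind, message) findings.
    scheme-derived-spn: HTTPS/<host> was requested, i.e. the service class came
    from the URL scheme, although SPNEGO principals are HTTP/<host>.
    unknown-spn: HTTP/<host> was requested but the KDC still lacks it."""
    findings = []
    failures = dispatch_failures(gateway_log)
    for svc, host, realm in requested_spns(gateway_out):
        if svc.upper() == "HTTPS":
            findings.append(("scheme-derived-spn",
                f"requested {svc}/{host}@{realm}; expected HTTP/{host}@{realm} "
                f"({len(failures)} dispatch failure(s) with KRB error 7)"))
        elif failures:
            findings.append(("unknown-spn",
                f"{svc}/{host}@{realm} not in KDC; verify host name, realm and keytab"))
    return findings

if __name__ == "__main__":
    for kind, msg in diagnose(GATEWAY_LOG, GATEWAY_OUT):
        print(kind, "->", msg)
```

Run it against the real gateway.log and gateway.out (read as strings) to confirm whether the requested sname uses the HTTPS service class before touching the KDC or keytabs.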



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)