[ https://issues.apache.org/jira/browse/KNOX-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Larry McCay resolved KNOX-762.
------------------------------
    Resolution: Fixed

> Remove dependency on httpcomponents httpclient 4.5.2
> ----------------------------------------------------
>
>                 Key: KNOX-762
>                 URL: https://issues.apache.org/jira/browse/KNOX-762
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 0.10.0
>
>
> Reported by Benjamin Ruland:
>
> I am experiencing problems with Knox while using WebHDFS in a cluster with Kerberos and SSL.
> The KDC is a Microsoft AD 2012. Kerberos encryption is set to AES256. Knox is connected to AD via LDAP sync (this is working fine for other Knox services).
> I am running HDP 2.5 with Knox 0.9.0.
>
> In general, the cluster runs fine. WebHDFS using SPNEGO is working.
>
> But when accessing WebHDFS over Knox, I get a 401 error and some strange logs.
> I suspect that Knox is trying to get a ticket for an HTTPS/namenode@REALM principal, which does not exist. Although running SSL, all principals for SPNEGO are HTTP/...
>
> Is this a Knox bug or is this a misconfiguration at some point?
>
> It would be great if someone has advice.
>
> Best regards,
> Benjamin
>
>
> The used command is:
>
> [root@utilitynode ~]# curl -ik -u validuser "https://utilitynode:8443/gateway/default/webhdfs/v1/?OP=LISTSTATUS"
> Enter host password for user 'validuser':
> HTTP/1.1 401 Unauthorized
> Date: Wed, 12 Oct 2016 07:47:41 GMT
> Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Tue,11-Oct-2016 07:47:41 GMT
> WWW-Authenticate: BASIC realm="application"
> Content-Length: 0
> Server: Jetty(9.2.15.v20160210)
>
>
> Debug log in knox gateway.log:
>
> 2016-10-12 09:51:49,735 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /webhdfs/v1/
> 2016-10-12 09:51:49,740 DEBUG hadoop.gateway (KnoxLdapRealm.java:getUserDn(673)) - Searching from OU=someOU,DC=somedomain,DC=de where (&(objectclass=person)(sAMAccountName=validuser)) scope subtree
> 2016-10-12 09:51:49,745 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(679)) - Computed userDn: CN=validuser,OU=Users,OU=someOU,DC=somedomain,DC=de using ldapSearch for principal: validuser
> 2016-10-12 09:51:49,749 DEBUG hadoop.gateway (UrlRewriteProcessor.java:rewrite(166)) - Rewrote URL: https://utilitynode:8443/gateway/default/webhdfs/v1/?OP=LISTSTATUS, direction: IN via explicit rule: WEBHDFS/webhdfs/inbound/namenode/root to URL: https://utilitynode.somedomain.de:50470/webhdfs/v1/?OP=LISTSTATUS
> 2016-10-12 09:51:49,749 DEBUG hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(120)) - Dispatch request: GET https://utilitynode.somedomain.de:50470/webhdfs/v1/?OP=LISTSTATUS&doAs=validuser
> 2016-10-12 09:51:49,781 WARN auth.HttpAuthenticator (HttpAuthenticator.java:generateAuthResponse(207)) - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)))
> 2016-10-12 09:51:49,782 DEBUG hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(133)) - Dispatch response status: 401
> 2016-10-12 09:51:49,783 DEBUG hadoop.gateway (DefaultDispatch.java:getInboundResponseContentType(202)) - Using explicit character set ISO-8859-1 for entity of type text/html
> 2016-10-12 09:51:49,783 DEBUG hadoop.gateway (DefaultDispatch.java:getInboundResponseContentType(210)) - Inbound response entity content type: text/html; charset=iso-8859-1
>
>
> Log in knox gateway.out:
>
> Found ticket for knox/utilitynode.somedomain...@somedomain.de to go to krbtgt/somedomain...@somedomain.de expiring on Wed Oct 12 19:53:51 CEST 2016
> Entered Krb5Context.initSecContext with state=STATE_NEW
> Service ticket not found in the subject
> >>> Credentials acquireServiceCreds: same realm
> default etypes for default_tgs_enctypes: 18.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> getKDCFromDNS using UDP
> >>> KrbKdcReq send: kdc=domaincontroller.somedomain.de. TCP:88, timeout=30000, number of retries =3, #bytes=1661
> >>> KDCCommunication: kdc=domaincontroller.somedomain.de. TCP:88, timeout=30000,Attempt =1, #bytes=1661
> >>>DEBUG: TCPClient reading 127 bytes
> >>> KrbKdcReq send: #bytes read=127
> >>> KdcAccessibility: remove domaincontroller.somedomain.de.:88
> >>> KDCRep: init() encoding tag is 126 req type is 13
> >>>KRBError:
>     sTime is Wed Oct 12 09:53:51 CEST 2016 1476258831000
>     suSec is 8354
>     error code is 7
>     error Message is Server not found in Kerberos database
>     sname is HTTPS/namenode.somedomain...@somedomain.de
>     msgType is 30
>
>
> Extracts from topology config:
>
> <topology>
>   <gateway>
>     <provider>
>       <role>authentication</role>
>       <name>ShiroProvider</name>
>       <enabled>true</enabled>
>       <!-- LDAP Sync properties sit here -->
>     </provider>
>     <provider>
>       <role>identity-assertion</role>
>       <name>Default</name>
>       <enabled>true</enabled>
>     </provider>
>     <provider>
>       <role>authorization</role>
>       <name>XASecurePDPKnox</name>
>       <enabled>true</enabled>
>     </provider>
>     <provider>
>       <role>ha</role>
>       <name>HaProvider</name>
>       <enabled>true</enabled>
>       <param>
>         <name>WEBHDFS</name>
>         <value>maxFailoverAttempts=3;failoverSleep=1000;maxRetryAttempts=300;retrySleep=1000;enabled=true</value>
>       </param>
>     </provider>
>   </gateway>
>   <service>
>     <role>NAMENODE</role>
>     <url>hdfs://namenode.somedomain.de:8020</url>
>     <url>hdfs://namenode2.somedomain.de:8020</url>
>   </service>
>   <service>
>     <role>WEBHDFS</role>
>     <url>https://namenode.somedomain.de:50470/webhdfs</url>
>     <url>https://namenode2.somedomain.de:50470/webhdfs</url>
>   </service>
> </topology>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
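Added example (not part of the JIRA issue and not Knox or HttpClient code). The reporter's suspicion is confirmed by the JGSS trace in the report: the KDC answers error code 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN, "Server not found in Kerberos database") for `sname is HTTPS/namenode...`. The GSS service name for HTTP negotiation is `HTTP@hostname` whether or not the connection uses TLS (RFC 4559), so a client that builds the service class from the URL scheme asks for a principal that is never registered. The script below computes the principal a SPNEGO client should request for a WebHDFS URL, shows the scheme-derived form beside it, and scans JGSS debug output for this signature, separating "wrong service class" (client bug or misconfiguration) from "principal genuinely absent". The hostnames, the realm `EXAMPLE.TEST` and the log lines are constructed for the example.

```python
"""Service-principal check for SPNEGO clients and a scanner for the JGSS
failure pattern in KNOX-762 (HTTPS/host requested, only HTTP/host exists).

Added example; not Knox code. Hostnames, realm and log lines are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# RFC 4559: the GSS service name for HTTP negotiation is HTTP@hostname,
# whether or not the connection uses TLS.
SPNEGO_SERVICE_CLASS = "HTTP"
# RFC 4120 error code behind "Server not found in Kerberos database".
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7


def expected_spn(url: str, realm: Optional[str] = None) -> str:
    """Principal a correct SPNEGO client asks the KDC for when talking to url."""
    host = urlsplit(url).hostname  # lower-cased, port stripped
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    spn = f"{SPNEGO_SERVICE_CLASS}/{host}"
    return f"{spn}@{realm}" if realm else spn


def scheme_derived_spn(url: str, realm: Optional[str] = None) -> str:
    """Principal a client asks for if it wrongly takes the service class from
    the URL scheme: HTTPS/host for https:// URLs. Shown only for contrast."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"no host in URL: {url!r}")
    spn = f"{parts.scheme.upper()}/{parts.hostname}"
    return f"{spn}@{realm}" if realm else spn


# Fields of the JGSS KRBError dump printed with sun.security.krb5.debug=true.
_ERROR_CODE_RE = re.compile(r"error code is (?P<code>\d+)")
_SNAME_RE = re.compile(r"sname is (?P<service>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)")


def find_spn_failures(log_text: str) -> List[Dict[str, object]]:
    """Pair each KRBError's 'error code' with the 'sname' it was raised for and
    classify it. Returns one record per KRBError block that names an sname."""
    findings: List[Dict[str, object]] = []
    pending_code: Optional[int] = None
    for line in log_text.splitlines():
        m = _ERROR_CODE_RE.search(line)
        if m:
            pending_code = int(m.group("code"))
            continue
        m = _SNAME_RE.search(line)
        if not m or pending_code is None:
            continue
        service, host, realm = m.group("service", "host", "realm")
        if pending_code != KDC_ERR_S_PRINCIPAL_UNKNOWN:
            verdict = "other KDC error"
        elif service != SPNEGO_SERVICE_CLASS:
            verdict = "wrong service class"      # client bug or misconfiguration
        else:
            verdict = "principal not registered"  # SPN really missing in the KDC
        findings.append({
            "error_code": pending_code,
            "requested": f"{service}/{host}@{realm}",
            "expected": f"{SPNEGO_SERVICE_CLASS}/{host}@{realm}",
            "verdict": verdict,
        })
        pending_code = None
    return findings


# Constructed sample modelled on the gateway.out trace in the report; a second
# KRBError block is included so that both verdicts are exercised.
SAMPLE_JGSS_LOG = """\
Found ticket for knox/gateway.example.test@EXAMPLE.TEST to go to krbtgt/EXAMPLE.TEST@EXAMPLE.TEST expiring on Wed Oct 12 19:53:51 CEST 2016
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> KrbKdcReq send: kdc=dc.example.test. TCP:88, timeout=30000, number of retries =3, #bytes=1661
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
\t sTime is Wed Oct 12 09:53:51 CEST 2016 1476258831000
\t suSec is 8354
\t error code is 7
\t error Message is Server not found in Kerberos database
\t sname is HTTPS/namenode.example.test@EXAMPLE.TEST
\t msgType is 30
>>>KRBError:
\t error code is 7
\t error Message is Server not found in Kerberos database
\t sname is HTTP/decommissioned.example.test@EXAMPLE.TEST
\t msgType is 30
"""

if __name__ == "__main__":
    url = "https://namenode.example.test:50470/webhdfs"
    print("should request :", expected_spn(url, "EXAMPLE.TEST"))
    print("scheme-derived :", scheme_derived_spn(url, "EXAMPLE.TEST"))
    for f in find_spn_failures(SAMPLE_JGSS_LOG):
        print(f"KDC error {f['error_code']}: requested {f['requested']}, "
              f"expected {f['expected']} -> {f['verdict']}")
```

To apply this to a real gateway.out, pipe the JGSS output into `find_spn_failures`; a "wrong service class" verdict means the fix lies on the client side (the HTTP client library or its configuration), while "principal not registered" means the SPN itself has to be created in the KDC or keytab.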