[ https://issues.apache.org/jira/browse/KNOX-745?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Risden updated KNOX-745:
------------------------------
    Fix Version/s:     (was: 1.2.0)

> KnoxCLI system-user-auth-test and user-auth-test don't work with system password alias
> ----------------------------------------------------------------------------------------
>
>                 Key: KNOX-745
>                 URL: https://issues.apache.org/jira/browse/KNOX-745
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: KnoxCLI
>    Affects Versions: 0.10.0
>         Environment: centos6
>            Reporter: Vipin Rathor
>            Priority: Minor
>
> When a system password alias is used instead of a plain text password in the Knox topology, the knoxcli system-user-auth-test and user-auth-test fail to authenticate.
> The issue can be reproduced easily by following these steps:
>
> Steps to reproduce:
>
> 1. Specify these three properties in the topology (say sandbox.xml)
> {code:java}
> <param>
>     <name>main.ldapRealm.authorizationEnabled</name>
>     <value>true</value>
> </param>
> <param>
>     <name>main.ldapRealm.contextFactory.systemUsername</name>
>     <value>uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</value>
> </param>
> <param>
>     <name>main.ldapRealm.contextFactory.systemPassword</name>
>     <value>${ALIAS=ldapsystempassword}</value>
> </param>
> {code}
> 2. Save and restart the Knox gateway service
> 3. Create the password alias:
> bin/knoxcli.sh create-alias ldapsystempassword --value 'admin-password' --cluster sandbox
> 4. Both the below commands would fail:
> {code:java}
> bin/knoxcli.sh system-user-auth-test --cluster sandbox --d
> org.apache.shiro.authc.AuthenticationException: LDAP authentication failed. [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=people,dc=hadoop,dc=apache,dc=org]
> org.apache.shiro.authc.AuthenticationException: LDAP authentication failed.
>         at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:300)
>         at org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.doGetAuthenticationInfo(KnoxLdapRealm.java:193)
>         at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
>         at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
>         at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
>         at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
>         at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
>         at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
>         at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
>         at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1069)
>         at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.testSysBind(KnoxCLI.java:1171)
>         at org.apache.hadoop.gateway.util.KnoxCLI$LDAPSysBindCommand.execute(KnoxCLI.java:1478)
>         at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:138)
>         at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
>         at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1675)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
>         at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
>         at org.apache.hadoop.gateway.launcher.Command.run(Command.java:101)
>         at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
>         at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=people,dc=hadoop,dc=apache,dc=org]
>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3088)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3034)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2836)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2750)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:317)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>         at javax.naming.InitialContext.init(InitialContext.java:242)
>         at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>         at org.apache.shiro.realm.ldap.JndiLdapContextFactory.createLdapContext(JndiLdapContextFactory.java:508)
>         at org.apache.shiro.realm.ldap.JndiLdapContextFactory.getLdapContext(JndiLdapContextFactory.java:495)
>         at org.apache.shiro.realm.ldap.JndiLdapRealm.queryForAuthenticationInfo(JndiLdapRealm.java:375)
>         at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:295)
>         ... 23 more
> Unable to successfully bind to LDAP server with topology credentials. Are your parameters correct?
> {code}
>
> user-auth-test:
> {code:java}
> bin/knoxcli.sh user-auth-test --cluster sandbox --u guest --p guest-password --d --g
> org.apache.shiro.config.ConfigurationException: Unable to set property 'contextFactory.systemPassword' with value [S{ALIAS=ldapsystempassword}] on object of type org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm. If 'S{ALIAS=ldapsystempassword}' is a reference to another (previously defined) object, prefix it with '$' to indicate that the referenced object should be used as the actual value. For example, $S{ALIAS=ldapsystempassword}
> org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand$BadSubjectException: Subject could not be created with Shiro Config at sections=main,urls
> org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand$BadSubjectException: Subject could not be created with Shiro Config at sections=main,urls
>         at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.getSubject(KnoxCLI.java:1242)
>         at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1067)
>         at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1104)
>         at org.apache.hadoop.gateway.util.KnoxCLI$LDAPAuthCommand.execute(KnoxCLI.java:1400)
>         at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:138)
>         at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
>         at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1675)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
>         at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
>         at org.apache.hadoop.gateway.launcher.Command.run(Command.java:101)
>         at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
>         at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
> ERR: Unable to authenticate user: guest
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
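The failure described above comes down to an `${ALIAS=name}` token reaching the LDAP bind (or the Shiro property setter) unresolved, so the directory rejects it as a bad password. As an added example (not Knox's own code), the snippet below parses the reported topology params, resolves alias tokens from an alias store before any realm is built, fails closed when the alias is absent, and exposes a pre-bind check that flags password parameters still carrying a token; the alias store and the surrounding `<topology>` wrapper are constructed stand-ins.

```python
"""Resolve ${ALIAS=name} references in Knox-style topology params.

Added example, not Knox's own code. ALIAS_STORE is a constructed
in-memory stand-in for the per-cluster credential store that
`knoxcli.sh create-alias` fills; the params are the ones from KNOX-745.
"""
import re
import xml.etree.ElementTree as ET

# Constructed topology fragment: the three params from the report, wrapped in a root.
TOPOLOGY_XML = """<topology><gateway><provider>
<param><name>main.ldapRealm.authorizationEnabled</name><value>true</value></param>
<param><name>main.ldapRealm.contextFactory.systemUsername</name>
<value>uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</value></param>
<param><name>main.ldapRealm.contextFactory.systemPassword</name>
<value>${ALIAS=ldapsystempassword}</value></param>
</provider></gateway></topology>"""

# Constructed alias store; the value matches the create-alias step in the report.
ALIAS_STORE = {"ldapsystempassword": "admin-password"}

# Whole-value match only: a partial token is a misconfiguration, not a reference.
ALIAS_RE = re.compile(r"^\$\{ALIAS=([A-Za-z0-9_.-]+)\}$")


class UnresolvedAliasError(ValueError):
    """Raised instead of handing an alias token to the bind as a credential."""


def load_params(xml_text):
    """Return {name: value} for every <param> in the topology."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name").strip(): p.findtext("value").strip()
            for p in root.iter("param")}


def resolve_aliases(params, store):
    """Substitute ${ALIAS=x} values from the store; fail closed on a missing alias."""
    resolved = {}
    for name, value in params.items():
        m = ALIAS_RE.match(value)
        if not m:
            resolved[name] = value
            continue
        alias = m.group(1)
        if alias not in store:
            raise UnresolvedAliasError(f"{name}: alias '{alias}' not in credential store")
        resolved[name] = store[alias]  # never log this value
    return resolved


def unresolved_credentials(params):
    """Names of *Password params still carrying a token: the symptom in the report."""
    return sorted(n for n, v in params.items()
                  if n.lower().endswith("password") and ALIAS_RE.match(v))
```

Running `unresolved_credentials` on the raw params reproduces the report's condition (the system password is still a token); running it on the output of `resolve_aliases` returns an empty list, which is the state the CLI should be in before it attempts the bind.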