[ https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082675#comment-15082675 ]
Hadoop QA commented on OOZIE-2427:
----------------------------------

Testing JIRA OOZIE-2427

Cleaning local git workspace

----------------------------

{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
.    {color:green}+1{color} the patch does not introduce any @author tags
.    {color:green}+1{color} the patch does not introduce any tabs
.    {color:green}+1{color} the patch does not introduce any trailing spaces
.    {color:green}+1{color} the patch does not introduce any line longer than 132
.    {color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
.    {color:green}+1{color} the patch does not seem to introduce new RAT warnings
{color:green}+1 JAVADOC{color}
.    {color:green}+1{color} the patch does not seem to introduce new Javadoc warnings
{color:green}+1 COMPILE{color}
.    {color:green}+1{color} HEAD compiles
.    {color:green}+1{color} patch compiles
.    {color:green}+1{color} the patch does not seem to introduce new javac warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.    {color:green}+1{color} the patch does not change any JPA Entity/Colum/Basic/Lob/Transient annotations
.    {color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color}
.    Tests run: 1703
.    Tests failed: 6
.    Tests errors: 0

.    The patch failed the following testcases:

.      testBundleStatusTransitWithLock(org.apache.oozie.service.TestStatusTransitService)
.      testCoordChangeConcurrency(org.apache.oozie.command.coord.TestCoordChangeXCommand)
.      testForNoDuplicates(org.apache.oozie.event.TestEventGeneration)
.      testPurgeWFWithSubWF1(org.apache.oozie.command.TestPurgeXCommand)
.      testPurgeXCommandFailed(org.apache.oozie.command.TestPurgeXCommand)
.      testSamplers(org.apache.oozie.util.TestMetricsInstrumentation)

{color:green}+1 DISTRO{color}
.    {color:green}+1{color} distro tarball builds with the patch

----------------------------
{color:red}*-1 Overall result, please check the reported -1(s)*{color}

The full output of the test-patch run is available at

.   https://builds.apache.org/job/oozie-trunk-precommit-build/2693/

> With Kerberos enabled, the authentication failure for the javascript resources under /ext-2.2
> ----------------------------------------------------------------------------------------------
>
>                 Key: OOZIE-2427
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2427
>             Project: Oozie
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 4.2.0
>            Reporter: Gao Zhong Liang
>             Fix For: trunk
>
>         Attachments: OOZIE-2427.patch
>
>
> With the kerberos authentication enabled, failed to load Oozie console due to the authentication failure of the javascript resource under /ext-2.2. Going back to the Oozie log, the following error messages were found:
> 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user [knox] authenticated
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
> 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
>       at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
>       at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
>
> Based on the analysis, the issue should be related to the jira HADOOP-8830:
> org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
> https://issues.apache.org/jira/browse/HADOOP-8830
> 1. Current oozie leverages Hadoop for the authentication.
> 2. Based on the resource difference, it defines the filter for the authentication, but for some resources such as some js under ext-2.2, they are always authenticated twice, the reason is because oozie has the following filter definition:
>
>     <filter-mapping>
>         <filter-name>authenticationfilter</filter-name>
>         <url-pattern>*.js</url-pattern>
>     </filter-mapping>
>     <filter-mapping>
>         <filter-name>authenticationfilter</filter-name>
>         <url-pattern>/ext-2.2/*</url-pattern>
>     </filter-mapping>
> With the issue in HADOOP-8830, the final authentication is a failure, so we finally get the error 403 in browser (which directly causes the console disabled).
>
> 3. For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug mode is enabled, logs clearly show that.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
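
The overlap described in the quoted report can be checked mechanically. The following is an added example, not code from Oozie or from the attached patch: it applies servlet url-pattern matching (exact, path prefix, extension) to a `web.xml` fragment and lists filters that more than one mapping selects for the same request path. The function names are hypothetical, the two mappings are the ones quoted in the report, and the sample paths other than `RowExpander.js` are constructed; paths are taken relative to the `/oozie` context.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.xml fragment holding the two mappings quoted in the report.
WEB_XML = """<web-app>
  <filter-mapping>
    <filter-name>authenticationfilter</filter-name>
    <url-pattern>*.js</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>authenticationfilter</filter-name>
    <url-pattern>/ext-2.2/*</url-pattern>
  </filter-mapping>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: path prefix (/x/*), extension (*.x), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def mappings(web_xml):
    """Yield (filter-name, url-pattern) pairs in document order, ignoring namespaces."""
    for elem in ET.fromstring(web_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "filter-mapping":
            continue
        fields = defaultdict(list)
        for child in elem:
            fields[child.tag.rsplit("}", 1)[-1]].append((child.text or "").strip())
        for name in fields["filter-name"]:
            for pat in fields["url-pattern"]:
                yield name, pat

def repeated_filters(web_xml, path):
    """Return {filter-name: [patterns]} for filters selected by more than one mapping."""
    hits = defaultdict(list)
    for name, pat in mappings(web_xml):
        if pattern_matches(pat, path):
            hits[name].append(pat)
    return {name: pats for name, pats in hits.items() if len(pats) > 1}

if __name__ == "__main__":
    # First path is from the quoted log; the other two are constructed samples.
    for p in ("/ext-2.2/examples/grid/RowExpander.js",
              "/oozie-console.js",
              "/ext-2.2/resources/css/ext-all.css"):
        print(p, repeated_filters(WEB_XML, p))
```

Only the path that is both under `/ext-2.2/` and ends in `.js` is reported, which is the resource class the quoted log shows triggering authentication twice.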