[ https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16447494#comment-16447494 ]
Kevin Risden commented on OOZIE-2427: ------------------------------------- The patch from this issue fixed the exact same error message about "Request is a replay". Our Kerberos authentication is backed by Active Directory and we are on Oozie 4.2.0. > With Kerberos enabled, the authentication failure for the javascript > resources under /ext-2.2 > ---------------------------------------------------------------------------------------------- > > Key: OOZIE-2427 > URL: https://issues.apache.org/jira/browse/OOZIE-2427 > Project: Oozie > Issue Type: Bug > Components: security > Affects Versions: 4.2.0 > Reporter: Gao Zhong Liang > Priority: Major > Fix For: trunk > > Attachments: OOZIE-2427.patch > > > With the kerberos authentication enabled, failed to load Oozie console due to > the authentication failure of the javascript resource under /ext-2.2. Go back > the Oozie log, the following error messages found: > 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request > [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user > [knox] authenticated > 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request > [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] > triggering authentication > 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request > [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] > triggering authentication > 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] > Authentication exception: GSSException: Failure unspecified at GSS-API level > (Mechanism level: Request is a replay (34)) > org.apache.hadoop.security.authentication.client.AuthenticationException: > GSSException: Failure unspecified at GSS-API level (Mechanism level: Request > is a replay (34)) > at > org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398) > at > org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519) > > Based on the analysis, the issue should related to is related to the jira > HADOOP-8830: > org.apache.hadoop.security.authentication.server.AuthenticationFilter might > be called twice, causing kerberos replay errors > https://issues.apache.org/jira/browse/HADOOP-8830 > 1. Current oozie leverages Hadoop for the authentication. > 2. Based on the resouce difference, it defines the filter for the > authentication, but for some resources such as some js under ext-2.2, they > are always authenticated twice, the reason is beacuse oozie has the following > filter definition: > > <filter-mapping> > <filter-name>authenticationfilter</filter-name> > <url-pattern>*.js</url-pattern> > </filter-mapping> > <filter-mapping> > <filter-name>authenticationfilter</filter-name> > <url-pattern>/ext-2.2/*</url-pattern> > </filter-mapping> > With the issue in HADOOP-8830, the final authentication is failure, so we > finally get the error 403 in browser(which directly causes the console > disabled). > > 3. For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug > mode is enabled, logs clearly show that. -- This message was sent by Atlassian JIRA (v7.6.3#76005)