Gao Zhong Liang created OOZIE-2427: -------------------------------------- Summary: With Kerberos enabled, the authentication failure for the javascript resources under /ext-2.2 Key: OOZIE-2427 URL: https://issues.apache.org/jira/browse/OOZIE-2427 Project: Oozie Issue Type: Bug Components: security Affects Versions: 4.2.0 Reporter: Gao Zhong Liang Fix For: trunk
With the kerberos authentication enabled, failed to load Oozie console due to the authentication failure of the javascript resource under /ext-2.2. Go back the Oozie log, the following error messages found: 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user [knox] authenticated 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34)) org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34)) at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398) at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519) Based on the analysis, the issue should related to is related to the jira HADOOP-8830: org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors https://issues.apache.org/jira/browse/HADOOP-8830 1. Current oozie leverages Hadoop for the authentication. 2. Based on the resouce difference, it defines the filter for the authentication, but for some resources such as some js under ext-2.2, they are always authenticated twice, the reason is beacuse oozie has the following filter definition: <filter-mapping> <filter-name>authenticationfilter</filter-name> <url-pattern>*.js</url-pattern> </filter-mapping> <filter-mapping> <filter-name>authenticationfilter</filter-name> <url-pattern>/ext-2.2/*</url-pattern> </filter-mapping> With the issue in HADOOP-8830, the final authentication is failure, so we finally get the error 403 in browser(which directly causes the console disabled). 3. For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug mode is enabled, logs clearly show that. -- This message was sent by Atlassian JIRA (v6.3.4#6332)