[jira] [Created] (OOZIE-2427) With Kerberos enabled, the authentication failure for the javascript resources under /ext-2.2

Mon, 04 Jan 2016 22:39:50 -0800 

Gao Zhong Liang created OOZIE-2427:
--------------------------------------

             Summary: With Kerberos enabled, the authentication failure for the 
javascript resources under /ext-2.2 
                 Key: OOZIE-2427
                 URL: https://issues.apache.org/jira/browse/OOZIE-2427
             Project: Oozie
          Issue Type: Bug
          Components: security
    Affects Versions: 4.2.0
            Reporter: Gao Zhong Liang
             Fix For: trunk


With the kerberos authentication enabled, failed to load Oozie console due to 
the authentication failure of the javascript resource under /ext-2.2. Go back 
the Oozie log, the following error messages found:

21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request 
[http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user 
[knox] authenticated
2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request 
[http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] 
triggering authentication
2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request 
[http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] 
triggering authentication
2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] 
Authentication exception: GSSException: Failure unspecified at GSS-API level 
(Mechanism level: Request is a replay (34))
org.apache.hadoop.security.authentication.client.AuthenticationException: 
GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is 
a replay (34))
    at 
org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
    at 
org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
  

Based on the analysis, the issue should related to is related to the jira  
HADOOP-8830: 
org.apache.hadoop.security.authentication.server.AuthenticationFilter might be 
called twice, causing kerberos replay errors
https://issues.apache.org/jira/browse/HADOOP-8830

1. Current oozie leverages Hadoop for the authentication.
2. Based on the resouce difference, it defines the filter for the  
authentication, but for some resources such as some js under ext-2.2, they are 
always authenticated twice, the reason is beacuse oozie has the following 
filter definition:
 
<filter-mapping>
    <filter-name>authenticationfilter</filter-name>
    <url-pattern>*.js</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>authenticationfilter</filter-name>
    <url-pattern>/ext-2.2/*</url-pattern>
</filter-mapping>
With the issue in HADOOP-8830, the final authentication is failure, so we 
finally get the error 403 in browser(which directly causes the console 
disabled).
 
3. For 2),  it just hit the issue in Jira HADOOP-8830, if the oozie's debug 
mode is enabled, logs clearly show that. 





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to