Ahhh - knox user is not likely to be in the users group. You need to use a user or open up the trusted proxy config more - which isn't advisable.
Authenticate as another valid user that happens to be in the users group and it should work.

On Wed, Dec 9, 2015 at 12:53 PM, Darpan Patel <[email protected]> wrote:

> Hi Larry,
>
> Well, got over this issue!!! And seeing a new issue now, and this time it looks like we are really close :)
>
> Looks like authentication against A/D is happening (I am making an educated guess by seeing logs). *Could you please help me pass this hurdle?*
>
> I am seeing the following error while trying to access HDFS using curl:
>
> {"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"*Failed to obtain user group information: org.apache.hadoop.security.authorize.AuthorizationException: User: knox is not allowed to impersonate knox*"}}
>
> I am wondering why this is coming, as we have already set the knox proxy configuration for HDFS in the custom core-site.xml:
>
> *hadoop.proxyuser.knox.groups = users*
> *hadoop.proxyuser.knox.hosts = KNOX_GATEWAY_HOST_NAME*
>
> *Gateway-audit.log*
> 15/12/09 17:41:53 ||30f55697-1c45-46ac-b186-e4a70f4ee1e8|audit|WEBHDFS|knox|||authentication|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|
> 15/12/09 17:41:53 ||30f55697-1c45-46ac-b186-e4a70f4ee1e8|audit|WEBHDFS|knox|||authentication|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Groups: []
> 15/12/09 17:41:53 ||30f55697-1c45-46ac-b186-e4a70f4ee1e8|audit|WEBHDFS|knox|||authorization|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|
> 15/12/09 17:41:53 ||30f55697-1c45-46ac-b186-e4a70f4ee1e8|audit|WEBHDFS|knox|||dispatch|uri|http://master01.HDP_CLUSTER:50070/webhdfs/v1/?doAs=knox&op=LISTSTATUS|success|Response status: 403
> 15/12/09 17:41:53 ||30f55697-1c45-46ac-b186-e4a70f4ee1e8|audit|WEBHDFS|knox|||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Response status: 403
>
> *gateway.out (Earlier this file was 0 bytes; I believe this captures authentication details)*
>
> 0530: FE 3E 3D 5E AA C9 60 12 D4 14 A3 3D 07 79 09 88 .>=^..`....=.y..
> 0540: 04 69 F6 89 1F 0F 4F 29 6D 77 F7 9C 83 CB 63 A7 .i....O)mw....c.
> 0550: 0E CB 1B 2A 8E F6 79 8A A9 77 97 CB 88 A6 ...*..y..w....
>
> *Gateway.log*
>
> 2015-12-09 17:41:44,915 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(568)) - Computed userDn: CN=knox knox,CN=Users,DC=test,DC=com using ldapSearch for principal: knox
> 2015-12-09 17:41:45,711 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
> 2015-12-09 17:41:52,588 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(568)) - Computed userDn: CN=knox knox,CN=Users,DC=test,DC=com using ldapSearch for principal: knox
> 2015-12-09 17:41:53,322 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
>
> *Many thanks,*
> DP
>
> On 9 December 2015 at 14:12, Darpan Patel <[email protected]> wrote:
>
>> Wow.. Larry!! Yeah, knox is a valid user in the A/D.
>> Looks like we are close.
>>
>> Now a different error on the console:
>>
>> <html>
>> <head>
>> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>> <title>Error 500 Server Error</title>
>> </head>
>> <body><h2>HTTP ERROR 500</h2>
>> <p>Problem accessing /gateway/default/webhdfs/v1/. Reason:
>> <pre>    Server Error</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>
>> <br/>
>> <br/>
>> <br/>
>>
>> In the *gateway-audit* file there are also new log entries.
>>
>> 15/12/09 14:05:51 ||8efd15c8-5f8a-45dd-8a65-cc3cf4967395|audit|WEBHDFS||||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|unavailable|
>> 15/12/09 14:05:53 ||8efd15c8-5f8a-45dd-8a65-cc3cf4967395|audit|WEBHDFS|knox|||authentication|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|
>> 15/12/09 14:05:53 ||8efd15c8-5f8a-45dd-8a65-cc3cf4967395|audit|WEBHDFS|knox|||authentication|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Groups: []
>> 15/12/09 14:05:53 ||8efd15c8-5f8a-45dd-8a65-cc3cf4967395|audit|WEBHDFS|knox|||authorization|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|
>> 15/12/09 14:05:53 ||8efd15c8-5f8a-45dd-8a65-cc3cf4967395|audit|WEBHDFS|knox|||authentication|uri|http://master01.HDP_CLUSTER_HOST:50070/webhdfs/v1/?doAs=knox&op=LISTSTATUS|failure|
>> 15/12/09 14:05:53 ||8efd15c8-5f8a-45dd-8a65-cc3cf4967395|audit|WEBHDFS|knox|||dispatch|uri|http://master01.HDP_CLUSTER_HOST:50070/webhdfs/v1/?doAs=knox&op=LISTSTATUS|failure|
>> 15/12/09 14:05:53 ||8efd15c8-5f8a-45dd-8a65-cc3cf4967395|audit|WEBHDFS|knox|||dispatch|uri|http://master01.HDP_CLUSTER_HOST:50070/webhdfs/v1/?doAs=knox&op=LISTSTATUS|unavailable|
>> *15/12/09 14:05:53 ||8efd15c8-5f8a-45dd-8a65-cc3cf4967395|audit|WEBHDFS|knox|||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|failure|*
>>
>> gateway.log file
>>
>> 2015-12-09 14:05:51,747 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(568)) - Computed userDn: CN=knox knox,CN=Users,DC=test,DC=com using ldapSearch for principal: knox
>> 2015-12-09 14:05:53,239 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(568)) - Computed userDn: CN=knox knox,CN=Users,DC=test,DC=com using ldapSearch for principal: knox
>> 2015-12-09 14:05:53,239 INFO hadoop.gateway (KnoxLdapRealm.java:rolesFor(255)) - Computed roles/groups: [] for principal: knox
>> 2015-12-09 14:05:53,240 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
*2015-12-09 14:05:53,285 ERROR hadoop.gateway >> (AppCookieManager.java:getAppCookie(125)) - Failed Knox->Hadoop >> SPNegotiation authentication for URL: >> http://master01.HDP_CLUSTER_HOST:50070/webhdfs/v1/?doAs=knox&op=LISTSTATUS >> <http://master01.HDP_CLUSTER_HOST:50070/webhdfs/v1/?doAs=knox&op=LISTSTATUS>* >> *2015-12-09 14:05:53,291 WARN hadoop.gateway >> (DefaultDispatch.java:executeOutboundRequest(129)) - Connection exception >> dispatching request: >> http://master01.HDP_CLUSTER_HOST:50070/webhdfs/v1/?doAs=knox&op=LISTSTATUS >> <http://master01.HDP_CLUSTER_HOST:50070/webhdfs/v1/?doAs=knox&op=LISTSTATUS> >> java.io.IOException: SPNego authn failed, can not get hadoop.auth cookie* >> *java.io.IOException: SPNego authn failed, can not get hadoop.auth cookie* >> * at >> org.apache.hadoop.gateway.dispatch.AppCookieManager.getAppCookie(AppCookieManager.java:127)* >> 2015-12-09 14:05:53,295 ERROR hadoop.gateway >> (GatewayServlet.java:service(126)) - Gateway processing failed: >> javax.servlet.ServletException: >> org.apache.shiro.subject.ExecutionException: >> java.security.PrivilegedActionException: java.io.IOException: Service >> connectivity error. >> javax.servlet.ServletException: >> org.apache.shiro.subject.ExecutionException: >> java.security.PrivilegedActionException: java.io.IOException: Service >> connectivity error. >> >> >> On 9 December 2015 at 14:00, larry mccay <[email protected]> wrote: >> >>> Try: >>> >>> curl -iv -k -u knox:#123Password -X GET " >>> https://gateway:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS" >>> >>> The above assumes that there is a knox user in your AD. >>> >>> On Wed, Dec 9, 2015 at 8:50 AM, Darpan Patel <[email protected]> wrote: >>> >>>> HI Larry, >>>> >>>> Thanks for quick response. the value of contextFactory I missed >>>> somehow.. Now I don't see the contextFactory undefined error but .... When >>>> I try to curl the default gateway for webhdfs still I am seeing the same >>>> console. 
>>>>
>>>> I tried issuing the following curl command with a valid TGT in the cache, and again after kdestroy and removing the TGT; for both I am seeing the same output.
>>>>
>>>> curl -iv -k -u [email protected]:#123Password -X GET "https://gateway:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS"
>>>> also tried
>>>> curl -iv -k -X GET "https://gateway:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS"
>>>>
>>>> I am attaching the default gateway topology file with the email to avoid a lot of text.
>>>>
>>>> In the *gateway.log* I don't see any entry while hitting the curl.
>>>>
>>>> In the *gateway-audit* I see the following:
>>>>
>>>> 15/12/09 13:44:47 ||d96572dd-a988-4392-b7c8-fcf7e1d154f7|audit|WEBHDFS||||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|unavailable|
>>>> 15/12/09 13:44:48 ||d96572dd-a988-4392-b7c8-fcf7e1d154f7|audit|WEBHDFS||||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Response status: 401
>>>>
>>>> I am not sure what I am missing!!!
>>>>
>>>> *Thank you very much for the help.*
>>>>
>>>> Regards,
>>>> DP
>>>>
>>>> *Console Output:*
>>>>
>>>> [root@gateway knox-server]# curl -iv -k -u [email protected]:KnoxPassword@123 -X GET "https://gateway:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS"
>>>> * About to connect() to gateway port 8443 (#0)
>>>> *   Trying 192.168.197.8...
>>>> * Connected to gateway (192.168.197.8) port 8443 (#0)
>>>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>>>> * skipping SSL peer certificate verification
>>>> * SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>>> * Server certificate:
>>>> *       subject: CN=FQDN_OF_My_gateway_HOST,OU=Test,O=Hadoop,L=Test,ST=Test,C=US
>>>> *       start date: Nov 27 20:36:22 2015 GMT
>>>> *       expire date: Nov 26 20:36:22 2016 GMT
>>>> *       common name: FQDN_OF_My_gateway_HOST
>>>> *       issuer: CN=FQDN_OF_My_gateway_HOST,OU=Test,O=Hadoop,L=Test,ST=Test,C=US
>>>> * Server auth using Basic with user '[email protected]'
>>>> > GET /gateway/default/webhdfs/v1/?op=LISTSTATUS HTTP/1.1
>>>> > Authorization: Basic a25veEB0ZXN0LmNvbTojMTIzUGFzc3dvcmQ=
>>>> > User-Agent: curl/7.29.0
>>>> > Host: gateway:8443
>>>> > Accept: */*
>>>> >
>>>> < HTTP/1.1 401 Unauthorized
>>>> HTTP/1.1 401 Unauthorized
>>>> * Authentication problem. Ignoring this.
>>>> < WWW-Authenticate: BASIC realm="application"
>>>> WWW-Authenticate: BASIC realm="application"
>>>> < Content-Length: 0
>>>> Content-Length: 0
>>>> < Server: Jetty(8.1.14.v20131031)
>>>> Server: Jetty(8.1.14.v20131031)
>>>>
>>>> <
>>>> * Connection #0 to host gateway left intact
>>>>
>>>> On 9 December 2015 at 13:24, larry mccay <[email protected]> wrote:
>>>>
>>>>> I meant the version of the topology that I sent you.
>>>>> Note the order of the following two config items:
>>>>>
>>>>> <param>
>>>>>     <name>main.ldapContextFactory</name>
>>>>>     <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
>>>>> </param>
>>>>>
>>>>> <param>
>>>>>     <name>main.ldapRealm.contextFactory</name>
>>>>>     <value>$ldapContextFactory</value>
>>>>> </param>
>>>>>
>>>>> Do you have them in that order in the topology that you are using?
>>>>>
>>>>> On Wed, Dec 9, 2015 at 8:06 AM, Darpan Patel <[email protected]> wrote:
>>>>>
>>>>>> When we keep:
>>>>>>
>>>>>> <param>
>>>>>>     <name>main.ldapRealm.contextFactory</name>
>>>>>>     <value>$ldapContextFactory</value>
>>>>>> </param>
>>>>>>
>>>>>> in the log I see that the context factory object is not defined previously and hence could not be referred to. Any idea, for AD 2008/2012 Windows Server, what the value should be?
>>>>>>
>>>>>> I am on knox version 0.6.0.2.
>>>>>>
>>>>>> 2015-12-09 12:39:45,185 ERROR env.EnvironmentLoader (EnvironmentLoader.java:initEnvironment(146)) - Shiro environment initialization failed
>>>>>> org.apache.shiro.config.UnresolveableReferenceException: The object with id [ldapContextFactory] has not yet been defined and therefore cannot be referenced. Please ensure objects are defined in the order in which they should be created and made available for future reference.
>>>>>>
>>>>>> Many thanks,
>>>>>> DP
>>>>>>
>>>>>> On 9 December 2015 at 07:58, Darpan Patel <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Larry,
>>>>>>>
>>>>>>> I am using version 0.6.0.2.3.0.0-2557 of Knox.
>>>>>>>
>>>>>>> Checked through curl -u admin:admin-password -i -k https://localhost:8443/gateway/admin/api/v1/version
>>>>>>>
>>>>>>> On 8 December 2015 at 23:42, larry mccay <[email protected]> wrote:
>>>>>>>
>>>>>>>> In the version that I sent you the main.ldapContextFactory is set before this entry.
>>>>>>>> Is that true in the version that you are using?
>>>>>>>>
>>>>>>>> On Tue, Dec 8, 2015 at 5:16 PM, Darpan Patel <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Well, when I am keeping the param at the following value we get an error.
>>>>>>>>>
>>>>>>>>>> <param>
>>>>>>>>>>     <name>main.ldapRealm.contextFactory</name>
>>>>>>>>>>     <value>$ldapContextFactory</value>
>>>>>>>>>> </param>
>>>>>>>>>>
>>>>>>>>> Copying from the gateway.log. (It made me think we need to define the value for ldapContextFactory.)
>>>>>>>>>
>>>>>>>>> 2015-12-08 22:13:58,003 ERROR env.EnvironmentLoader (EnvironmentLoader.java:initEnvironment(146)) - Shiro environment initialization failed
>>>>>>>>> org.apache.shiro.config.UnresolveableReferenceException: *The object with id [ldapContextFactory] has not yet been defined and therefore cannot be referenced.* Please ensure objects are defined in the order in which they should be created and made available for future reference.
>>>>>>>>>         at org.apache.shiro.config.ReflectionBuilder.getReferencedObject(ReflectionBuilder.java:224)
>>>>>>>>>         at org.apache.shiro.config.ReflectionBuilder.resolveReference(ReflectionBuilder.java:239)
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> DP
>>>>>>>>>
>>>>>>>>>> On Tue, Dec 8, 2015 at 4:59 PM, Darpan Patel <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Thanks for the merged template. I made modifications to it and
>>>>>>>>>>>
>>>>>>>>>>> I am not sure what value I should fill in for main.ldapRealm.contextFactory?
>>>>>>>>>>> We are running on Windows 2008/2012 Active Directory.
>>>>>>>>>>>
>>>>>>>>>>> <param>
>>>>>>>>>>>     <name>main.ldapRealm.contextFactory</name>
>>>>>>>>>>>     <value>$ldapContextFactory</value>
>>>>>>>>>>> </param>
>>>>>>>>>>>
>>>>>>>>>> I think that you leave it exactly like that.
>>>>>>>>>> It is some sort of shiro injection thing - it references the value defined above it that way.
>>>>>>>>>>
>>>>>>>>>>> I removed this parameter and I see this in the logs:
>>>>>>>>>>>
>>>>>>>>>>> 2015-12-08 21:56:51,806 ERROR hadoop.gateway (KnoxLdapRealm.java:getUserDn(574)) - Failed to get system ldap connection: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
>>>>>>>>>>>
>>>>>>>>>>> (I am happy to see a new error after 3 days, phew!!!)
>>>>>>>>>>>
>>>>>>>>>> Glad that you are happy, but let's get it working and see how you feel. :)
>>>>>>>>>> We'll also roll it into some better documentation for the AD specific usecase.
>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> DP
>>>>>>>>>>>
>>>>>>>>>>> On 8 December 2015 at 14:52, Darpan Patel <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Thanks Larry.
>>>>>>>>>>>> I will check this and update you.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> DP
>>>>>>>>>>>>
>>>>>>>>>>>> On 8 December 2015 at 12:18, larry mccay <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Darpan -
>>>>>>>>>>>>>
>>>>>>>>>>>>> The following topology is probably a better starting point for your AD configuration - I've tried to merge yours with it as best I can:
>>>>>>>>>>>>>
>>>>>>>>>>>>> <gateway>
>>>>>>>>>>>>>     <provider>
>>>>>>>>>>>>>         <role>authentication</role>
>>>>>>>>>>>>>         <name>ShiroProvider</name>
>>>>>>>>>>>>>         <enabled>true</enabled>
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>sessionTimeout</name>
>>>>>>>>>>>>>             <value>30</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapRealm</name>
>>>>>>>>>>>>>             <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapContextFactory</name>
>>>>>>>>>>>>>             <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapRealm.contextFactory</name>
>>>>>>>>>>>>>             <value>$ldapContextFactory</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapRealm.contextFactory.url</name>
>>>>>>>>>>>>>             <!-- ADJUST host, port for your AD setup -->
>>>>>>>>>>>>>             <value>ldap://IP_OF_WINDOWS_AD:389</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>         <!-- ignored due to use of main.ldapRealm.userSearchAttributeName -->
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapRealm.userDnTemplate</name>
>>>>>>>>>>>>>             <value>cn={0},CN=users,DC=test,DC=com</value>
>>>>>>>>>>>>>             <!-- also tried following values -->
>>>>>>>>>>>>>             <value>uid={0},CN=users,DC=test,DC=com</value>
>>>>>>>>>>>>>             <value>cn={0},DC=test,DC=com</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>
>>>>>>>>>>>>>         <!-- Param above is ignored; sAMAccountName is usually used
>>>>>>>>>>>>>              for AD -->
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapRealm.userSearchAttributeName</name>
>>>>>>>>>>>>>             <value>sAMAccountName</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>
>>>>>>>>>>>>>         <!-- adjust as appropriate -->
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapRealm.userObjectClass</name>
>>>>>>>>>>>>>             <value>person</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>
>>>>>>>>>>>>>         <!-- adjust the dn below to match your environment -->
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapRealm.contextFactory.systemUsername</name>
>>>>>>>>>>>>>             <value>cn={systemuser},ou=process,ou=accounts,dc=test,dc=com</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>
>>>>>>>>>>>>>         <!-- should be moved to the credential store for the gateway to be more secure -->
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapRealm.contextFactory.systemPassword</name>
>>>>>>>>>>>>>             <value>{systemuser_password}</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>
>>>>>>>>>>>>>         <!-- let's disable for now since you have no authorization policies defined anyway -->
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapRealm.authorizationEnabled</name>
>>>>>>>>>>>>>             <value>false</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapRealm.searchBase</name>
>>>>>>>>>>>>>             <value>cn=users,dc=test,dc=com</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapRealm.memberAttributeValueTemplate</name>
>>>>>>>>>>>>>             <value>cn={0},cn=users,dc=test,dc=com</value>
>>>>>>>>>>>>>             <!-- also tried uid={0} -->
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
>>>>>>>>>>>>>             <value>simple</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>
>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>             <name>urls./**</name>
>>>>>>>>>>>>>             <value>authcBasic</value>
>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>     </provider>
>>>>>>>>>>>>>
>>>>>>>>>>>>>     <!-- the group principal mapping below is not likely what you want;
>>>>>>>>>>>>>          note the mapping of the hdfs group to admin. Also, we have
>>>>>>>>>>>>>          disabled authorization above so there is no need for groups -->
>>>>>>>>>>>>>     <provider>
>>>>>>>>>>>>>         <role>identity-assertion</role>
>>>>>>>>>>>>>         <name>Default</name>
>>>>>>>>>>>>>         <enabled>true</enabled>
>>>>>>>>>>>>>         <!--param>
>>>>>>>>>>>>>             <name>group.principal.mapping</name>
>>>>>>>>>>>>>             <value>*=users;hdfs=admin</value>
>>>>>>>>>>>>>         </param-->
>>>>>>>>>>>>>     </provider>
>>>>>>>>>>>>>
>>>>>>>>>>>>>     <provider>
>>>>>>>>>>>>>         <role>authorization</role>
>>>>>>>>>>>>>         <name>AclsAuthz</name>
>>>>>>>>>>>>>         <enabled>true</enabled>
>>>>>>>>>>>>>     </provider>
>>>>>>>>>>>>>
>>>>>>>>>>>>> </gateway>
>>>>>>>>>>>>>
>>>>>>>>>>>>> We need to better document the difference between LDAP and AD for such deployments.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I've also tried to document some of the changes that I made.
>>>>>>>>>>>>> Note that you don't have any authorization ACLs defined in the AclsAuthz provider so I disabled group lookup.
>>>>>>>>>>>>> That will only add complexity to your config - we can re-enable once authentication is working.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Please go through this config and ensure that DNs, host and ports and system usernames match your environment.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hope this helps.
>>>>>>>>>>>>>
>>>>>>>>>>>>> --larry
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Dec 8, 2015 at 5:16 AM, Darpan Patel <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> For this blocker issue, let me add more information in case it can help fix the authorization problem.
>>>>>>>>>>>>>> Please let me know if more details are required.
>>>>>>>>>>>>>> (+ dev list)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> */etc/krb5.conf*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>>>>   renew_lifetime = 7d
>>>>>>>>>>>>>>   forwardable = true
>>>>>>>>>>>>>>   default_realm = HORTONWORKS.COM
>>>>>>>>>>>>>>   ticket_lifetime = 24h
>>>>>>>>>>>>>>   dns_lookup_realm = false
>>>>>>>>>>>>>>   dns_lookup_kdc = false
>>>>>>>>>>>>>>   #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
>>>>>>>>>>>>>>   #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [domain_realm]
>>>>>>>>>>>>>>   .hortonworks.com = HORTONWORKS.COM
>>>>>>>>>>>>>>   HORTONWORKS.COm = HORTONWORKS.COM
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [logging]
>>>>>>>>>>>>>>   default = FILE:/var/log/krb5kdc.log
>>>>>>>>>>>>>>   admin_server = FILE:/var/log/kadmind.log
>>>>>>>>>>>>>>   kdc = FILE:/var/log/krb5kdc.log
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [realms]
>>>>>>>>>>>>>>   HORTONWORKS.COM = {
>>>>>>>>>>>>>>     admin_server = KDC_SERVER_HOST
>>>>>>>>>>>>>>     kdc = KDC_SERVER_HOST
>>>>>>>>>>>>>>   }
>>>>>>>>>>>>>>   *TEST.COM* = {
>>>>>>>>>>>>>>     admin_server = WINDOWS_12_SERVER_AD_HOST
>>>>>>>>>>>>>>     kdc = WINDOWS_12_SERVER_AD_HOST
>>>>>>>>>>>>>>   }
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> */usr/hdp/current/knox-server/conf/gateway-site.xml*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <configuration>
>>>>>>>>>>>>>>     <property>
>>>>>>>>>>>>>>         <name>*gateway.gateway.conf.dir*</name>
>>>>>>>>>>>>>>         <value>deployments</value>
>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>     <property>
>>>>>>>>>>>>>>         <name>*gateway.hadoop.kerberos.secured*</name>
>>>>>>>>>>>>>>         <value>true</value>
>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>     <property>
>>>>>>>>>>>>>>         <name>*gateway.path*</name>
>>>>>>>>>>>>>>         <value>gateway</value>
>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>     <property>
>>>>>>>>>>>>>>         <name>*gateway.port*</name>
>>>>>>>>>>>>>>         <value>8443</value>
>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>     <property>
>>>>>>>>>>>>>>         <name>*java.security.auth.login.config*</name>
>>>>>>>>>>>>>>         <value>*/etc/knox/conf/krb5JAASLogin.conf*</value>
>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>     <property>
>>>>>>>>>>>>>>         <name>*java.security.krb5.conf*</name>
>>>>>>>>>>>>>>         <value>*/etc/krb5.conf*</value>
>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>     <property>
>>>>>>>>>>>>>>         <name>sun.security.krb5.debug</name>
>>>>>>>>>>>>>>         <value>true</value>
>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>> </configuration>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> */etc/knox/conf/krb5JAASLogin.conf*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> com.sun.security.jgss.initiate {
>>>>>>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>     renewTGT=true
>>>>>>>>>>>>>>     doNotPrompt=true
>>>>>>>>>>>>>>     useKeyTab=true
>>>>>>>>>>>>>>     keyTab="/etc/security/keytabs/knox.service.keytab"
>>>>>>>>>>>>>>     principal="knox/[email protected]"
>>>>>>>>>>>>>>     isInitiator=true
>>>>>>>>>>>>>>     storeKey=true
>>>>>>>>>>>>>>     useTicketCache=true
>>>>>>>>>>>>>>     client=true;
>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>> DP
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>>>>>> From: Darpan Patel <[email protected]>
>>>>>>>>>>>>>> Date: 7 December 2015 at 17:59
>>>>>>>>>>>>>> Subject: Need help setting up Knox for A/D integrated Kerberized Cluster
>>>>>>>>>>>>>> To: [email protected]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have been stuck on an issue for the last two days. I would be really grateful if someone can help on this.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We have HDP 2.3 implemented over an 8 node cluster; the same cluster has been Kerberized and later on we have integrated it with Active Directory (which runs in the same VPN). We also verified that Windows 2012 A/D integration with Ranger works fine for defining policies and the audit log. But I am stuck at the Knox bit. I am trying to replicate the same configuration properties which I have set for the Ranger LDAP-AD integration.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am taking reference from the Hortonworks documentation and also the Apache Knox documentation.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The A/D domain name is TEST.COM and all the users are under Users
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [image: Inline images 1]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Under Users we have a few users; some of them are knox, darpan, test, etc.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> When we issue the following command on the node on which Knox Server is running (topology name is default):
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *curl -iv -k -u [email protected]:#123Password -X GET "https://localhost:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS"*
>>>>>>>>>>>>>> *OR*
>>>>>>>>>>>>>> *curl -iv -k -u knox:#123Password -X GET "https://localhost:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS"*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Every time I see < HTTP/1.1 401 Unauthorized HTTP/1.1 401 Unauthorized on the console.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Entries in the *gateway-audit.log* are like this:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> gateway-audit.log
>>>>>>>>>>>>>> ==================
>>>>>>>>>>>>>> 15/12/07 17:11:08 ||38606993-17e2-4c3e-ad4b-e3faea293aae|audit|WEBHDFS||||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|unavailable|
>>>>>>>>>>>>>> 15/12/07 17:11:09 ||38606993-17e2-4c3e-ad4b-e3faea293aae|audit|WEBHDFS||||authentication|*principal*|*[email protected]*|failure|*LDAP authentication failed.*
>>>>>>>>>>>>>> 15/12/07 17:11:09 ||38606993-17e2-4c3e-ad4b-e3faea293aae|audit|WEBHDFS||||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Response status: 401
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 15/12/07 17:05:28 ||5b436e43-b874-40f7-b111-7b262fe5125d|audit|WEBHDFS||||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|unavailable|
>>>>>>>>>>>>>> 15/12/07 17:05:29 ||5b436e43-b874-40f7-b111-7b262fe5125d|audit|WEBHDFS||||authentication|*principal*|knox|failure|*LDAP authentication failed.*
>>>>>>>>>>>>>> 15/12/07 17:05:29 ||5b436e43-b874-40f7-b111-7b262fe5125d|audit|WEBHDFS||||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Response status: 401
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Gateway.log*
>>>>>>>>>>>>>> *===========*
>>>>>>>>>>>>>> 2015-12-07 17:05:28,620 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(550)) - Computed userDn: cn=knox,CN=users,DC=test,DC=com using dnTemplate for principal: knox
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Following is the part of our *default.xml* topology:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <gateway>
>>>>>>>>>>>>>>     <provider>
>>>>>>>>>>>>>>         <role>authentication</role>
>>>>>>>>>>>>>>         <name>ShiroProvider</name>
>>>>>>>>>>>>>>         <enabled>true</enabled>
>>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>>             <name>sessionTimeout</name>
>>>>>>>>>>>>>>             <value>30</value>
>>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>>             <name>*main.ldapRealm*</name>
>>>>>>>>>>>>>>             <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
>>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>>             <name>*main.ldapContextFactory*</name>
>>>>>>>>>>>>>>             <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
>>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>>             <name>*main.ldapRealm.userDnTemplate*</name>
>>>>>>>>>>>>>>             <value>cn={0},CN=users,DC=test,DC=com</value>
>>>>>>>>>>>>>>             <!-- also tried following values -->
>>>>>>>>>>>>>>             <value>uid={0},CN=users,DC=test,DC=com</value>
>>>>>>>>>>>>>>             <value>cn={0},DC=test,DC=com</value>
>>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>>             <name>*main.ldapRealm.contextFactory.url*</name>
>>>>>>>>>>>>>>             <!-- IP Address of the WINDOWS 2012 Active Directory Server which works for Ranger -->
>>>>>>>>>>>>>>             <value>*ldap://IP_OF_WINDOWS_AD:389*</value>
>>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>>             <name>*main.ldapRealm.authorizationEnabled*</name>
>>>>>>>>>>>>>>             <value>true</value>
>>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>>             <name>*main.ldapRealm.searchBase*</name>
>>>>>>>>>>>>>>             <value>cn=users,dc=test,dc=com</value>
>>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>>             <name>*main.ldapRealm.memberAttributeValueTemplate*</name>
>>>>>>>>>>>>>>             <value>cn={0},cn=users,dc=test,dc=com</value>
>>>>>>>>>>>>>>             <!-- also tried uid={0} -->
>>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>>             <name>*main.ldapRealm.contextFactory.authenticationMechanism*</name>
>>>>>>>>>>>>>>             <value>simple</value>
>>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>>             <name>urls./**</name>
>>>>>>>>>>>>>>             <value>authcBasic</value>
>>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>>     </provider>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     <provider>
>>>>>>>>>>>>>>         <role>*identity-assertion*</role>
>>>>>>>>>>>>>>         <name>Default</name>
>>>>>>>>>>>>>>         <enabled>true</enabled>
>>>>>>>>>>>>>>         <param>
>>>>>>>>>>>>>>             <name>*group.principal.mapping*</name>
>>>>>>>>>>>>>>             <value>*=users;hdfs=admin</value>
>>>>>>>>>>>>>>         </param>
>>>>>>>>>>>>>>     </provider>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     <provider>
>>>>>>>>>>>>>>         <role>*authorization*</role>
>>>>>>>>>>>>>>         <name>AclsAuthz</name>
>>>>>>>>>>>>>>         <enabled>true</enabled>
>>>>>>>>>>>>>>     </provider>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> </gateway>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> And following is the console output while trying to access webhdfs using curl:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> curl -iv -k -u knox:#123Password -X GET "https://localhost:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Console Output:*
>>>>>>>>>>>>>> ----------------
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> * About to connect() to localhost port 8443 (#0)
>>>>>>>>>>>>>> *   Trying ::1...
>>>>>>>>>>>>>> * Connected to localhost (::1) port 8443 (#0)
>>>>>>>>>>>>>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>>>>>>>>>>>>>> * skipping SSL peer certificate verification
>>>>>>>>>>>>>> * SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>>>>>>>>>>>>> * Server certificate:
>>>>>>>>>>>>>> *       subject: CN=FQDN_OF_My_gateway_HOST,OU=Test,O=Hadoop,L=Test,ST=Test,C=US
>>>>>>>>>>>>>> *       start date: Nov 27 20:36:22 2015 GMT
>>>>>>>>>>>>>> *       expire date: Nov 26 20:36:22 2016 GMT
>>>>>>>>>>>>>> *       common name: FQDN_OF_My_gateway_HOST
>>>>>>>>>>>>>> *       issuer: CN=FQDN_OF_My_gateway_HOST,OU=Test,O=Hadoop,L=Test,ST=Test,C=US
>>>>>>>>>>>>>> * Server auth using Basic with user 'knox'
>>>>>>>>>>>>>> > GET /gateway/default/webhdfs/v1/?op=LISTSTATUS HTTP/1.1
>>>>>>>>>>>>>> > Authorization: Basic a25veDojMTIzUGFzc3dvcmQ=
>>>>>>>>>>>>>> > User-Agent: curl/7.29.0
>>>>>>>>>>>>>> > Host: localhost:8443
>>>>>>>>>>>>>> > Accept: */*
>>>>>>>>>>>>>> >
>>>>>>>>>>>>>> < HTTP/1.1 401 Unauthorized
>>>>>>>>>>>>>> HTTP/1.1 401 Unauthorized
>>>>>>>>>>>>>> * Authentication problem. Ignoring this.
>>>>>>>>>>>>>> < WWW-Authenticate: BASIC realm="application"
>>>>>>>>>>>>>> WWW-Authenticate: BASIC realm="application"
>>>>>>>>>>>>>> < Content-Length: 0
>>>>>>>>>>>>>> Content-Length: 0
>>>>>>>>>>>>>> < Server: Jetty(8.1.14.v20131031)
>>>>>>>>>>>>>> Server: Jetty(8.1.14.v20131031)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please let me know if any additional information is required.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> DP
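The impersonation denial that Larry's reply at the top diagnoses ("User: knox is not allowed to impersonate knox"), as an added example that is not part of the thread and not Hadoop's or Knox's code. It models the two questions Hadoop's proxy-user check asks over the core-site values quoted above; the group table is constructed, and Hadoop's hostname/CIDR resolution is simplified to exact string matching.

```python
"""Model of the Hadoop proxy-user (impersonation) check from the thread.

Added illustration, not Hadoop's or Knox's code. It reproduces the two
questions DefaultImpersonationProvider asks (may the real user act as the
effective user? from this host?) over the core-site values quoted above.
Group membership is a constructed table, and Hadoop's hostname/CIDR
resolution is simplified to exact string matching."""
from typing import Dict, List, Tuple

# core-site.xml fragment as quoted in the thread (the hosts value is the
# placeholder the original poster used).
CORE_SITE: Dict[str, str] = {
    "hadoop.proxyuser.knox.groups": "users",
    "hadoop.proxyuser.knox.hosts": "KNOX_GATEWAY_HOST_NAME",
}

# Constructed stand-in for the NameNode's group mapping. The audit log in
# the thread shows "Groups: []" for knox, i.e. knox is in no group at all.
GROUPS: Dict[str, List[str]] = {
    "knox": [],
    "darpan": ["users"],
    "hdfs": ["hadoop"],
}


def _csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def authorize_proxy(conf: Dict[str, str], real_user: str, effective_user: str,
                    remote_host: str,
                    groups: Dict[str, List[str]] = GROUPS) -> Tuple[bool, str]:
    """Return (allowed, reason) for real_user impersonating effective_user.

    In WebHDFS the real user is the SPNEGO-authenticated principal (knox)
    and the effective user comes from the doAs= query parameter; Knox sends
    doAs=<authenticated gateway user>, which in the thread was also knox.
    """
    prefix = f"hadoop.proxyuser.{real_user}."
    allowed_users = _csv(conf.get(prefix + "users", ""))
    allowed_groups = _csv(conf.get(prefix + "groups", ""))
    allowed_hosts = _csv(conf.get(prefix + "hosts", ""))

    # 1. user check: explicit users list, or any group of the effective user.
    user_ok = (
        "*" in allowed_users or effective_user in allowed_users
        or "*" in allowed_groups
        or any(g in allowed_groups for g in groups.get(effective_user, []))
    )
    if not user_ok:
        return False, f"User: {real_user} is not allowed to impersonate {effective_user}"

    # 2. host check: where the proxy is allowed to connect from.
    if "*" not in allowed_hosts and remote_host not in allowed_hosts:
        return False, f"Unauthorized connection for super-user: {real_user} from IP {remote_host}"
    return True, "ok"


def widen(conf: Dict[str, str], proxy: str) -> Dict[str, str]:
    """The 'open up the trusted proxy config more' option from the thread:
    a '*' groups entry lets the proxy impersonate every user, including
    HDFS superusers, which is why that option is not advisable."""
    return {**conf, f"hadoop.proxyuser.{proxy}.groups": "*"}


if __name__ == "__main__":
    gw = "KNOX_GATEWAY_HOST_NAME"
    print(authorize_proxy(CORE_SITE, "knox", "knox", gw))            # denied: knox has no groups
    print(authorize_proxy(CORE_SITE, "knox", "darpan", gw))          # allowed: darpan is in users
    print(authorize_proxy(CORE_SITE, "knox", "darpan", "10.0.0.9"))  # denied: wrong host
    print(authorize_proxy(widen(CORE_SITE, "knox"), "knox", "hdfs", gw))  # allowed: too broad
```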
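The ordering rule Larry points out for the ShiroProvider params (main.ldapContextFactory must precede the `$ldapContextFactory` reference, otherwise Shiro raises UnresolveableReferenceException), as an added example that is not part of the thread and not Knox's or Shiro's code. It walks the params of a topology in document order as a pre-deploy check; the two topology fragments are constructed.

```python
"""Order check for `$ref` values in a Knox ShiroProvider topology.

Added illustration, not Knox's or Shiro's code. It models what Shiro's
ReflectionBuilder does with the `main.*` params: a value `$name` refers
to the object created by an earlier `main.name` param, so the defining
param must come first in the file."""
import xml.etree.ElementTree as ET
from typing import Dict


class UnresolvableReference(Exception):
    """Stands in for org.apache.shiro.config.UnresolveableReferenceException."""


def resolve_main_params(topology_xml: str) -> Dict[str, str]:
    """Walk <param> elements in document order, resolving $references.

    Returns the resolved object table keyed by the name without the
    `main.` prefix. Raises UnresolvableReference when a `$ref` points at
    an object that has not been defined yet (the error from the thread).
    """
    objects: Dict[str, str] = {}
    for param in ET.fromstring(topology_xml).iter("param"):
        name = (param.findtext("name") or "").strip()
        value = (param.findtext("value") or "").strip()
        if not name.startswith("main."):
            continue  # urls./**, sessionTimeout etc. are not Shiro objects
        if value.startswith("$"):
            ref = value[1:]
            if ref not in objects:
                raise UnresolvableReference(
                    f"The object with id [{ref}] has not yet been defined and "
                    "therefore cannot be referenced.")
            value = objects[ref]
        objects[name[len("main."):]] = value
    return objects


CONTEXT_FACTORY = "org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory"

# Constructed: the order Larry recommends (definition before reference).
GOOD_ORDER = f"""<gateway><provider>
  <param><name>main.ldapRealm</name>
         <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value></param>
  <param><name>main.ldapContextFactory</name><value>{CONTEXT_FACTORY}</value></param>
  <param><name>main.ldapRealm.contextFactory</name><value>$ldapContextFactory</value></param>
  <param><name>urls./**</name><value>authcBasic</value></param>
</provider></gateway>"""

# Constructed: the reference appears before its definition.
BAD_ORDER = f"""<gateway><provider>
  <param><name>main.ldapRealm.contextFactory</name><value>$ldapContextFactory</value></param>
  <param><name>main.ldapContextFactory</name><value>{CONTEXT_FACTORY}</value></param>
</provider></gateway>"""


def check_topology(topology_xml: str) -> str:
    """Return 'ok' or the Shiro-style error message, for use before deploying."""
    try:
        resolve_main_params(topology_xml)
        return "ok"
    except UnresolvableReference as exc:
        return str(exc)


if __name__ == "__main__":
    print(check_topology(GOOD_ORDER))  # ok
    print(check_topology(BAD_ORDER))   # The object with id [ldapContextFactory] has not yet been defined ...
```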
