Hi Larry,
You can find attached the topologies and the stack trace.
Thank you in advance,
Nick
On Mon, Oct 2, 2017 at 9:34 PM, larry mccay <[email protected]> wrote:
> Hi Nick -
>
> Can you please provide your topologies that you are using for both
> sandbox.xml and knoxsso.xml?
>
> I have tested OIDC use case before and would like to compare the
> configuration that you have - I did not try it against Keycloak but it
> should be generic OIDC.
>
> Also, can you provide the full stacktrace from the log?
>
> thanks,
>
> --larry
>
> On Mon, Oct 2, 2017 at 2:22 PM, N. Vidiadakis <[email protected]>
> wrote:
>
>> Hello to all,
>>
>> I'm relatively new to the whole Hadoop/KNOX ecosystem but I'm appointed
>> with a relatively more complicated task: integrate KNOX with an IdP and
>> specifically with a Keycloak installation which uses OpenID.
>>
>> I've tried following the User Guide and my current state is I get
>> redirected to the Keycloak Login portal, I enter my credentials and then
>> get back to the KnoxSSO urls with an error 500. The log files contain:
>>
>> gateway.log:
>>
>> Caused by: java.lang.IllegalArgumentException: The client authentication must not be null
>>     at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:87)
>>     at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:112)
>>
>> gateway-audit.log:
>>
>> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
>> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
>> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
>> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
>> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=8_-8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|unavailable|Request method: GET
>> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=8_-8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|failure|
>>
>> Also, Keycloak does not report something out of the ordinary.
>>
>> My question is if and how to further debug this. I also wanted to try a
>> bearer-only configuration but the documentation is not clear enough for the
>> configuration.
>>
>> Please. Help.
>>
>> KR,
>> Nick Vidiadakis
>>
>
>
2017-10-02 18:47:38,545 ERROR hadoop.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: java.lang.IllegalArgumentException: The client authentication must not be null
2017-10-02 18:47:38,546 ERROR hadoop.gateway (GatewayFilter.java:doFilter(146)) - Gateway processing failed: javax.servlet.ServletException: java.lang.IllegalArgumentException: The client authentication must not be null
javax.servlet.ServletException: java.lang.IllegalArgumentException: The client authentication must not be null
    at org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
    at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:346)
    at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:246)
    at org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:140)
    at org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:92)
    at org.apache.hadoop.gateway.GatewayServlet.service(GatewayServlet.java:141)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.hadoop.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.hadoop.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
    at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.hadoop.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: The client authentication must not be null
    at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:87)
    at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:112)
    at org.pac4j.oidc.client.OidcClient.buildTokenRequest(OidcClient.java:499)
    at org.pac4j.oidc.client.OidcClient.retrieveUserProfile(OidcClient.java:423)
    at org.pac4j.oidc.client.OidcClient.retrieveUserProfile(OidcClient.java:85)
    at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:99)
    at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:48)
    at org.pac4j.j2e.filter.CallbackFilter.internalFilter(CallbackFilter.java:85)
    at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:80)
    at org.apache.hadoop.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205)
    at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:346)
    at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:246)
    at org.apache.hadoop.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
    at org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
    ... 32 more
2017-10-02 18:47:38,549 ERROR hadoop.gateway (GatewayServlet.java:service(146)) - Gateway processing failed: javax.servlet.ServletException: java.lang.IllegalArgumentException: The client authentication must not be null
javax.servlet.ServletException: java.lang.IllegalArgumentException: The client authentication must not be null
    at org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
    at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:346)
    at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:246)
    at org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:140)
    at org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:92)
    at org.apache.hadoop.gateway.GatewayServlet.service(GatewayServlet.java:141)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.hadoop.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.hadoop.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
    at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.hadoop.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: The client authentication must not be null
    at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:87)
    at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:112)
    at org.pac4j.oidc.client.OidcClient.buildTokenRequest(OidcClient.java:499)
    at org.pac4j.oidc.client.OidcClient.retrieveUserProfile(OidcClient.java:423)
    at org.pac4j.oidc.client.OidcClient.retrieveUserProfile(OidcClient.java:85)
    at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:99)
    at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:48)
    at org.pac4j.j2e.filter.CallbackFilter.internalFilter(CallbackFilter.java:85)
    at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:80)
    at org.apache.hadoop.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205)
    at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:346)
    at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:246)
    at org.apache.hadoop.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
    at org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
    ... 32 more
<?xml version="1.0" encoding="utf-8"?>
<topology>
    <gateway>
        <provider>
            <role>federation</role>
            <name>pac4j</name>
            <enabled>true</enabled>
            <param>
                <name>pac4j.callbackUrl</name>
                <value>https://83.212.114.145:8443/gateway/knoxsso/api/v1/websso</value>
            </param>
            <param>
                <name>clientName</name>
                <value>OidcClient</value>
            </param>
            <param>
                <name>oidc.id</name>
                <value>aegle_knox</value>
            </param>
            <param>
                <name>oidc.secret</name>
                <value>724f5269-1c73-42dc-aa34-23b80b08df8b</value>
            </param>
            <param>
                <name>oidc.discoveryUri</name>
                <value>https://aegle-keycloak.exodussa.com/auth/realms/AEGLE/.well-known/openid-configuration</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>true</value>
        </param>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>100000</value>
        </param>
        <param>
            <name>knoxsso.redirect.whitelist.regex</name>
            <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
        </param>
    </service>
</topology>
<?xml version="1.0" encoding="utf-8"?>
<topology>
    <gateway>
        <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param>
                <name>cors.enabled</name>
                <value>true</value>
            </param>
        </provider>
        <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sso.authentication.provider.url</name>
                <value>https://83.212.114.145:8443/gateway/knoxsso/api/v1/websso</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <service>
        <role>NAMENODE</role>
        <url>hdfs://localhost:8020</url>
    </service>
    <service>
        <role>JOBTRACKER</role>
        <url>rpc://localhost:8050</url>
    </service>
    <service>
        <role>WEBHDFS</role>
        <url>http://83.212.112.144:50070/webhdfs</url>
    </service>
    <service>
        <role>WEBHCAT</role>
        <url>http://localhost:50111/templeton</url>
    </service>
    <service>
        <role>OOZIE</role>
        <url>http://localhost:11000/oozie</url>
    </service>
    <service>
        <role>WEBHBASE</role>
        <url>http://localhost:60080</url>
    </service>
    <service>
        <role>HIVE</role>
        <url>http://localhost:10001/cliservice</url>
    </service>
    <service>
        <role>RESOURCEMANAGER</role>
        <url>http://83.212.112.144:8088/ws</url>
    </service>
    <service>
        <role>DRUID-COORDINATOR-UI</role>
        <url>http://localhost:8081</url>
    </service>
    <service>
        <role>DRUID-COORDINATOR</role>
        <url>http://localhost:8081</url>
    </service>
    <service>
        <role>DRUID-BROKER</role>
        <url>http://localhost:8082</url>
    </service>
    <service>
        <role>DRUID-ROUTER</role>
        <url>http://localhost:8082</url>
    </service>
    <service>
        <role>DRUID-OVERLORD</role>
        <url>http://localhost:8090</url>
    </service>
    <service>
        <role>DRUID-OVERLORD-UI</role>
        <url>http://localhost:8090</url>
    </service>
</topology>
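
Added example, not part of the original thread or of the Knox project: a check of the `knoxsso.redirect.whitelist.regex` value from the KNOXSSO topology above against the `originalUrl` recorded in gateway-audit.log. It assumes the value is a semicolon-separated list of expressions and that the whole `originalUrl` must match one of them; the function names are hypothetical. It is a separate configuration check and does not address the token-request exception in the stack trace.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the KNOXSSO whitelist parameter from the topology above.
TOPOLOGY = r"""<topology><service><role>KNOXSSO</role>
  <param><name>knoxsso.redirect.whitelist.regex</name>
    <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
  </param></service></topology>"""

# Constructed sample: one gateway-audit.log entry from the thread, on one line.
AUDIT = [
    "17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128"
    "|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl="
    "https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY"
    "|success|Response status: 302",
]

def whitelist_patterns(topology_xml):
    """Compile knoxsso.redirect.whitelist.regex from the KNOXSSO service."""
    root = ET.fromstring(topology_xml)
    for param in root.iterfind("service[role='KNOXSSO']/param"):
        if param.findtext("name") == "knoxsso.redirect.whitelist.regex":
            # Assumption: the value is a semicolon-separated list of regexes.
            raw = param.findtext("value") or ""
            return [re.compile(p) for p in raw.split(";") if p]
    return []

def original_urls(audit_lines):
    """Extract originalUrl from KNOXSSO audit entries (field 5 = service, 11 = uri)."""
    urls = []
    for line in audit_lines:
        fields = line.split("|")
        if len(fields) > 11 and fields[5] == "KNOXSSO":
            urls += parse_qs(urlsplit(fields[11]).query).get("originalUrl", [])
    return urls

def is_allowed(url, patterns):
    # Assumption: the whole URL must match at least one expression.
    return any(p.fullmatch(url) for p in patterns)

def audit(topology_xml, audit_lines):
    """Pair every requested originalUrl with the whitelist decision."""
    patterns = whitelist_patterns(topology_xml)
    return [(u, is_allowed(u, patterns)) for u in original_urls(audit_lines)]

if __name__ == "__main__":
    for url, ok in audit(TOPOLOGY, AUDIT):
        print("allowed " if ok else "rejected", url)
```

With the values from the thread, the gateway's own address `83.212.114.145` is outside the localhost-only pattern, so the whitelist would need an expression covering that host for the post-login redirect to be accepted.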