Alexandre Linte created KNOX-746:
------------------------------------

             Summary: Unstable LDAP authentication
                 Key: KNOX-746
                 URL: https://issues.apache.org/jira/browse/KNOX-746
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
    Affects Versions: 0.9.1
         Environment: Knox 0.9.1, Hadoop 2.7.2
            Reporter: Alexandre Linte


I'm upgrading Knox from 0.7.0 to 0.9.1. My LDAP configuration doesn't change 
between the two versions. You can find the topology below:
{noformat}
<topology>

    <gateway>

        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapContextFactory</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory</name>
                <value>$ldapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>cn={0},ou=users,ou=kerberos,dc=bigdata,dc=fr</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://ldapmaster01.bigdata.fr:389</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>main.cacheManager</name>
                <value>org.apache.shiro.cache.ehcache.EhCacheManager</value>
            </param>
            <param>
                <name>main.securityManager.cacheManager</name>
                <value>$cacheManager</value>
            </param>
            <param>
                <name>main.ldapRealm.authenticationCachingEnabled</name>
                <value>true</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>

        <provider>
            <role>ha</role>
            <name>HaProvider</name>
            <enabled>true</enabled>
            <param>
                <name>WEBHDFS</name>
                <value>maxFailoverAttempts=3;failoverSleep=1000;maxRetryAttempts=300;retrySleep=1000;enabled=true</value>
            </param>
        </provider>

        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>     

        <provider>
            <role>hostmap</role>
            <name>static</name>
            <enabled>true</enabled>
            <param>
                <name>localhost</name>
                <value>sandbox,sandbox.hortonworks.com</value>
            </param>
        </provider>

    </gateway>

    <service>
        <role>NAMENODE</role>
        <url>hdfs://namenode01.bigdata.fr:8020</url>
    </service>

    <service>
        <role>RESOURCEMANAGER</role>
        <url>http://rm01.bigdata.fr:8088/ws</url>
    </service>

    <service>
        <role>JOBTRACKER</role>
        <url>rpc://rm01.bigdata.fr:8050</url>
    </service>

    <service>
        <role>WEBHDFS</role>
        <url>http://namenode01.bigdata.fr:50070/webhdfs</url>
        <url>http://namenode02.bigdata.fr:50070/webhdfs</url>
    </service>

    <service>
        <role>YARNUI</role>
        <url>http://rm02.bigdata.fr:8088</url>
    </service>

    <service>
        <role>HDFSUI</role>
        <url>http://namenode01.bigdata.fr:50070</url>
    </service>

    <service>
        <role>JOBHISTORYUI</role>
        <url>http://namenode01.bigdata.fr:19888</url>
    </service>  

    <service>
        <role>WEBHCAT</role>
        <url>http://metastore01.bigdata.fr:50111/templeton</url>
    </service>

    <service>
        <role>OOZIE</role>
        <url>http://oozie01.bigdata.fr:11000/oozie</url>
    </service>

    <service>
        <role>OOZIEUI</role>
        <url>http://oozie01.bigdata.fr:11000/oozie</url>
    </service>

    <service>
        <role>WEBHBASE</role>
        <url>http://hiveserver01.bigdata.fr:8080</url>
    </service>

    <service>
        <role>HBASEUI</role>
        <url>http://namenode01.bigdata.fr:16010</url>
    </service>

    <service>
        <role>HIVE</role>
        <url>http://hiveserver01.bigdata.fr:10001/bdcorp</url>
    </service>

    <service>
        <role>SPARKHISTORYUI</role>
        <url>http://sparkhistory01.bigdata.fr:18080</url>
    </service>

</topology>     
{noformat}

Note: The XML is correct but I cannot validate the topology through knoxcli.

{noformat}
[root@uabigknox01 current]# ./bin/knoxcli.sh validate-topology --cluster bigdata

File to be validated:
/opt/application/Knox/knox-0.9.1/bin/../conf/topologies/bigdata.xml
==========================================
Error retrieving schema from ClassLoader

Topology validation unsuccessful
{noformat}

Regularly, I cannot connect to Knox with my personal account, and after a few 
seconds or minutes I can connect again. The stack trace is below:

{noformat}
Aug 25 09:42:16 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayComputed userDn: cn=shfs3453,ou=users,ou=kerberos,dc=bigdata,dc=fr using dnTemplate for principal: shfs3453
Aug 25 09:42:16 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayCould not login: org.apache.shiro.authc.UsernamePasswordToken - shfs3453, rememberMe=false (192.168.64.169)
Aug 25 09:42:16 knox01.bigdata.fr knox ERROR - org.apache.hadoop.gatewayShiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
Aug 25 09:42:32 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayComputed userDn: cn=shfs3453,ou=users,ou=kerberos,dc=bigdata,dc=fr using dnTemplate for principal: shfs3453
{noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
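Added example, not part of the report or of the Knox project: a stdlib-only Python check that pulls the ShiroProvider parameters out of a Knox topology like the one above and flags the settings a security reviewer would question: a simple bind over plain ldap://, Shiro authentication caching, a userDnTemplate without the {0} placeholder, and HTTP Basic on every URL. The embedded sample is the report's authentication provider trimmed to the parameters checked; the finding codes, the messages and the "hardened" variant (ldaps:// on 636, caching off) are this example's own choices, not Knox defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the ShiroProvider from the reported topology, trimmed to the
# parameters this check inspects. Other providers and <service> entries are omitted.
TOPOLOGY = """\
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param><name>sessionTimeout</name><value>30</value></param>
      <param><name>main.ldapRealm</name><value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value></param>
      <param><name>main.ldapRealm.userDnTemplate</name><value>cn={0},ou=users,ou=kerberos,dc=bigdata,dc=fr</value></param>
      <param><name>main.ldapRealm.contextFactory.url</name><value>ldap://ldapmaster01.bigdata.fr:389</value></param>
      <param><name>main.ldapRealm.contextFactory.authenticationMechanism</name><value>simple</value></param>
      <param><name>main.ldapRealm.authenticationCachingEnabled</name><value>true</value></param>
      <param><name>urls./**</name><value>authcBasic</value></param>
    </provider>
  </gateway>
</topology>
"""

# Hypothetical hardened variant of the same provider (assumed host/port, not from the report).
HARDENED_TOPOLOGY = (
    TOPOLOGY
    .replace("ldap://ldapmaster01.bigdata.fr:389", "ldaps://ldapmaster01.bigdata.fr:636")
    .replace("<name>main.ldapRealm.authenticationCachingEnabled</name><value>true</value>",
             "<name>main.ldapRealm.authenticationCachingEnabled</name><value>false</value>")
)


def shiro_params(topology_xml):
    """Return {param name: value} of the enabled ShiroProvider, or {} if there is none."""
    root = ET.fromstring(topology_xml)
    for prov in root.iter("provider"):
        if (prov.findtext("role", "").strip() == "authentication"
                and prov.findtext("name", "").strip() == "ShiroProvider"
                and prov.findtext("enabled", "false").strip().lower() == "true"):
            return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
                    for p in prov.findall("param")}
    return {}


def audit_shiro(params):
    """Return a list of (code, message) findings; codes are this example's own names."""
    findings = []
    url = params.get("main.ldapRealm.contextFactory.url", "")
    if url.lower().startswith("ldap://"):
        # Shiro's simple bind sends the user's password to the directory in clear.
        findings.append(("PLAINTEXT_BIND",
                         f"bind URL {url} is not TLS; every login sends the password in clear, use ldaps://"))
    if params.get("main.ldapRealm.authenticationCachingEnabled", "false").lower() == "true":
        # Shiro caches AuthenticationInfo per principal and matches later attempts against
        # the cached entry, so LDAP password changes or lockouts take effect only on eviction.
        findings.append(("AUTHN_CACHE",
                         "authenticationCachingEnabled=true: LDAP password changes and lockouts "
                         "are not enforced until the cache entry expires"))
    template = params.get("main.ldapRealm.userDnTemplate")
    if template is not None and "{0}" not in template:
        findings.append(("DN_TEMPLATE", f"userDnTemplate {template!r} has no {{0}} placeholder"))
    if params.get("urls./**", "") == "authcBasic":
        # Basic auth puts the password in the Authorization header of every request.
        findings.append(("BASIC_AUTH_EVERYWHERE",
                         "authcBasic on /**: credentials travel with each request; gateway must be TLS-only"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("reported", TOPOLOGY), ("hardened", HARDENED_TOPOLOGY)):
        print(label)
        for code, msg in audit_shiro(shiro_params(xml_text)):
            print(f"  {code}: {msg}")
```

The check deliberately reads only what is in the topology; it does not know whether gateway-site.xml has SSL enabled, which is why the Basic-auth finding is phrased as a condition to verify rather than a defect.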
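Added example, not part of the report or of Knox: a Python detector over gateway log lines in the format quoted above. Knox logs the failing principal and source address on the "Could not login" line and the LDAP result on the following ERROR line, so the parser pairs the two before counting. It then classifies each source IP as sporadic (what the report shows), brute-force (many failures against one account in a short window) or password-spray (many failures spread over several accounts). The sample log reuses the report's lines unwrapped and adds constructed events: a second failure for the same user, and a burst from 10.0.0.7 that is invented to show the contrast. The window and thresholds are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The first three lines are quoted from the report (unwrapped);
# everything after them is invented for this example.
REPORTED = """\
Aug 25 09:42:16 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayComputed userDn: cn=shfs3453,ou=users,ou=kerberos,dc=bigdata,dc=fr using dnTemplate for principal: shfs3453
Aug 25 09:42:16 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayCould not login: org.apache.shiro.authc.UsernamePasswordToken - shfs3453, rememberMe=false (192.168.64.169)
Aug 25 09:42:16 knox01.bigdata.fr knox ERROR - org.apache.hadoop.gatewayShiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
Aug 25 09:42:32 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayComputed userDn: cn=shfs3453,ou=users,ou=kerberos,dc=bigdata,dc=fr using dnTemplate for principal: shfs3453
Aug 25 09:44:01 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayCould not login: org.apache.shiro.authc.UsernamePasswordToken - shfs3453, rememberMe=false (192.168.64.169)
Aug 25 09:44:01 knox01.bigdata.fr knox ERROR - org.apache.hadoop.gatewayShiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
"""
# Invented burst: eight failures in eight seconds from one client, rotating over four accounts.
BURST = "".join(
    f"Aug 25 09:50:{i:02d} knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayCould not login: "
    f"org.apache.shiro.authc.UsernamePasswordToken - user{i % 4}, rememberMe=false (10.0.0.7)\n"
    f"Aug 25 09:50:{i:02d} knox01.bigdata.fr knox ERROR - org.apache.hadoop.gatewayShiro unable to login: "
    f"javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]\n"
    for i in range(8)
)
SAMPLE_LOG = REPORTED + BURST

# syslog-style prefix: "<Mon dd HH:MM:SS> <host> knox <LEVEL> - <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) knox (?P<level>[A-Z]+) - (?P<msg>.*)$")
# Searched, not anchored, because the logger name runs straight into the message text.
LOGIN_RE = re.compile(r"Could not login: org\.apache\.shiro\.authc\.UsernamePasswordToken - (?P<user>[^,]+), rememberMe=(?:true|false) \((?P<ip>[^)]+)\)")
LDAP49_RE = re.compile(r"\[LDAP: error code 49 - ")


def parse_failures(text, year=2016):
    """Return [(timestamp, user, ip)] for each login that LDAP rejected with result code 49.

    The syslog timestamp carries no year, so one is assumed (parameter, default 2016).
    """
    failures, pending = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        lm = LOGIN_RE.search(m["msg"])
        if lm:
            pending = (ts, lm["user"], lm["ip"])   # remember who was trying, wait for the verdict
            continue
        if m["level"] == "ERROR" and LDAP49_RE.search(m["msg"]) and pending is not None:
            failures.append(pending)
            pending = None
    return failures


def classify(failures, window=timedelta(seconds=60), burst_threshold=5, spray_threshold=3):
    """Map each source IP to 'sporadic', 'brute-force' or 'password-spray' (assumed thresholds)."""
    by_ip = defaultdict(list)
    for ts, user, ip in failures:
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):             # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        distinct_users = len({u for _, u in events})
        if peak >= burst_threshold and distinct_users >= spray_threshold:
            verdicts[ip] = "password-spray"
        elif peak >= burst_threshold:
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "sporadic"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip:16} {verdict}")
```

The "Computed userDn" lines are parsed but ignored: they record an attempt, not an outcome, and the ERROR line on its own names neither user nor client, which is why the pairing step is needed before any per-IP counting makes sense.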