Alexandre Linte created KNOX-746:
------------------------------------

             Summary: Unstable LDAP authentication
                 Key: KNOX-746
                 URL: https://issues.apache.org/jira/browse/KNOX-746
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
    Affects Versions: 0.9.1
         Environment: Knox 0.9.1, Hadoop 2.7.2
            Reporter: Alexandre Linte

I'm upgrading Knox from 0.7.0 to 0.9.1. My LDAP configuration doesn't change between the two versions. You can find the topology below:

{noformat}
<topology>
    <gateway>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapContextFactory</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory</name>
                <value>$ldapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>cn={0},ou=users,ou=kerberos,dc=bigdata,dc=fr</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://ldapmaster01.bigdata.fr:389</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>main.cacheManager</name>
                <value>org.apache.shiro.cache.ehcache.EhCacheManager</value>
            </param>
            <param>
                <name>main.securityManager.cacheManager</name>
                <value>$cacheManager</value>
            </param>
            <param>
                <name>main.ldapRealm.authenticationCachingEnabled</name>
                <value>true</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>ha</role>
            <name>HaProvider</name>
            <enabled>true</enabled>
            <param>
                <name>WEBHDFS</name>
                <value>maxFailoverAttempts=3;failoverSleep=1000;maxRetryAttempts=300;retrySleep=1000;enabled=true</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
        <provider>
            <role>hostmap</role>
            <name>static</name>
            <enabled>true</enabled>
            <param>
                <name>localhost</name>
                <value>sandbox,sandbox.hortonworks.com</value>
            </param>
        </provider>
    </gateway>
    <service>
        <role>NAMENODE</role>
        <url>hdfs://namenode01.bigdata.fr:8020</url>
    </service>
    <service>
        <role>RESOURCEMANAGER</role>
        <url>http://rm01.bigdata.fr:8088/ws</url>
    </service>
    <service>
        <role>JOBTRACKER</role>
        <url>rpc://rm01.bigdata.fr:8050</url>
    </service>
    <service>
        <role>WEBHDFS</role>
        <url>http://namenode01.bigdata.fr:50070/webhdfs</url>
        <url>http://namenode02.bigdata.fr:50070/webhdfs</url>
    </service>
    <service>
        <role>YARNUI</role>
        <url>http://rm02.bigdata.fr:8088</url>
    </service>
    <service>
        <role>HDFSUI</role>
        <url>http://namenode01.bigdata.fr:50070</url>
    </service>
    <service>
        <role>JOBHISTORYUI</role>
        <url>http://namenode01.bigdata.fr:19888</url>
    </service>
    <service>
        <role>WEBHCAT</role>
        <url>http://metastore01.bigdata.fr:50111/templeton</url>
    </service>
    <service>
        <role>OOZIE</role>
        <url>http://oozie01.bigdata.fr:11000/oozie</url>
    </service>
    <service>
        <role>OOZIEUI</role>
        <url>http://oozie01.bigdata.fr:11000/oozie</url>
    </service>
    <service>
        <role>WEBHBASE</role>
        <url>http://hiveserver01.bigdata.fr:8080</url>
    </service>
    <service>
        <role>HBASEUI</role>
        <url>http://namenode01.bigdata.fr:16010</url>
    </service>
    <service>
        <role>HIVE</role>
        <url>http://hiveserver01.bigdata.fr:10001/bdcorp</url>
    </service>
    <service>
        <role>SPARKHISTORYUI</role>
        <url>http://sparkhistory01.bigdata.fr:18080</url>
    </service>
</topology>
{noformat}

Note: The XML is correct but I cannot validate the topology through knoxcli.

{noformat}
[root@uabigknox01 current]# ./bin/knoxcli.sh validate-topology --cluster bigdata
File to be validated: /opt/application/Knox/knox-0.9.1/bin/../conf/topologies/bigdata.xml
==========================================
Error retrieving schema from ClassLoader
Topology validation unsuccessful
{noformat}

Regularly I cannot connect to Knox with my personal account and after a few seconds or minutes, I can connect again.

The stack trace is below:

{noformat}
Aug 25 09:42:16 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayComputed userDn: cn=shfs3453,ou=users,ou=kerberos,dc=bigdata,dc=fr using dnTemplate for principal: shfs3453
Aug 25 09:42:16 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayCould not login: org.apache.shiro.authc.UsernamePasswordToken - shfs3453, rememberMe=false (192.168.64.169)
Aug 25 09:42:16 knox01.bigdata.fr knox ERROR - org.apache.hadoop.gatewayShiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
Aug 25 09:42:32 knox01.bigdata.fr knox INFO - org.apache.hadoop.gatewayComputed userDn: cn=shfs3453,ou=users,ou=kerberos,dc=bigdata,dc=fr using dnTemplate for principal: shfs3453
{noformat}
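
Added example, not part of the original report and not Knox code: a triage script that reads gateway log lines in the format quoted above and labels each principal as intermittent (a failed bind followed by an accepted one within a short window, the pattern the report describes), failing, or ok. Assumptions: the sample log is constructed, the year is supplied because the timestamps omit it, and a "Computed userDn" line with no following "Could not login" line for the same principal is treated as a successful login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the report's log format (users, host and IPs are made up).
P = "knox.example knox INFO - org.apache.hadoop.gateway"
SAMPLE_LOG = "\n".join([
    f"Aug 25 09:42:16 {P}Computed userDn: cn=alice,ou=users,dc=example using dnTemplate for principal: alice",
    f"Aug 25 09:42:16 {P}Could not login: org.apache.shiro.authc.UsernamePasswordToken - alice, rememberMe=false (192.0.2.10)",
    f"Aug 25 09:42:32 {P}Computed userDn: cn=alice,ou=users,dc=example using dnTemplate for principal: alice",
    f"Aug 25 09:43:01 {P}Computed userDn: cn=bob,ou=users,dc=example using dnTemplate for principal: bob",
    f"Aug 25 09:43:01 {P}Could not login: org.apache.shiro.authc.UsernamePasswordToken - bob, rememberMe=false (192.0.2.11)",
    f"Aug 25 09:43:05 {P}Computed userDn: cn=bob,ou=users,dc=example using dnTemplate for principal: bob",
    f"Aug 25 09:43:05 {P}Could not login: org.apache.shiro.authc.UsernamePasswordToken - bob, rememberMe=false (192.0.2.11)",
    f"Aug 25 09:44:00 {P}Computed userDn: cn=carol,ou=users,dc=example using dnTemplate for principal: carol",
])

ATTEMPT = re.compile(r"^(\w{3} +\d+ [\d:]{8}) .*Computed userDn: .* for principal: (\S+)")
FAILURE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) .*Could not login: .*UsernamePasswordToken - ([^,\s]+),")

def parse_ts(stamp, year=2016):
    # Syslog-style timestamps carry no year; the default here is an assumption.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def classify(log_text, window=timedelta(minutes=10)):
    """Return {principal: 'ok' | 'intermittent' | 'failing'}."""
    attempts = defaultdict(list)  # principal -> [[time, failed], ...]
    for line in log_text.splitlines():
        if m := ATTEMPT.match(line):
            attempts[m.group(2)].append([parse_ts(m.group(1)), False])
        elif (m := FAILURE.match(line)) and attempts.get(m.group(2)):
            attempts[m.group(2)][-1][1] = True  # mark the latest attempt as rejected
    verdicts = {}
    for user, seq in attempts.items():
        failed = [t for t, bad in seq if bad]
        accepted = [t for t, bad in seq if not bad]
        # Rejected, then accepted shortly after: points at the gateway or directory side.
        recovered = any(timedelta(0) <= s - f <= window for f in failed for s in accepted)
        if not failed:
            verdicts[user] = "ok"
        else:
            verdicts[user] = "intermittent" if recovered else "failing"
    return verdicts

if __name__ == "__main__":
    for user, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{user}: {verdict}")
```

A principal that is only ever "failing" is more consistent with a wrong or repeatedly guessed password than with the instability reported here.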