[ https://issues.apache.org/jira/browse/KNOX-916?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15949484#comment-15949484 ]

Shi Wang commented on KNOX-916:
-------------------------------

I can reproduce the error on a RH Linux 6.8 machine by running kinit for the knox 
principal (knox/_HOSTNAME in my case). Then 
curl -ik -u guest:guest-password -X GET 
https://knox_gateway:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS
shows a 401 error.

In the log, it will show:
2017-03-28 22:13:34,700 DEBUG auth.HttpAuthenticator 
(HttpAuthenticator.java:generateAuthResponse(198)) - Generating response to an 
authentication challenge using Negotiate scheme
2017-03-28 22:13:34,701 DEBUG auth.SPNegoScheme 
(GGSSchemeBase.java:authenticate(216)) - init knox_gateway
2017-03-28 22:13:34,801 WARN  auth.HttpAuthenticator 
(HttpAuthenticator.java:generateAuthResponse(207)) - NEGOTIATE authentication 
error: No valid credentials provided (Mechanism level: No valid credentials 
provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! 
(null)))

But if there is no valid ticket cached for knox, it will send the encoded token 
correctly, like:
2017-03-28 22:27:50,084 DEBUG auth.SPNegoScheme 
(GGSSchemeBase.java:authenticate(240)) - Sending response 
'YIIFDwYGKwYBBQUCoIIFAzCCBP+gDTALBgkqhkiG9xIBAgKhBAMCAfaiggTmBIIE4mCCBN4GCSqGSIb3EgECAgEAboIEzTCC.....
 back to the auth server

Also, if you look at the JAAS files for other services, like the HBase REST 
server and region server, they all use the keytab principal for authentication 
instead of a cached ticket. I am concerned that allowing both the ticket cache 
and the keytab to be used will cause some issues.

Can anyone address the reason why the JAAS file for Knox is configured this way? 
Thanks! 

> When REST endpoint enables SPNEGO and there is valid kerberos ticket cache 
> for knox user, REST call through knox will show 401 error
> ------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KNOX-916
>                 URL: https://issues.apache.org/jira/browse/KNOX-916
>             Project: Apache Knox
>          Issue Type: Bug
>    Affects Versions: 0.11.0
>            Reporter: Shi Wang
>            Assignee: Shi Wang
>
> For example, if webhdfs uses SPNEGO authentication and you curl through knox, 
> then su to knoxuser and run klist: if there is a valid kerberos ticket cached 
> for knoxuser, it will show a 401 unauthorized error. But if the cached ticket 
> has expired or there is no cached ticket, you get the correct 200 result.
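The comment above suspects a JAAS login entry that enables both the keytab and the ticket cache, so that a valid TGT sitting in the knox user's cache is picked up in place of the keytab. The script below is an added example, not Knox's own configuration or code: it embeds two constructed Krb5LoginModule entries (the keytab path, hostname and realm are placeholders) and a small check that flags the mixed-credential combination and points at useTicketCache=false as the keytab-only setting. It assumes JAAS options are written as name=value without surrounding spaces.

```shell
#!/bin/sh
# Added example (not part of Knox): detect a Krb5LoginModule entry that sets
# both useKeyTab=true and useTicketCache=true, the combination suspected of
# letting a cached TGT override the keytab credentials during SPNEGO.

# Constructed JAAS entry using both keytab and ticket cache (placeholders).
SUSPECT_JAAS='
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/knox/conf/knox.service.keytab"
  principal="knox/gateway.example.com@EXAMPLE.COM"
  storeKey=true
  isInitiator=true
  doNotPrompt=true
  useTicketCache=true;
};
'

# Constructed keytab-only variant: only useTicketCache differs.
FIXED_JAAS='
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/knox/conf/knox.service.keytab"
  principal="knox/gateway.example.com@EXAMPLE.COM"
  storeKey=true
  isInitiator=true
  doNotPrompt=true
  useTicketCache=false;
};
'

# jaas_option FILE NAME: print the value of option NAME (last occurrence wins,
# as a later duplicate would in the file), or "unset" when absent.
jaas_option() {
    val=$(sed -n "s/^[[:space:]]*$2=\([^[:space:];]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# jaas_mixed_credentials FILE: exit 0 when the entry would use both a keytab
# and the ticket cache, exit 1 otherwise.
jaas_mixed_credentials() {
    [ "$(jaas_option "$1" useKeyTab)" = true ] &&
    [ "$(jaas_option "$1" useTicketCache)" = true ]
}

# write_jaas NAME CONTENT: write CONTENT to a temp file and print its path.
write_jaas() {
    f=$(mktemp "${TMPDIR:-/tmp}/jaas.$1.XXXXXX")
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# check_gateway_jaas FILE: report the finding; exit 1 on the mixed setting.
check_gateway_jaas() {
    if jaas_mixed_credentials "$1"; then
        echo "WARN $1: useKeyTab=true and useTicketCache=true; a valid TGT in" \
             "the knox user's cache can be used instead of the keytab." \
             "Set useTicketCache=false for a keytab-only initiator."
        return 1
    fi
    echo "OK   $1: keytab-only initiator (useTicketCache=$(jaas_option "$1" useTicketCache))"
}

# Stand-alone run: the suspect entry is flagged, the fixed one passes.
suspect=$(write_jaas suspect "$SUSPECT_JAAS")
fixed=$(write_jaas fixed "$FIXED_JAAS")
check_gateway_jaas "$suspect" || true
check_gateway_jaas "$fixed"
```

Run it as the gateway user against the real JAAS file by passing that path to check_gateway_jaas; pairing the result with `klist -s` (which exits 0 only when the user's cache holds a valid ticket) tells you whether the mixed setting is currently live on that host.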
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)