[jira] [Created] (KNOX-1853) Can't perform path-based authentication using ShiroProvider

Fri, 12 Apr 2019 07:55:21 -0700 

Miguel Revetria created KNOX-1853:
-------------------------------------

             Summary: Can't perform path-based authentication using 
ShiroProvider
                 Key: KNOX-1853
                 URL: https://issues.apache.org/jira/browse/KNOX-1853
             Project: Apache Knox
          Issue Type: Bug
    Affects Versions: 1.2.0
         Environment: Ubuntu 18.04
Hadoop 2.8.5
Knox 1.2.0
            Reporter: Miguel Revetria


`ShiroSubjectIdentityAdapter` is throwing `IllegalStateException` when 
`ShiroProvider` is configured to request authentication for some paths but not 
all of them and the first request is done to an unauthenticated paths.
 
*Topology configuration:*
 
```
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sessionTimeout</name>
        <value>1</value>
      </param>
      <param name="users.admin" value="admin-secret" />
      <param>
        <name>urls./jobhistory/conf/**</name>
        <value>authcBasic</value>
      </param>
    </provider>

    <provider>
      <role>hostmap</role>
      <name>static</name>
      <enabled>true</enabled>
      <param>
        <name>localhost</name>
        <value>sandbox,sandbox.hortonworks.com</value>
      </param>
    </provider>
  </gateway>

  <service>
    <role>RESOURCEMANAGER</role>
    <url>http://localhost:8088/ws</url>
  </service>

  <service>
    <role>YARNUI</role>
    <url>http://localhost:8088</url>
  </service>

  <service>
    <role>NODEUI</role>
    <url>http://localhost:8042</url>
  </service>

  <service>
    <role>JOBHISTORYUI</role>
    <url>http://localhost:19888</url>
  </service>
</topology>
```
 
Using previous configuration, next curl is returning a 500 error

```
$ curl -Ik -X GET 'https://localhost:8443/gateway/sandbox/yarn'
HTTP/1.1 500 Server Error
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 343
Connection: close
Server: Jetty(9.4.12.v20180830)
```
 
The error logged in `gateway.log` is:
 
```
2019-04-12 11:36:43,054 ERROR knox.gateway (GatewayServlet.java:service(147)) - 
Gateway processing failed: javax.servlet.ServletException: Filtered request 
failed.
javax.servlet.ServletException: Filtered request failed.
        at 
org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:384)
        at 
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at 
org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
        at 
org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
        at 
org.apache.knox.gateway.filter.ResponseCookieFilter.doFilter(ResponseCookieFilter.java:50)
        at 
org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
        at 
org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
        at 
org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
        at 
org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
        at 
org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
        at 
org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
        at 
org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
        at 
org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:168)
        at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:91)
        at 
org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:142)
        at 
org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:857)
        at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
        at 
org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:215)
        at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
        at 
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
        at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
        at 
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
        at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at 
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
        at 
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
        at 
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
        at 
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
        at 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
        at 
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
        at 
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
        at 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
        at 
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
        at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
        at 
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
        at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at 
org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
        at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at 
org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:41)
        at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at 
org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:150)
        at 
org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
        at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at org.eclipse.jetty.server.Server.handle(Server.java:503)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
        at 
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
        at 
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411)
        at 
org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305)
        at 
org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
        at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
        at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
        at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
        at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
        at 
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
        at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
        at 
org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.shiro.subject.ExecutionException: 
java.lang.IllegalStateException: Unable to determine authenticated user from 
Shiro, please check that your Knox Shiro configuration is correct
        at 
org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:389)
        at 
org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter.doFilter(ShiroSubjectIdentityAdapter.java:72)
        at 
org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
        at 
org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
        at 
org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
        at 
org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
        at 
org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
        at 
org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
        at 
org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
        at 
org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
        ... 59 more
Caused by: java.lang.IllegalStateException: Unable to determine authenticated 
user from Shiro, please check that your Knox Shiro configuration is correct
        at 
org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:98)
        at 
org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:75)
        at 
org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
        at 
org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
        at 
org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
        ... 68 more
```
 
I'm looking for a way to let anonymous users navigate through some pages at 
Hadoop Web UI but restricting access to certain pages (job's configurations 
file) so sensitive information is not available to everyone with access to web 
console, which is currently hosted in AWS EMR and available via a VPN.

Shiro seems to support anonymous users and path-based authentication as pointed 
out on its  docs, [here|https://shiro.apache.org/web.html#Web-webini]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to