[ 
https://issues.apache.org/jira/browse/KNOX-1853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Miguel Revetria updated KNOX-1853:
----------------------------------
    Description: 
{{ShiroSubjectIdentityAdapter}} is throwing {{IllegalStateException}} when 
{{ShiroProvider}} is configured to request authentication for some paths but 
not all of them and the first request is made to an unauthenticated path.
  
 *Topology configuration:*
  
{code:xml}
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sessionTimeout</name>
        <value>1</value>
      </param>
      <param name="users.admin" value="admin-secret" />
      <param>
        <name>urls./jobhistory/conf/**</name>
        <value>authcBasic</value>
      </param>
    </provider>

    <provider>
      <role>hostmap</role>
      <name>static</name>
      <enabled>true</enabled>
      <param>
        <name>localhost</name>
        <value>sandbox,sandbox.hortonworks.com</value>
      </param>
    </provider>
  </gateway>

  <service>
    <role>RESOURCEMANAGER</role>
    <url>http://localhost:8088/ws</url>
  </service>

  <service>
    <role>YARNUI</role>
    <url>http://localhost:8088</url>
  </service>

  <service>
    <role>NODEUI</role>
    <url>http://localhost:8042</url>
  </service>

  <service>
    <role>JOBHISTORYUI</role>
    <url>http://localhost:19888</url>
  </service>
</topology>
{code}

  
Using the previous configuration, the following curl returns a 500 error:

{code}
 $ curl -Ik -X GET 'https://localhost:8443/gateway/sandbox/yarn'
 HTTP/1.1 500 Server Error
 Cache-Control: must-revalidate,no-cache,no-store
 Content-Type: text/html;charset=iso-8859-1
 Content-Length: 343
 Connection: close
 Server: Jetty(9.4.12.v20180830)
{code}
  
 The error logged in {{gateway.log}} is:
  
{code}
2019-04-12 11:36:43,054 ERROR knox.gateway (GatewayServlet.java:service(147)) - Gateway processing failed: javax.servlet.ServletException: Filtered request failed.
javax.servlet.ServletException: Filtered request failed.
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:384)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
    at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
    at org.apache.knox.gateway.filter.ResponseCookieFilter.doFilter(ResponseCookieFilter.java:50)
    at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
    at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
    at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
    at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
    at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
    at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
    at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
    at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:168)
    at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:91)
    at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:142)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:857)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
    at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:215)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:41)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:150)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:503)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.shiro.subject.ExecutionException: java.lang.IllegalStateException: Unable to determine authenticated user from Shiro, please check that your Knox Shiro configuration is correct
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:389)
    at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter.doFilter(ShiroSubjectIdentityAdapter.java:72)
    at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
    at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
    ... 59 more
Caused by: java.lang.IllegalStateException: Unable to determine authenticated user from Shiro, please check that your Knox Shiro configuration is correct
    at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:98)
    at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:75)
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
    ... 68 more
{code}
  
I'm looking for a way to let anonymous users navigate through some pages of 
the Hadoop Web UI while restricting access to certain pages (the job's 
configuration file), so sensitive information is not available to everyone with 
access to the web console, which is currently hosted in AWS EMR and available via a VPN.

Shiro seems to support anonymous users and path-based authentication, as pointed 
out in its docs, [here|https://shiro.apache.org/web.html#Web-webini]


> Can't perform path-based authentication using ShiroProvider
> -----------------------------------------------------------
>
>                 Key: KNOX-1853
>                 URL: https://issues.apache.org/jira/browse/KNOX-1853
>             Project: Apache Knox
>          Issue Type: Bug
>    Affects Versions: 1.2.0
>         Environment: Ubuntu 18.04
> Hadoop 2.8.5
> Knox 1.2.0
>            Reporter: Miguel Revetria
>            Priority: Major
>         Attachments: patch.patch



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
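
A way to see which request paths the reported `urls.*` rules leave without an authenticated subject, written as an added example that is not part of the original report or of Knox. It assumes Shiro matches the path inside the topology's context (so `/gateway/sandbox/yarn` is `/yarn`), that rules are evaluated in document order with the first match winning, and it uses a simplified Ant-style matcher; the request paths and the `SHADOWED` topology are constructed.

```python
import re
import xml.etree.ElementTree as ET

# ShiroProvider block copied from the topology in the report.
REPORTED = """
<topology><gateway><provider>
  <role>authentication</role>
  <name>ShiroProvider</name>
  <enabled>true</enabled>
  <param><name>sessionTimeout</name><value>1</value></param>
  <param name="users.admin" value="admin-secret" />
  <param><name>urls./jobhistory/conf/**</name><value>authcBasic</value></param>
</provider></gateway></topology>
"""

# Constructed variant: an 'anon' catch-all placed before the protected path.
SHADOWED = """
<topology><gateway><provider>
  <role>authentication</role>
  <name>ShiroProvider</name>
  <enabled>true</enabled>
  <param><name>urls./**</name><value>anon</value></param>
  <param><name>urls./jobhistory/conf/**</name><value>authcBasic</value></param>
</provider></gateway></topology>
"""

# Shiro default filters that force a login (assumption: only these two are used).
AUTHENTICATING = {"authc", "authcBasic"}


def ant_to_regex(pattern):
    """Simplified Ant matcher: '?' one char, '*' within a segment, '**' across segments."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?")  # trailing /** also matches the bare prefix
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def url_rules(topology_xml):
    """Return [(pattern, [filter names])] for ShiroProvider 'urls.*' params, in order."""
    rules = []
    for provider in ET.fromstring(topology_xml).iter("provider"):
        if provider.findtext("name", "").strip() != "ShiroProvider":
            continue
        for param in provider.iter("param"):
            # Params appear as child elements and, as in the report, as attributes.
            name = (param.findtext("name") or param.get("name") or "").strip()
            value = (param.findtext("value") or param.get("value") or "").strip()
            if name.startswith("urls."):
                filters = re.findall(r"(\w+)(?:\[[^\]]*\])?", value)
                rules.append((name[len("urls."):], filters))
    return rules


def decide(path, rules):
    """First matching pattern wins; return (pattern or None, True if a login is enforced)."""
    for pattern, filters in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, bool(AUTHENTICATING & set(filters))
    return None, False


def anonymous_paths(topology_xml, paths):
    """Paths that reach the filters after Shiro with no authenticated principal."""
    rules = url_rules(topology_xml)
    return [p for p in paths if not decide(p, rules)[1]]


if __name__ == "__main__":
    sample = ["/yarn", "/jobhistory", "/jobhistory/conf/job_1"]  # constructed
    for label, topo in (("reported", REPORTED), ("shadowed", SHADOWED)):
        print(label, "->", anonymous_paths(topo, sample))
```

With the reported topology, `/yarn` falls through every rule, which is the request that produced the 500 above; in the constructed `SHADOWED` variant the protected `/jobhistory/conf/**` path is also reached anonymously because the earlier `/**` rule matches first.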
