[ 
https://issues.apache.org/jira/browse/KNOX-1853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16816632#comment-16816632
 ] 

Miguel Revetria edited comment on KNOX-1853 at 4/15/19 5:37 PM:
----------------------------------------------------------------

I'm wondering if at that point (where the exception is thrown) we can trust 
that {{Shiro}} has validated the request, i.e. it has authenticated the user if 
the URL's path was configured to use {{authcBasic}}. If so, I guess 
{{ShiroProvider}} can continue processing the request instead of crashing.

I've tried this approach locally and it seems to work: I can navigate through 
the Hadoop UI anonymously, and then when I tried to load a secured path (e.g. 
{{/jobhistory/conf/job_1555073080493_0014}}), basic authentication is requested.

I'm attaching a patch with the changes: [^patch.patch]


was (Author: remer88):
I'm wondering if at that point (where the exception is thrown) we can trust 
that `Shiro` has validated the request, i.e. authenticated the user if the URL's 
path was configured to use `authcBasic`. If so, I guess `ShiroProvider` can 
continue processing the request instead of crashing.

I've tried this approach locally and it seems to work: I can navigate through 
the Hadoop UI anonymously, and then when I tried to load a secured path (e.g. 
`/jobhistory/conf/job_1555073080493_0014`), basic authentication is requested.

I'm attaching a patch with the changes: [^patch.patch]

> Can't perform path-based authentication using ShiroProvider
> -----------------------------------------------------------
>
>                 Key: KNOX-1853
>                 URL: https://issues.apache.org/jira/browse/KNOX-1853
>             Project: Apache Knox
>          Issue Type: Bug
>    Affects Versions: 1.2.0
>         Environment: Ubuntu 18.04
> Hadoop 2.8.5
> Knox 1.2.0
>            Reporter: Miguel Revetria
>            Priority: Major
>         Attachments: patch.patch
>
>
> {{ShiroSubjectIdentityAdapter}} is throwing {{IllegalStateException}} when 
> {{ShiroProvider}} is configured to request authentication for some paths but 
> not all of them and the first request is made to an unauthenticated path.
>   
>  *Topology configuration:*
>   
> {code:xml}
>  <topology>
>    <gateway>
>      <provider>
>        <role>authentication</role>
>        <name>ShiroProvider</name>
>        <enabled>true</enabled>
>        <param>
>          <name>sessionTimeout</name>
>          <value>1</value>
>        </param>
>        <param name="users.admin" value="admin-secret" />
>        <param>
>          <name>urls./jobhistory/conf/**</name>
>          <value>authcBasic</value>
>        </param>
>      </provider>
>      <provider>
>        <role>hostmap</role>
>        <name>static</name>
>        <enabled>true</enabled>
>        <param>
>          <name>localhost</name>
>          <value>sandbox,sandbox.hortonworks.com</value>
>        </param>
>      </provider>
>    </gateway>
>    <service>
>      <role>RESOURCEMANAGER</role>
>      <url>http://localhost:8088/ws</url>
>    </service>
>    <service>
>      <role>YARNUI</role>
>      <url>http://localhost:8088</url>
>    </service>
>    <service>
>      <role>NODEUI</role>
>      <url>http://localhost:8042</url>
>    </service>
>    <service>
>      <role>JOBHISTORYUI</role>
>      <url>http://localhost:19888</url>
>    </service>
>  </topology>{code}
>   
>  Using the previous configuration, the following curl returns a 500 error:
> {code}
>  $ curl -Ik -X GET 'https://localhost:8443/gateway/sandbox/yarn'
>  HTTP/1.1 500 Server Error
>  Cache-Control: must-revalidate,no-cache,no-store
>  Content-Type: text/html;charset=iso-8859-1
>  Content-Length: 343
>  Connection: close
>  Server: Jetty(9.4.12.v20180830)
> {code}
>   
>  The error logged in {{gateway.log}} is:
>   
> {code}
>  2019-04-12 11:36:43,054 ERROR knox.gateway (GatewayServlet.java:service(147)) - Gateway processing failed: javax.servlet.ServletException: Filtered request failed.
>  javax.servlet.ServletException: Filtered request failed.
>  at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:384)
>  at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>  at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
>  at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
>  at org.apache.knox.gateway.filter.ResponseCookieFilter.doFilter(ResponseCookieFilter.java:50)
>  at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
>  at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
>  at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
>  at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
>  at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
>  at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
>  at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
>  at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:168)
>  at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:91)
>  at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:142)
>  at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:857)
>  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
>  at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:215)
>  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
>  at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
>  at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
>  at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
>  at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
>  at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
>  at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
>  at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
>  at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
>  at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
>  at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
>  at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
>  at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
>  at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
>  at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
>  at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
>  at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
>  at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
>  at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
>  at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:41)
>  at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
>  at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:150)
>  at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>  at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
>  at org.eclipse.jetty.server.Server.handle(Server.java:503)
>  at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
>  at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
>  at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
>  at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
>  at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411)
>  at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305)
>  at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
>  at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
>  at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
>  at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
>  at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
>  at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
>  at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
>  at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
>  at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
>  at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
>  at java.lang.Thread.run(Thread.java:748)
>  Caused by: org.apache.shiro.subject.ExecutionException: java.lang.IllegalStateException: Unable to determine authenticated user from Shiro, please check that your Knox Shiro configuration is correct
>  at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:389)
>  at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter.doFilter(ShiroSubjectIdentityAdapter.java:72)
>  at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
>  at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
>  at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>  at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>  at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>  at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>  at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
>  at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>  ... 59 more
>  Caused by: java.lang.IllegalStateException: Unable to determine authenticated user from Shiro, please check that your Knox Shiro configuration is correct
>  at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:98)
>  at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:75)
>  at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>  at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>  at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
>  ... 68 more
> {code}
>   
>  I'm looking for a way to let anonymous users navigate through some pages of 
> the Hadoop Web UI while restricting access to certain pages (the job's 
> configuration file), so sensitive information is not available to everyone 
> with access to the web console, which is currently hosted in AWS EMR and 
> available via a VPN.
> Shiro seems to support anonymous users and path-based authentication, as 
> pointed out in its docs, [here|https://shiro.apache.org/web.html#Web-webini]
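
A small model of the behaviour discussed in this thread, added here as an illustration; it is not the attached patch and not Knox or Shiro code. It assumes paths are matched relative to the topology, uses a simplified Ant-style matcher, and the function names and the `anonymous_fallback` flag are hypothetical.

```python
import hmac
import re

# Constructed from the topology on this page ("urls.*" and "users.*" params).
URLS = [("/jobhistory/conf/**", "authcBasic")]
USERS = {"admin": "admin-secret"}

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: ? = one char, * = one segment, ** = any depth."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out, i = out + "(/.*)?", i + 3   # trailing /** also matches the bare prefix
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out)

def resolve_filter(path, urls=URLS):
    """First matching pattern wins; None means no auth filter runs for this path."""
    for pattern, filter_name in urls:
        if ant_to_regex(pattern).fullmatch(path):
            return filter_name
    return None

def handle(path, credentials=None, anonymous_fallback=False):
    """Return (status, identity) for one request through the modelled chain."""
    principal = None
    if resolve_filter(path) == "authcBasic":
        user, password = credentials or ("", "")
        if user not in USERS or not hmac.compare_digest(USERS[user], password):
            return 401, None                 # Basic challenge; adapter never reached
        principal = user
    if principal is None:                    # the null-principal case in the stack trace
        if not anonymous_fallback:
            return 500, None                 # IllegalStateException -> 500 Server Error
        return 200, "anonymous"              # hypothetical fallback, as the comment proposes
    return 200, principal

if __name__ == "__main__":
    for p in ("/yarn", "/jobhistory/conf/job_1555073080493_0014", "/jobhistory/job/x"):
        print(p, handle(p), handle(p, anonymous_fallback=True))
```

With the fallback enabled, every path that no `urls.` pattern covers is served anonymously, so the pattern list becomes the whole access policy and each sensitive path needs its own entry.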


