[
https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andras Piros updated OOZIE-2427:
--------------------------------
Description:
With the kerberos authentication enabled, failed to load Oozie console due to
the authentication failure of the javascript resource under {{/ext-2.2}}. Go
back the Oozie log, the following error messages found:
{noformat}
21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request
[http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user
[knox] authenticated
2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request
[http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam]
triggering authentication
2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request
[http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam]
triggering authentication
2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**]
Authentication exception: GSSException: Failure unspecified at GSS-API level
(Mechanism level: Request is a replay (34))
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is
a replay (34))
at
org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
at
org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
{noformat}
Based on the analysis, the issue should related to is related to the jira
[*HADOOP-8830*|https://issues.apache.org/jira/browse/HADOOP-8830]:
{{org.apache.hadoop.security.authentication.server.AuthenticationFilter}} might
be called twice, causing kerberos replay errors.
# Current oozie leverages Hadoop for the authentication.
# Based on the resouce difference, it defines the filter for the
authentication, but for some resources such as some js under ext-2.2, they are
always authenticated twice, the reason is beacuse oozie has the following
filter definition:
{code:xml}
<filter-mapping>
<filter-name>authenticationfilter</filter-name>
<url-pattern>*.js</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>authenticationfilter</filter-name>
<url-pattern>/ext-2.2/*</url-pattern>
</filter-mapping>
{code}
With the issue in HADOOP-8830, the final authentication is failure, so we
finally get the error 403 in browser(which directly causes the console
disabled).
# For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug mode
is enabled, logs clearly show that.
was:
With the kerberos authentication enabled, failed to load Oozie console due to
the authentication failure of the javascript resource under /ext-2.2. Go back
the Oozie log, the following error messages found:
21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request
[http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user
[knox] authenticated
2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request
[http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam]
triggering authentication
2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request
[http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam]
triggering authentication
2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**]
Authentication exception: GSSException: Failure unspecified at GSS-API level
(Mechanism level: Request is a replay (34))
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is
a replay (34))
at
org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
at
org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
Based on the analysis, the issue should related to is related to the jira
HADOOP-8830:
org.apache.hadoop.security.authentication.server.AuthenticationFilter might be
called twice, causing kerberos replay errors
https://issues.apache.org/jira/browse/HADOOP-8830
1. Current oozie leverages Hadoop for the authentication.
2. Based on the resouce difference, it defines the filter for the
authentication, but for some resources such as some js under ext-2.2, they are
always authenticated twice, the reason is beacuse oozie has the following
filter definition:
<filter-mapping>
<filter-name>authenticationfilter</filter-name>
<url-pattern>*.js</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>authenticationfilter</filter-name>
<url-pattern>/ext-2.2/*</url-pattern>
</filter-mapping>
With the issue in HADOOP-8830, the final authentication is failure, so we
finally get the error 403 in browser(which directly causes the console
disabled).
3. For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug
mode is enabled, logs clearly show that.
> With Kerberos enabled, the authentication failure for the javascript
> resources under /ext-2.2
> ----------------------------------------------------------------------------------------------
>
> Key: OOZIE-2427
> URL: https://issues.apache.org/jira/browse/OOZIE-2427
> Project: Oozie
> Issue Type: Bug
> Components: security
> Affects Versions: 4.2.0
> Reporter: Gao Zhong Liang
> Priority: Major
> Fix For: trunk
>
> Attachments: OOZIE-2427.patch
>
>
> With the kerberos authentication enabled, failed to load Oozie console due to
> the authentication failure of the javascript resource under {{/ext-2.2}}. Go
> back the Oozie log, the following error messages found:
> {noformat}
> 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request
> [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user
> [knox] authenticated
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request
> [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam]
> triggering authentication
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request
> [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam]
> triggering authentication
> 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**]
> Authentication exception: GSSException: Failure unspecified at GSS-API level
> (Mechanism level: Request is a replay (34))
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> GSSException: Failure unspecified at GSS-API level (Mechanism level: Request
> is a replay (34))
> at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
> at
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
>
> {noformat}
> Based on the analysis, the issue should related to is related to the jira
> [*HADOOP-8830*|https://issues.apache.org/jira/browse/HADOOP-8830]:
> {{org.apache.hadoop.security.authentication.server.AuthenticationFilter}}
> might be called twice, causing kerberos replay errors.
> # Current oozie leverages Hadoop for the authentication.
> # Based on the resouce difference, it defines the filter for the
> authentication, but for some resources such as some js under ext-2.2, they
> are always authenticated twice, the reason is beacuse oozie has the following
> filter definition:
> {code:xml}
> <filter-mapping>
> <filter-name>authenticationfilter</filter-name>
> <url-pattern>*.js</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>authenticationfilter</filter-name>
> <url-pattern>/ext-2.2/*</url-pattern>
> </filter-mapping>
> {code}
> With the issue in HADOOP-8830, the final authentication is failure, so we
> finally get the error 403 in browser(which directly causes the console
> disabled).
> # For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug
> mode is enabled, logs clearly show that.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
