[
https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andras Piros updated OOZIE-2427:
--------------------------------
Summary: [Kerberos] Authentication failure for the javascript resources
under /ext-2.2 (was: With Kerberos enabled, the authentication failure for the
javascript resources under /ext-2.2 )
> [Kerberos] Authentication failure for the javascript resources under /ext-2.2
> -----------------------------------------------------------------------------
>
> Key: OOZIE-2427
> URL: https://issues.apache.org/jira/browse/OOZIE-2427
> Project: Oozie
> Issue Type: Bug
> Components: security
> Affects Versions: 4.2.0
> Reporter: Gao Zhong Liang
> Priority: Major
> Fix For: trunk
>
> Attachments: OOZIE-2427.patch
>
>
> With the kerberos authentication enabled, failed to load Oozie console due to
> the authentication failure of the javascript resource under {{/ext-2.2}}. Go
> back the Oozie log, the following error messages found:
> {noformat}
> 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request
> [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user
> [knox] authenticated
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request
> [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam]
> triggering authentication
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request
> [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam]
> triggering authentication
> 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**]
> Authentication exception: GSSException: Failure unspecified at GSS-API level
> (Mechanism level: Request is a replay (34))
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> GSSException: Failure unspecified at GSS-API level (Mechanism level: Request
> is a replay (34))
> at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
> at
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
>
> {noformat}
> Based on the analysis, the issue should related to is related to the jira
> [*HADOOP-8830*|https://issues.apache.org/jira/browse/HADOOP-8830]:
> {{org.apache.hadoop.security.authentication.server.AuthenticationFilter}}
> might be called twice, causing kerberos replay errors.
> # Current oozie leverages Hadoop for the authentication.
> # Based on the resouce difference, it defines the filter for the
> authentication, but for some resources such as some js under ext-2.2, they
> are always authenticated twice, the reason is beacuse oozie has the following
> filter definition:
> {code:xml}
> <filter-mapping>
> <filter-name>authenticationfilter</filter-name>
> <url-pattern>*.js</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>authenticationfilter</filter-name>
> <url-pattern>/ext-2.2/*</url-pattern>
> </filter-mapping>
> {code}
> With the issue in HADOOP-8830, the final authentication is failure, so we
> finally get the error 403 in browser(which directly causes the console
> disabled).
> # For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug
> mode is enabled, logs clearly show that.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
