[
https://issues.apache.org/jira/browse/HDFS-14845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16928304#comment-16928304
]
Akira Ajisaka edited comment on HDFS-14845 at 9/12/19 7:21 AM:
---------------------------------------------------------------
Our settings related to AuthFilter are as follows
* hadoop.http.authentication.type:
org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
* httpfs.authentication.zk-dt-secret-manager.enable: true
* httpfs.authentication.type: kerberos
After HADOOP-16314, JWTRedirectAuthenticationHandler is enabled for httpfs in
addition to KerberosDelegationTokenAuthenticationHandler, which is set by
HttpFSAuthenticationFilter.
Now our workaround is to set "hadoop.http.authentication.type" to "simple" to
discard the common filter (JWTRedirectAuthenticationHandler) in httpfs.
was (Author: ajisakaa):
Our settings related to AuthFilter are as follows
* hadoop.http.authentication.type:
org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
* httpfs.authentication.zk-dt-secret-manager.enable: true
* httpfs.authentication.type: kerberos
After HADOOP-16366, JWTRedirectAuthenticationHandler is enabled for httpfs in
addition to KerberosDelegationTokenAuthenticationHandler, which is set by
HttpFSAuthenticationFilter.
Now our workaround is to set "hadoop.http.authentication.type" to "simple" to
discard the common filter (JWTRedirectAuthenticationHandler) in httpfs.
> Request is a replay (34) error in httpfs
> ----------------------------------------
>
> Key: HDFS-14845
> URL: https://issues.apache.org/jira/browse/HDFS-14845
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: httpfs
> Affects Versions: 3.3.0
> Environment: Kerberos and ZKDelgationTokenSecretManager enabled in
> HttpFS
> Reporter: Akira Ajisaka
> Priority: Critical
>
> We are facing "Request is a replay (34)" error when accessing to HDFS via
> httpfs on trunk.
> {noformat}
> % curl -i --negotiate -u : "https://<host>:4443/webhdfs/v1/?op=liststatus"
> HTTP/1.1 401 Authentication required
> Date: Mon, 09 Sep 2019 06:00:04 GMT
> Date: Mon, 09 Sep 2019 06:00:04 GMT
> Pragma: no-cache
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1; mode=block
> WWW-Authenticate: Negotiate
> Set-Cookie: hadoop.auth=; Path=/; Secure; HttpOnly
> Cache-Control: must-revalidate,no-cache,no-store
> Content-Type: text/html;charset=iso-8859-1
> Content-Length: 271
> HTTP/1.1 403 GSSException: Failure unspecified at GSS-API level (Mechanism
> level: Request is a replay (34))
> Date: Mon, 09 Sep 2019 06:00:04 GMT
> Date: Mon, 09 Sep 2019 06:00:04 GMT
> Pragma: no-cache
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1; mode=block
> (snip)
> Set-Cookie: hadoop.auth=; Path=/; Secure; HttpOnly
> Cache-Control: must-revalidate,no-cache,no-store
> Content-Type: text/html;charset=iso-8859-1
> Content-Length: 413
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 GSSException: Failure unspecified at GSS-API level
> (Mechanism level: Request is a replay (34))</title>
> </head>
> <body><h2>HTTP ERROR 403</h2>
> <p>Problem accessing /webhdfs/v1/. Reason:
> <pre> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Request is a replay (34))</pre></p>
> </body>
> </html>
> {noformat}
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
