[ https://issues.apache.org/jira/browse/CALCITE-1922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Josh Elser resolved CALCITE-1922.
---------------------------------
    Resolution: Fixed

Fixed in https://git-wip-us.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=d19740921dfab7fae981bc10c07fd1bcbd9de56b

> Work around Jetty issue where Kerberos v5 OID is disallowed for SPNEGO authentication
> -------------------------------------------------------------------------------------
>
>                 Key: CALCITE-1922
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1922
>             Project: Calcite
>          Issue Type: Bug
>          Components: avatica
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: avatica-1.11.0
>
>
> This appears to be another Jetty bug around SPNEGO. Huge thank you to [~kishore1729] for his help in debugging this issue. I could not have done it without his help.
>
> Deploying the Avatica server behind a reverse-proxy, we observed that the server would deny the authentication requests from the client (whereas the client talking directly to Avatica was successful). Pardon the Phoenix classes instead of Avatica itself:
>
> {noformat}
> 2017-08-03 19:09:29,440 WARN org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService:
> GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept
>         at sun.security.jgss.GSSCredentialImpl.getElement(GSSCredentialImpl.java:600)
>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:317)
>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:137)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
>         at org.apache.calcite.avatica.server.AvaticaSpnegoAuthenticator.validateRequest(AvaticaSpnegoAuthenticator.java:43)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:512)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.Server.handle(Server.java:499)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>         at java.lang.Thread.run(Thread.java:748)
> 2017-08-03 19:09:29,441 DEBUG org.apache.calcite.avatica.server.AvaticaJsonHandler: HTTP request from 10.0.0.63 is unauthenticated and authentication is required
> {noformat}
>
> Investigating this further, we found that Jetty's SpnegoLoginService was explicitly only allowing an OID of 1.3.6.1.5.5.2 instead of allowing both 1.3.6.1.5.5.2 for SPNEGO and 1.2.840.113554.1.2.2 for Kerberos v5 (e.g. see Presto's SpnegoFilter class: https://github.com/prestodb/presto/blob/master/presto-main/src/main/java/com/facebook/presto/server/security/SpnegoFilter.java#L113-L114). Best as I can tell, this is a limitation in Jetty to only allow the SPNEGO OID and not both.
>
> We were able to observe that this wasn't a problem with the "stock" Avatica client that uses commons-httpclient because it sends both the Kerberos v5 OID and SPNEGO OID (each with data, of course).
>
> We need to add a workaround to Avatica while we get this upstream in Jetty.