[
https://issues.apache.org/jira/browse/CALCITE-1922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16620656#comment-16620656
]
Kevin Risden commented on CALCITE-1922:
---------------------------------------
There is some renewed interest in fixing this in Jetty apparently.
[https://github.com/eclipse/jetty.project/issues/2868#issuecomment-421436035]
> Work around Jetty issue where Kerberos v5 OID is disallowed for SPNEGO
> authentication
> -------------------------------------------------------------------------------------
>
> Key: CALCITE-1922
> URL: https://issues.apache.org/jira/browse/CALCITE-1922
> Project: Calcite
> Issue Type: Bug
> Components: avatica
> Reporter: Josh Elser
> Assignee: Josh Elser
> Priority: Major
> Fix For: avatica-1.11.0
>
>
> This appears to be another Jetty bug around SPNEGO. Huge thank you to
> [~kishore1729] for his help in debugging this issue. I could not have done it
> without his help.
> Deploying the Avatica server behind a reverse-proxy, we observed that the
> server would deny the authentication requests from the client (whereas the
> client talking directly to Avatica was successful). Pardon the Phoenix
> classes instead of Avatica itself:
> {noformat}
> 2017-08-03 19:09:29,440 WARN org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService: GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept
>     at sun.security.jgss.GSSCredentialImpl.getElement(GSSCredentialImpl.java:600)
>     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:317)
>     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>     at org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:137)
>     at org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
>     at org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
>     at org.apache.calcite.avatica.server.AvaticaSpnegoAuthenticator.validateRequest(AvaticaSpnegoAuthenticator.java:43)
>     at org.apache.phoenix.shaded.org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:512)
>     at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
>     at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>     at org.apache.phoenix.shaded.org.eclipse.jetty.server.Server.handle(Server.java:499)
>     at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
>     at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>     at org.apache.phoenix.shaded.org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
>     at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>     at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>     at java.lang.Thread.run(Thread.java:748)
> 2017-08-03 19:09:29,441 DEBUG org.apache.calcite.avatica.server.AvaticaJsonHandler: HTTP request from 10.0.0.63 is unauthenticated and authentication is required
> {noformat}
> Investigating this further, we found that Jetty's SpnegoLoginService was
> explicitly only allowing an OID of 1.3.6.1.5.5.2 instead of allowing both
> 1.3.6.1.5.5.2 for SPNEGO and 1.2.840.113554.1.2.2 for Kerberos v5 (e.g. see
> Presto's SpnegoFilter class:
> https://github.com/prestodb/presto/blob/master/presto-main/src/main/java/com/facebook/presto/server/security/SpnegoFilter.java#L113-L114).
> Best as I can tell, this is a limitation in Jetty to only allow the SPNEGO
> OID and not both.
> We were able to observe that this wasn't a problem with the "stock" Avatica
> client that uses commons-httpclient because it sends both the Kerberos v5 OID
> and SPNEGO OID (each with data, of course).
> We need to add a workaround to Avatica while we get this upstream in Jetty.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
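The failure in the thread comes down to which mechanism OID sits at the front of the token a client puts in its "Authorization: Negotiate" header: a GSS-API initial context token (RFC 2743 section 3.1) starts with a 0x60 tag, a DER length, and the DER-encoded mechanism OID, and an acceptor whose credential was created for the SPNEGO OID (1.3.6.1.5.5.2) alone raises exactly the "No credential found for: 1.2.840.113554.1.2.2" error when a client sends a raw Kerberos v5 token instead. The script below is an added diagnostic example, not Avatica's or Jetty's code: it decodes the header, reports which mechanism OID the client chose, and says whether an acceptor limited to a given OID set would take it. The two sample headers are constructed here (the payload after the OID is filler, not a real AP-REQ); the fix on the Java side is to create the acceptor credential for both OIDs, which in JGSS means the `GSSManager.createCredential` overload that takes an `Oid[]`.

```python
import base64

# Mechanism OIDs in dotted form and as the DER TLVs found inside GSS-API tokens.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
SPNEGO_DER = bytes.fromhex("06062b0601050502")
KRB5_DER = bytes.fromhex("06092a864886f712010202")

MECH_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos v5"}


def _read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_length(n):
    """Encode a DER length (used only to frame the constructed samples)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_oid(body):
    """Decode the content bytes of a DER OID into dotted-decimal form."""
    if not body:
        raise ValueError("empty OID")
    parts = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 sub-identifier
            parts.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(p) for p in parts)


def mech_oid_of_token(token):
    """Return the mechanism OID that heads a GSS-API InitialContextToken."""
    if not token or token[0] != 0x60:
        raise ValueError("not a GSS-API initial context token (missing 0x60 tag)")
    _, pos = _read_length(token, 1)
    if token[pos] != 0x06:
        raise ValueError("expected an OID tag after the token header")
    oid_len, pos = _read_length(token, pos + 1)
    return decode_oid(token[pos:pos + oid_len])


def classify_negotiate_header(header_value, accepted_oids=(SPNEGO_OID,)):
    """Parse 'Negotiate <base64>' and report the client's mechanism and whether
    an acceptor credential limited to accepted_oids would accept the token.
    The default mirrors an acceptor created for the SPNEGO OID only."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate authorization header")
    oid = mech_oid_of_token(base64.b64decode(b64))
    return {"oid": oid, "mech": MECH_NAMES.get(oid, "unknown"), "accepted": oid in accepted_oids}


def build_token(mech_der, payload):
    """Frame a constructed GSS-API token: 0x60, DER length, mechanism OID, payload."""
    inner = mech_der + payload
    return b"\x60" + _der_length(len(inner)) + inner


# Constructed samples: a client that wraps its ticket in SPNEGO, and one that sends
# the Kerberos v5 mechanism directly (filler payloads, not real AP-REQ data).
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(build_token(SPNEGO_DER, b"\xa0\x03\x0a\x01\x00")).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(build_token(KRB5_DER, b"\x01\x00" + b"\x00" * 8)).decode()


if __name__ == "__main__":
    for label, header in (("spnego-client", SAMPLE_SPNEGO), ("krb5-client", SAMPLE_KRB5)):
        print(label, "spnego-only acceptor:", classify_negotiate_header(header))
        print(label, "both-OID acceptor:  ", classify_negotiate_header(header, (SPNEGO_OID, KRB5_OID)))
```

Run against a header captured from a client that fails through the proxy, the report shows whether the token leads with the Kerberos v5 OID; if it does and the acceptor's credential was built for SPNEGO only, the "No credential found" error is expected and the acceptor, not the proxy, needs to change.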