[jira] [Commented] (OOZIE-2427) With Kerberos enabled, the authentication failure for the javascript resources under /ext-2.2
[ https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16447494#comment-16447494 ] Kevin Risden commented on OOZIE-2427: - The patch from this issue fixed the exact same error message about "Request is a replay". Our Kerberos authentication is backed by Active Directory and we are on Oozie 4.2.0. > With Kerberos enabled, the authentication failure for the javascript > resources under /ext-2.2 > -- > > Key: OOZIE-2427 > URL: https://issues.apache.org/jira/browse/OOZIE-2427 > Project: Oozie > Issue Type: Bug > Components: security >Affects Versions: 4.2.0 >Reporter: Gao Zhong Liang >Priority: Major > Fix For: trunk > > Attachments: OOZIE-2427.patch > > > With the kerberos authentication enabled, failed to load Oozie console due to > the authentication failure of the javascript resource under /ext-2.2. Go back > the Oozie log, the following error messages found: > 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request > [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user > [knox] authenticated > 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request > [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] > triggering authentication > 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request > [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] > triggering authentication > 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] > Authentication exception: GSSException: Failure unspecified at GSS-API level > (Mechanism level: Request is a replay (34)) > org.apache.hadoop.security.authentication.client.AuthenticationException: > GSSException: Failure unspecified at GSS-API level (Mechanism level: Request > is a replay (34)) > at > org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398) > at > org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519) > > Based on the analysis, the issue should related to is related to the jira > HADOOP-8830: > org.apache.hadoop.security.authentication.server.AuthenticationFilter might > be called twice, causing kerberos replay errors > https://issues.apache.org/jira/browse/HADOOP-8830 > 1. Current oozie leverages Hadoop for the authentication. > 2. Based on the resouce difference, it defines the filter for the > authentication, but for some resources such as some js under ext-2.2, they > are always authenticated twice, the reason is beacuse oozie has the following > filter definition: > > > authenticationfilter > *.js > > > authenticationfilter > /ext-2.2/* > > With the issue in HADOOP-8830, the final authentication is failure, so we > finally get the error 403 in browser(which directly causes the console > disabled). > > 3. For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug > mode is enabled, logs clearly show that. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-2427) With Kerberos enabled, the authentication failure for the javascript resources under /ext-2.2
[
https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16396112#comment-16396112
]
Hadoop QA commented on OOZIE-2427:
--
Testing JIRA OOZIE-2427
Cleaning local git workspace
{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
.{color:green}+1{color} the patch does not introduce any @author tags
.{color:green}+1{color} the patch does not introduce any tabs
.{color:green}+1{color} the patch does not introduce any trailing spaces
.{color:green}+1{color} the patch does not introduce any line longer than
132
.{color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
.{color:green}+1{color} the patch does not seem to introduce new RAT
warnings
{color:green}+1 JAVADOC{color}
.{color:green}+1{color} the patch does not seem to introduce new Javadoc
warnings
.{color:red}WARNING{color}: the current HEAD has 100 Javadoc warning(s)
{color:green}+1 COMPILE{color}
.{color:green}+1{color} HEAD compiles
.{color:green}+1{color} patch compiles
.{color:green}+1{color} the patch does not seem to introduce new javac
warnings
{color:green}+1{color} There are no new bugs found in total.
. {color:green}+1{color} There are no new bugs found in [examples].
. {color:green}+1{color} There are no new bugs found in [core].
. {color:green}+1{color} There are no new bugs found in [sharelib/distcp].
. {color:green}+1{color} There are no new bugs found in [sharelib/hive].
. {color:green}+1{color} There are no new bugs found in [sharelib/pig].
. {color:green}+1{color} There are no new bugs found in [sharelib/spark].
. {color:green}+1{color} There are no new bugs found in [sharelib/hive2].
. {color:green}+1{color} There are no new bugs found in [sharelib/hcatalog].
. {color:green}+1{color} There are no new bugs found in [sharelib/sqoop].
. {color:green}+1{color} There are no new bugs found in [sharelib/oozie].
. {color:green}+1{color} There are no new bugs found in [sharelib/streaming].
. {color:green}+1{color} There are no new bugs found in [webapp].
. {color:green}+1{color} There are no new bugs found in [tools].
. {color:green}+1{color} There are no new bugs found in [docs].
. {color:green}+1{color} There are no new bugs found in [server].
. {color:green}+1{color} There are no new bugs found in [client].
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.{color:green}+1{color} the patch does not change any JPA
Entity/Colum/Basic/Lob/Transient annotations
.{color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color}
.Tests run: 2092
.Tests failed: 17
.Tests errors: 12
.The patch failed the following testcases:
testCoordActionRecoveryServiceForWaitingRegisterPartition(org.apache.oozie.service.TestRecoveryService)
testCoordinatorActionSelectors(org.apache.oozie.jms.TestJMSJobEventListener)
testCoordinatorActionSelectorsNegative(org.apache.oozie.jms.TestJMSJobEventListener)
testWorkflowJobSelectors(org.apache.oozie.jms.TestJMSJobEventListener)
testOnCoordinatorJobSuccessEvent(org.apache.oozie.jms.TestJMSJobEventListener)
testOnWorkflowJobSuspendEvent(org.apache.oozie.jms.TestJMSJobEventListener)
testWorkflowJobSelectorsAnd(org.apache.oozie.jms.TestJMSJobEventListener)
testOnCoordinatorJobFailureEvent(org.apache.oozie.jms.TestJMSJobEventListener)
testConnectionDrop(org.apache.oozie.jms.TestJMSJobEventListener)
testWorkflowJobSelectorsNegative(org.apache.oozie.jms.TestJMSJobEventListener)
testWorkflowJobSelectorsOr(org.apache.oozie.jms.TestJMSJobEventListener)
testOnWorkflowJobSuccessEvent(org.apache.oozie.jms.TestJMSJobEventListener)
testOnCoordinatorActionWaitingEvent(org.apache.oozie.jms.TestJMSJobEventListener)
testOnWorkflowJobFailureEvent(org.apache.oozie.jms.TestJMSJobEventListener)
testOnCoordinatorActionStartEvent(org.apache.oozie.jms.TestJMSJobEventListener)
testOnWorkflowJobStartedEvent(org.apache.oozie.jms.TestJMSJobEventListener)
testPartitionDependency(org.apache.oozie.service.TestPartitionDependencyManagerService)
.Tests failing with errors:
testOnSLADurationMetEvent(org.apache.oozie.jms.TestJMSSLAEventListener)
testOnSLAStartMetEvent(org.apache.oozie.jms.TestJMSSLAEventListener)
testSLAJobSelectorsNegative(org.apache.oozie.jms.TestJMSSLAEventListener)
testOnSLAEndMetEvent(org.apache.oozie.jms.TestJMSSLAEventListener)
testOnSLAStartMissEvent(org.apache.oozie.jms.TestJMSSLAEventListener)
testSLAJobSelectors(org.apache.oozie.jms.TestJMSSLAEventListener)
testOnSLAEndMissEvent(org.apache.oozie.jms.TestJMSSLAEventListener)
testOnSLADurationMissEvent(org.apache.oozie.jms.TestJMSSLAEventListener)
testDropEventTypeMessage(org.apache.oozie.jms.TestHCatMessageHandler)
testCacheUpdateByMessage(org.apache.oozie.jms.TestHCatMessageHandler)
testThreadLocalSession(org.apache.oozie.jms.TestDefaultConnectionContext)
[jira] [Commented] (OOZIE-2427) With Kerberos enabled, the authentication failure for the javascript resources under /ext-2.2
[ https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395814#comment-16395814 ] Hadoop QA commented on OOZIE-2427: -- PreCommit-OOZIE-Build started > With Kerberos enabled, the authentication failure for the javascript > resources under /ext-2.2 > -- > > Key: OOZIE-2427 > URL: https://issues.apache.org/jira/browse/OOZIE-2427 > Project: Oozie > Issue Type: Bug > Components: security >Affects Versions: 4.2.0 >Reporter: Gao Zhong Liang >Priority: Major > Fix For: trunk > > Attachments: OOZIE-2427.patch > > > With the kerberos authentication enabled, failed to load Oozie console due to > the authentication failure of the javascript resource under /ext-2.2. Go back > the Oozie log, the following error messages found: > 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request > [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user > [knox] authenticated > 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request > [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] > triggering authentication > 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request > [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] > triggering authentication > 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] > Authentication exception: GSSException: Failure unspecified at GSS-API level > (Mechanism level: Request is a replay (34)) > org.apache.hadoop.security.authentication.client.AuthenticationException: > GSSException: Failure unspecified at GSS-API level (Mechanism level: Request > is a replay (34)) > at > org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398) > at > org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519) > > Based on the analysis, the issue should related to is related to the jira > HADOOP-8830: > org.apache.hadoop.security.authentication.server.AuthenticationFilter might > be called twice, causing kerberos replay errors > https://issues.apache.org/jira/browse/HADOOP-8830 > 1. Current oozie leverages Hadoop for the authentication. > 2. Based on the resouce difference, it defines the filter for the > authentication, but for some resources such as some js under ext-2.2, they > are always authenticated twice, the reason is beacuse oozie has the following > filter definition: > > > authenticationfilter > *.js > > > authenticationfilter > /ext-2.2/* > > With the issue in HADOOP-8830, the final authentication is failure, so we > finally get the error 403 in browser(which directly causes the console > disabled). > > 3. For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug > mode is enabled, logs clearly show that. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OOZIE-2427) With Kerberos enabled, the authentication failure for the javascript resources under /ext-2.2
[
https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15397008#comment-15397008
]
Hadoop QA commented on OOZIE-2427:
--
Testing JIRA OOZIE-2427
Cleaning local git workspace
{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
.{color:green}+1{color} the patch does not introduce any @author tags
.{color:green}+1{color} the patch does not introduce any tabs
.{color:green}+1{color} the patch does not introduce any trailing spaces
.{color:green}+1{color} the patch does not introduce any line longer than
132
.{color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
.{color:green}+1{color} the patch does not seem to introduce new RAT
warnings
{color:green}+1 JAVADOC{color}
.{color:green}+1{color} the patch does not seem to introduce new Javadoc
warnings
{color:red}-1 COMPILE{color}
.{color:red}-1{color} HEAD does not compile
.{color:red}-1{color} patch does not compile
.{color:green}+1{color} the patch does not seem to introduce new javac
warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.{color:green}+1{color} the patch does not change any JPA
Entity/Colum/Basic/Lob/Transient annotations
.{color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color} - patch does not compile, cannot run testcases
{color:green}+1 DISTRO{color}
.{color:green}+1{color} distro tarball builds with the patch
{color:red}*-1 Overall result, please check the reported -1(s)*{color}
The full output of the test-patch run is available at
. https://builds.apache.org/job/oozie-trunk-precommit-build/3125/
> With Kerberos enabled, the authentication failure for the javascript
> resources under /ext-2.2
> --
>
> Key: OOZIE-2427
> URL: https://issues.apache.org/jira/browse/OOZIE-2427
> Project: Oozie
> Issue Type: Bug
> Components: security
>Affects Versions: 4.2.0
>Reporter: Gao Zhong Liang
> Fix For: trunk
>
> Attachments: OOZIE-2427.patch
>
>
> With the kerberos authentication enabled, failed to load Oozie console due to
> the authentication failure of the javascript resource under /ext-2.2. Go back
> the Oozie log, the following error messages found:
> 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request
> [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user
> [knox] authenticated
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request
> [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam]
> triggering authentication
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request
> [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam]
> triggering authentication
> 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**]
> Authentication exception: GSSException: Failure unspecified at GSS-API level
> (Mechanism level: Request is a replay (34))
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> GSSException: Failure unspecified at GSS-API level (Mechanism level: Request
> is a replay (34))
> at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
> at
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
>
> Based on the analysis, the issue should related to is related to the jira
> HADOOP-8830:
> org.apache.hadoop.security.authentication.server.AuthenticationFilter might
> be called twice, causing kerberos replay errors
> https://issues.apache.org/jira/browse/HADOOP-8830
> 1. Current oozie leverages Hadoop for the authentication.
> 2. Based on the resouce difference, it defines the filter for the
> authentication, but for some resources such as some js under ext-2.2, they
> are always authenticated twice, the reason is beacuse oozie has the following
> filter definition:
>
>
> authenticationfilter
> *.js
>
>
> authenticationfilter
> /ext-2.2/*
>
> With the issue in HADOOP-8830, the final authentication is failure, so we
> finally get the error 403 in browser(which directly causes the console
> disabled).
>
> 3. For 2), it just hit the issue in Jira HADOOP-8830, if the oozie's debug
> mode is enabled, logs clearly show that.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (OOZIE-2427) With Kerberos enabled, the authentication failure for the javascript resources under /ext-2.2
[
https://issues.apache.org/jira/browse/OOZIE-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15082675#comment-15082675
]
Hadoop QA commented on OOZIE-2427:
--
Testing JIRA OOZIE-2427
Cleaning local git workspace
{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
.{color:green}+1{color} the patch does not introduce any @author tags
.{color:green}+1{color} the patch does not introduce any tabs
.{color:green}+1{color} the patch does not introduce any trailing spaces
.{color:green}+1{color} the patch does not introduce any line longer than
132
.{color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
.{color:green}+1{color} the patch does not seem to introduce new RAT
warnings
{color:green}+1 JAVADOC{color}
.{color:green}+1{color} the patch does not seem to introduce new Javadoc
warnings
{color:green}+1 COMPILE{color}
.{color:green}+1{color} HEAD compiles
.{color:green}+1{color} patch compiles
.{color:green}+1{color} the patch does not seem to introduce new javac
warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.{color:green}+1{color} the patch does not change any JPA
Entity/Colum/Basic/Lob/Transient annotations
.{color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color}
.Tests run: 1703
.Tests failed: 6
.Tests errors: 0
.The patch failed the following testcases:
.
testBundleStatusTransitWithLock(org.apache.oozie.service.TestStatusTransitService)
.
testCoordChangeConcurrency(org.apache.oozie.command.coord.TestCoordChangeXCommand)
. testForNoDuplicates(org.apache.oozie.event.TestEventGeneration)
. testPurgeWFWithSubWF1(org.apache.oozie.command.TestPurgeXCommand)
. testPurgeXCommandFailed(org.apache.oozie.command.TestPurgeXCommand)
. testSamplers(org.apache.oozie.util.TestMetricsInstrumentation)
{color:green}+1 DISTRO{color}
.{color:green}+1{color} distro tarball builds with the patch
{color:red}*-1 Overall result, please check the reported -1(s)*{color}
The full output of the test-patch run is available at
. https://builds.apache.org/job/oozie-trunk-precommit-build/2693/
> With Kerberos enabled, the authentication failure for the javascript
> resources under /ext-2.2
> --
>
> Key: OOZIE-2427
> URL: https://issues.apache.org/jira/browse/OOZIE-2427
> Project: Oozie
> Issue Type: Bug
> Components: security
>Affects Versions: 4.2.0
>Reporter: Gao Zhong Liang
> Fix For: trunk
>
> Attachments: OOZIE-2427.patch
>
>
> With the kerberos authentication enabled, failed to load Oozie console due to
> the authentication failure of the javascript resource under /ext-2.2. Go back
> the Oozie log, the following error messages found:
> 21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request
> [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user
> [knox] authenticated
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request
> [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam]
> triggering authentication
> 2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request
> [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam]
> triggering authentication
> 2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**]
> Authentication exception: GSSException: Failure unspecified at GSS-API level
> (Mechanism level: Request is a replay (34))
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> GSSException: Failure unspecified at GSS-API level (Mechanism level: Request
> is a replay (34))
> at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
> at
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
>
> Based on the analysis, the issue should related to is related to the jira
> HADOOP-8830:
> org.apache.hadoop.security.authentication.server.AuthenticationFilter might
> be called twice, causing kerberos replay errors
> https://issues.apache.org/jira/browse/HADOOP-8830
> 1. Current oozie leverages Hadoop for the authentication.
> 2. Based on the resouce difference, it defines the filter for the
> authentication, but for some resources such as some js under ext-2.2, they
> are always authenticated twice, the reason is beacuse oozie has the following
> filter definition:
>
>
> authenticationfilter
> *.js
>
>
> authenticationfilter
> /ext-2.2/*
>
> With the issue
