[ https://issues.apache.org/jira/browse/KYLIN-2589?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Billy Liu updated KYLIN-2589: ----------------------------- Summary: Enhance thread-safe in Authentication (was: Errors in WebUI Authentication) > Enhance thread-safe in Authentication > ------------------------------------- > > Key: KYLIN-2589 > URL: https://issues.apache.org/jira/browse/KYLIN-2589 > Project: Kylin > Issue Type: Bug > Components: General > Affects Versions: v2.0.0 > Environment: EMR > Reporter: Young Wu > Assignee: Shaofeng SHI > Fix For: v2.1.0 > > Attachments: 2921494001551_.pic_hd.jpg, > KYLIN-2589-MessageDigest-is-not-thread-safe.patch, Screenshot 2017-05-06 > 12.29.34.png > > > There seems bugs exist in the webserver's authentication part in kylin. After > kylin run several hours, user will failed login with username/password. The > error reported in the log is "Encoded password cannot be null or empty". > Details: > {code} > May 02, 2017 2:15:59 PM org.apache.catalina.core.StandardWrapperValve invoke > SEVERE: Servlet.service() for servlet [kylin] in context with path [/kylin] > threw exception > java.lang.IllegalArgumentException: Encoded password cannot be null or empty > at > org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder.matches(BCryptPasswordEncoder.java:77) > at > org.springframework.security.authentication.dao.DaoAuthenticationProvider$1.isPasswordValid(DaoAuthenticationProvider.java:124) > at > org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:64) > at > org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:149) > at > org.apache.kylin.rest.security.KylinAuthenticationProvider.authenticate(KylinAuthenticationProvider.java:85) > at > org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) > at > org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) > at > org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:91) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) > at > org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) > at > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343) > at > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) > at > com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:209) > at > com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:244) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) > at > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436) > at > org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078) > at > org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) > at > org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > at java.lang.Thread.run(Thread.java:745) > {code} > The only solution is restart kylin timely. Restart can suppress this issue > several hours and then suddenly error comes back again. ISSUE detail is also > here: > http://apache-kylin.74782.x6.nabble.com/Re-Encoded-password-cannot-be-null-or-empty-when-login-into-kylin-s-web-UI-td7879.html#a7887 > It is not due to upgrade from 2.0.0-BETA to 2.0.0 since I've already cleaned > up all the info in hbase and spun up a brand new kylin-2.0.0, but the issue > is still there. > (Edited: This issue is solved by updating kylin 2.0.0 with commit hash > 375fd807c281d8c5deff0620747c806be2019782) > Another bug looks like also relates to authentication. It happens on kylin > query server when kylin is on a heavy load of query requests. With our 60QPS, > this issue has an appearance of 8 per hour. Details: > {code} > May 05, 2017 7:12:01 AM org.apache.catalina.core.StandardWrapperValve invoke > SEVERE: Servlet.service() for servlet [kylin] in context with path [/kylin] > threw exception > java.lang.ArrayIndexOutOfBoundsException > at sun.security.provider.DigestBase.engineUpdate(DigestBase.java:114) > at sun.security.provider.MD5.implDigest(MD5.java:101) > at sun.security.provider.DigestBase.engineDigest(DigestBase.java:181) > at sun.security.provider.DigestBase.engineDigest(DigestBase.java:160) > at > java.security.MessageDigest$Delegate.engineDigest(MessageDigest.java:592) > at java.security.MessageDigest.digest(MessageDigest.java:365) > at java.security.MessageDigest.digest(MessageDigest.java:411) > at > org.apache.kylin.rest.security.KylinAuthenticationProvider.authenticate(KylinAuthenticationProvider.java:76) > at > org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) > at > org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) > at > org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:91) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) > at > org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) > at > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343) > at > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) > at > com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:209) > at > com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:244) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) > at > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436) > at > org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078) > at > org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) > at > org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > at java.lang.Thread.run(Thread.java:745) > {code} -- This message was sent by Atlassian JIRA (v6.4.14#64029)