Hi Larry,
We wanted to use federation authentication. So I went ahead and commented
out the shiro provider and just enabled the site minder that was provided
by my security team.
<provider>
    <role>federation</role>
    <name>SiteMinder Identity Asserter</name>
    <enabled>true</enabled>
</provider>
Following is the response from our team :
---
So we don't use Header authentication here, we use Siteminder session
validation, i.e., when you log into Siteminder, a session cookie is set
(called SMSESSION). This Federation provider will take that cookie and
validate that it is a valid session. This is exactly what Larry describes
as a Federation provider.
---
I am still receiving the error
2016-06-03 12:43:47,685 ERROR hadoop.gateway (GatewayServlet.java:service(126)) - Gateway processing failed: javax.servlet.ServletException: java.lang.RuntimeException: java.lang.RuntimeException: PL00017: Configuration File missing:null
javax.servlet.ServletException: java.lang.RuntimeException: java.lang.RuntimeException: PL00017: Configuration File missing:null
    at org.apache.hadoop.gateway.GatewayFilter$Holder.getInstance(GatewayFilter.java:347)
    at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:314)
    at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:215)
Apologies if these are very basic mistakes.
Thanks
Prasad
From: larry mccay <[email protected]>
To: [email protected]
Date: 06/01/2016 04:31 PM
Subject: Re: KNOX SSO issues
Hi Prasad -
Let's step back so that some foundational things are more clear...
Authentication and Federation providers are two of the same sort of
provider. The distinction really has remained in behavior rather than
anything else but I wanted to keep them separate in case they diverged at
some point. Essentially, authentication providers enable Knox to collect
credentials from the user for the purpose of authentication whereas
Federation providers somehow validate/verify an authentication event that
has already occurred.
They are at the moment mutually exclusive.
Identity assertion providers are used to determine the identity to be
propagated to the Hadoop services via dispatch. These providers are
related to authentication and federation providers but are not the same
thing. An authenticated user identity may be mapped to another identity to
be used inside the cluster with identity assertion providers. They may
also add groups to the security context for the effective identity based
on provider specific semantics and functionality.
Now, back to your topology...
You appear to have implemented a siteminder federation provider but have
it configured along with the Shiro provider. I believe the second one is
going to win and may be the source of your problem but not entirely sure.
The other thing that I wonder is whether you mean to call it a siteminder
identity assertion provider because you want to propagate the identity to
a backend service via Knox in a SM_USER header. This might be a valid
extension for Knox but would likely require a SMDispatch provider instead
of identity assertion provider.
If what you want to do is accept an SM_USER and/or SM_GROUPS header as a
federation provider then you should look at the HeaderPreAuth federation
provider [1] which does exactly that.
Hope this is helpful.
--larry
1. http://knox.apache.org/books/knox-0-9-0/user-guide.html#Preauthenticated+SSO+Provider
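To make the distinction between the three provider roles concrete, the following topology is an added example written for this page; it is neither the configuration file attached to the thread nor code from the Knox project. It uses the HeaderPreAuth federation provider from [1] in place of the custom "SiteMinder Identity Asserter", leaves the Shiro authentication provider present but disabled so the two do not compete, and adds a Default identity-assertion provider. The IP addresses, the WEBHDFS URL and the host name are placeholders; the SM_USER and SM_GROUPS header names and the parameter names are the ones documented in [1].

```xml
<topology>
  <gateway>

    <!-- Authentication provider: Knox collects the credentials itself.
         Authentication and federation providers are mutually exclusive,
         so this one stays disabled (or is removed) while the federation
         provider below is in use. -->
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>false</enabled>
    </provider>

    <!-- Federation provider: accepts an authentication event that already
         happened in front of Knox. HeaderPreAuth reads the user and group
         names from request headers (SM_USER / SM_GROUPS by default). -->
    <provider>
      <role>federation</role>
      <name>HeaderPreAuth</name>
      <enabled>true</enabled>
      <!-- Knox cannot tell a genuine SiteMinder header from one typed in by
           a client, so the header is only accepted from listed addresses.
           The addresses are placeholders for the SiteMinder web agent hosts.
           With preauth.default.validation instead, anyone who can reach the
           Knox port could impersonate any user by setting SM_USER. -->
      <param>
        <name>preauth.validation.method</name>
        <value>preauth.ip.validation</value>
      </param>
      <param>
        <name>preauth.ip.addresses</name>
        <value>10.0.0.5,10.0.0.6</value>
      </param>
      <param>
        <name>preauth.custom.header</name>
        <value>SM_USER</value>
      </param>
      <param>
        <name>preauth.custom.group.header</name>
        <value>SM_GROUPS</value>
      </param>
    </provider>

    <!-- Identity assertion provider: decides which principal (and groups)
         are propagated to the backend Hadoop services via dispatch. The
         Default asserter passes the authenticated name through unchanged;
         its principal.mapping / group.principal.mapping params would map it
         to a different cluster identity. -->
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>

  </gateway>

  <!-- A service entry is needed for the topology to route anything;
       WEBHDFS with a placeholder URL is used here only as an illustration. -->
  <service>
    <role>WEBHDFS</role>
    <url>http://namenode.example.com:50070/webhdfs</url>
  </service>
</topology>
```

The validation method is the security-relevant setting: Knox trusts whatever arrives in SM_USER, so the header must only be honoured from the hosts that actually sit behind SiteMinder, and end users must not be able to reach the Knox port directly with a header of their own.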
On Wed, Jun 1, 2016 at 5:18 PM, Prasad R. Nuamatha <[email protected]> wrote:
We have used the following document and my security team was able to
create the identity asserter for site minder for federated authentication.
https://cwiki.apache.org/confluence/display/KNOX/2015/12/18/Adding+a+Federation+Provider+to+Apache+Knox
When I am trying to use it I get the following error where it complains
the configuration file is missing. I have attached the configuration file;
if someone could please let me know where I am going wrong it will be
greatly helpful.
2016-06-01 15:00:59,454 ERROR hadoop.gateway (GatewayServlet.java:service(126)) - Gateway processing failed: javax.servlet.ServletException: org.apache.shiro.subject.ExecutionException: java.security.PrivilegedActionException: javax.servlet.ServletException: java.lang.RuntimeException: java.lang.RuntimeException: PL00017: Configuration File missing:null
javax.servlet.ServletException: org.apache.shiro.subject.ExecutionException: java.security.PrivilegedActionException: javax.servlet.ServletException: java.lang.RuntimeException: java.lang.RuntimeException: PL00017: Configuration File missing:null
    at org.apache.shiro.web.servlet.AdviceFilter.cleanup(AdviceFilter.java:196)
    at org.apache.shiro.web.filter.authc.AuthenticatingFilter.cleanup(AuthenticatingFilter.java:155)
My configuration file
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sessionTimeout</name>
        <value>30</value>
      </param>
      <param>
        <name>main.ldapRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
      </param>
      <param>
        <name>main.ldapContextFactory</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory</name>
        <value>$ldapContextFactory</value>
      </param>
      <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>cn={0},ou=***,o=**</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://***:389</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
      </param>
      <param>
        <name>urls./**</name>
        <value>authcBasic</value>
      </param>
    </provider>
    <provider>
      <role>federation</role>
      <name>SiteMinder Identity Asserter</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
</topology>
**
This email and any attachments may contain information that is
confidential and/or privileged for the sole use of the intended recipient.
Any use, review, disclosure, copying, distribution or reliance by others,
and any forwarding of this email or its contents, without the express
permission of the sender is strictly prohibited by law. If you are not the
intended recipient, please contact the sender immediately, delete the
e-mail and destroy all copies.
**