Any insight into the following error? Thanks, Prasad

From: "Prasad R. Nuamatha" <[email protected]>
To: [email protected]
Date: 06/03/2016 12:49 PM
Subject: Re: KNOX SSO issues

This email originated from outside of the company. Please use discretion if opening attachments or clicking on links.

Hi Larry,

We wanted to use federation authentication. So I went ahead and commented out the shiro provider and just enabled the site minder that was provided by my security team.

    <provider>
        <role>federation</role>
        <name>SiteMinder Identity Asserter</name>
        <enabled>true</enabled>
    </provider>

Following is the response from our team:

---
So we don't use Header authentication here, we use Siteminder session validation, i.e., when you log into Siteminder, a session cookie is set (called SMSESSION). This Federation provider will take that cookie and validate that it is a valid session. This is exactly what Larry describes as a Federation provider.
---

I am still receiving the error:

2016-06-03 12:43:47,685 ERROR hadoop.gateway (GatewayServlet.java:service(126)) - Gateway processing failed: javax.servlet.ServletException: java.lang.RuntimeException: java.lang.RuntimeException: PL00017: Configuration File missing:null
javax.servlet.ServletException: java.lang.RuntimeException: java.lang.RuntimeException: PL00017: Configuration File missing:null
    at org.apache.hadoop.gateway.GatewayFilter$Holder.getInstance(GatewayFilter.java:347)
    at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:314)
    at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:215)

Apologies if these are very basic mistakes.

Thanks
Prasad

From: larry mccay <[email protected]>
To: [email protected]
Date: 06/01/2016 04:31 PM
Subject: Re: KNOX SSO issues

Hi Prasad -

Let's step back so that some foundational things are more clear...

Authentication and Federation providers are two of the same sort of provider. The distinction really has remained in behavior rather than anything else, but I wanted to keep them separate in case they diverged at some point. Essentially, authentication providers enable Knox to collect credentials from the user for the purpose of authentication, whereas Federation providers somehow validate/verify an authentication event that has already occurred. They are at the moment mutually exclusive.

Identity assertion providers are used to determine the identity to be propagated to the Hadoop services via dispatch. These providers are related to authentication and federation providers but are not the same thing. An authenticated user identity may be mapped to another identity to be used inside the cluster with identity assertion providers. They may also add groups to the security context for the effective identity based on provider specific semantics and functionality.

Now, back to your topology...

You appear to have implemented a siteminder federation provider but have it configured along with the Shiro provider. I believe the second one is going to win and may be the source of your problem, but not entirely sure.

The other thing that I wonder is whether you mean to call it a siteminder identity assertion provider because you want to propagate the identity to a backend service via Knox in a SM_USER header. This might be a valid extension for Knox but would likely require a SMDispatch provider instead of identity assertion provider.

If what you want to do is accept an SM_USER and/or SM_GROUPS header as a federation provider then you should look at the HeaderPreAuth federation provider [1] which does exactly that.

Hope this is helpful.

--larry

1. http://knox.apache.org/books/knox-0-9-0/user-guide.html#Preauthenticated+SSO+Provider

On Wed, Jun 1, 2016 at 5:18 PM, Prasad R. Nuamatha <[email protected]> wrote:

We have used the following document and my security team was able to create the identity asserter for site minder for federated authentication.

https://cwiki.apache.org/confluence/display/KNOX/2015/12/18/Adding+a+Federation+Provider+to+Apache+Knox

When I am trying to use it I get the following error where it complains the configuration file is missing. I have attached the configuration file; if someone could please let me know where I am going wrong it will be greatly helpful.

2016-06-01 15:00:59,454 ERROR hadoop.gateway (GatewayServlet.java:service(126)) - Gateway processing failed: javax.servlet.ServletException: org.apache.shiro.subject.ExecutionException: java.security.PrivilegedActionException: javax.servlet.ServletException: java.lang.RuntimeException: java.lang.RuntimeException: PL00017: Configuration File missing:null
javax.servlet.ServletException: org.apache.shiro.subject.ExecutionException: java.security.PrivilegedActionException: javax.servlet.ServletException: java.lang.RuntimeException: java.lang.RuntimeException: PL00017: Configuration File missing:null
    at org.apache.shiro.web.servlet.AdviceFilter.cleanup(AdviceFilter.java:196)
    at org.apache.shiro.web.filter.authc.AuthenticatingFilter.cleanup(AuthenticatingFilter.java:155)

My configuration file:

    <topology>
        <gateway>
            <provider>
                <role>authentication</role>
                <name>ShiroProvider</name>
                <enabled>true</enabled>
                <param>
                    <name>sessionTimeout</name>
                    <value>30</value>
                </param>
                <param>
                    <name>main.ldapRealm</name>
                    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                </param>
                <param>
                    <name>main.ldapContextFactory</name>
                    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory</name>
                    <value>$ldapContextFactory</value>
                </param>
                <param>
                    <name>main.ldapRealm.userDnTemplate</name>
                    <value>cn={0},ou=***,o=**</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.url</name>
                    <value>ldap://***:389</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                    <value>simple</value>
                </param>
                <param>
                    <name>urls./**</name>
                    <value>authcBasic</value>
                </param>
            </provider>
            <provider>
                <role>federation</role>
                <name>SiteMinder Identity Asserter</name>
                <enabled>true</enabled>
            </provider>

** This email and any attachments may contain information that is confidential and/or privileged for the sole use of the intended recipient. Any use, review, disclosure, copying, distribution or reliance by others, and any forwarding of this email or its contents, without the express permission of the sender is strictly prohibited by law. If you are not the intended recipient, please contact the sender immediately, delete the e-mail and destroy all copies. **
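Larry's point that an authentication provider and a federation provider are mutually exclusive in one topology is easy to check mechanically before deploying. The following is an added example, not code from this thread or from Apache Knox: it parses a topology shaped like the one Prasad posted (a constructed sample with the site-specific LDAP params left out), lists the enabled providers per role, flags the conflicting mix, and emits a copy with the authentication provider switched off.

```python
# Added example (not from the thread or from Knox): lint a Knox topology for
# an enabled authentication provider sitting beside an enabled federation
# provider, which the thread describes as mutually exclusive, and fix it.
import xml.etree.ElementTree as ET

# Constructed sample shaped like Prasad's topology, LDAP params omitted.
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
    </provider>
    <provider>
      <role>federation</role>
      <name>SiteMinder Identity Asserter</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
</topology>"""


def enabled_providers(topology_xml):
    """Return {role: [name, ...]} for every provider whose <enabled> is true."""
    found = {}
    for prov in ET.fromstring(topology_xml).findall("./gateway/provider"):
        role = (prov.findtext("role") or "").strip()
        name = (prov.findtext("name") or "").strip()
        if (prov.findtext("enabled") or "false").strip().lower() == "true":
            found.setdefault(role, []).append(name)
    return found


def lint_topology(topology_xml):
    """Return findings as strings; an empty list means no conflicting providers."""
    providers = enabled_providers(topology_xml)
    findings = []
    if providers.get("authentication") and providers.get("federation"):
        findings.append("authentication %s and federation %s are both enabled"
                        % (providers["authentication"], providers["federation"]))
    return findings


def disable_role(topology_xml, role):
    """Return a copy of the topology with every `role` provider set to enabled=false."""
    root = ET.fromstring(topology_xml)
    for prov in root.findall("./gateway/provider"):
        enabled = prov.find("enabled")
        if (prov.findtext("role") or "").strip() == role and enabled is not None:
            enabled.text = "false"
    return ET.tostring(root, encoding="unicode")
```

Running `lint_topology(SAMPLE_TOPOLOGY)` yields one finding; `lint_topology(disable_role(SAMPLE_TOPOLOGY, "authentication"))` yields none, leaving only the federation provider enabled.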
