Hi Prasad -

I have tried grepping the Knox code for that "Configuration File missing"
message and don't see anything.
Is that a string in your custom provider?

Also, what version of Knox are you using? The line numbers in the stack
trace do not line up with master or 0.9.0.

It does seem to look like it is calling the init method on the provider's
filter implementation though.

thanks,

--larry

On Wed, Jun 8, 2016 at 5:33 PM, Prasad R. Nuamatha <[email protected]> wrote:

> Any insight into the following error ?
>
> Thanks
> Prasad
>
>
>
> From:        "Prasad R. Nuamatha" <[email protected]>
> To:        [email protected]
> Date:        06/03/2016 12:49 PM
>
> Subject:        Re: KNOX SSO issues
> ------------------------------
>
>
> Hi Larry,
> We wanted to use federation authentication. So I went ahead and commented
> out the shiro provider and just enabled the site minder that was provided
> by my security team.
>
>       <provider>
>           <role>federation</role>
>           <name>SiteMinder Identity Asserter</name>
>           <enabled>true</enabled>
>       </provider>
>
>
> Following is the response from our team :
> ---
> So we don't use Header authentication here, we use Siteminder session
> validation, ie, when you log into Siteminder, a session cookie is set
> (called SMSESSION). This Federation provider will take that cookie and
> validate that it is a valid session. This is exactly what Larry describes
> as a Federation provider.
> ---
>
> I am still receiving the error
>
> 2016-06-03 12:43:47,685 ERROR hadoop.gateway
> (GatewayServlet.java:service(126)) - Gateway processing failed:
> javax.servlet.ServletException: java.lang.RuntimeException:
> java.lang.RuntimeException: PL00017: Configuration File missing:null
> javax.servlet.ServletException: java.lang.RuntimeException:
> java.lang.RuntimeException: PL00017: Configuration File missing:null
>        at org.apache.hadoop.gateway.GatewayFilter$Holder.getInstance(GatewayFilter.java:347)
>        at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:314)
>        at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:215)
>
> Apologies if these are very basic mistakes.
>
> Thanks
> Prasad
>
>
>
> From:        larry mccay <[email protected]>
> To:        [email protected]
> Date:        06/01/2016 04:31 PM
> Subject:        Re: KNOX SSO issues
> ------------------------------
>
>
> Hi Prasad -
>
> Let's step back so that some foundational things are more clear...
>
> Authentication and Federation providers are two of the same sort of
> provider. The distinction really has remained in behavior rather than
> anything else but I wanted to keep them separate in case they diverged at
> some point. Essentially, authentication providers enable Knox to collect
> credentials from the user for the purpose of authentication whereas
> Federation providers somehow validate/verify an authentication event that
> has already occurred.
>
> They are at the moment mutually exclusive.
>
> Identity assertion providers are used to determine the identity to be
> propagated to the Hadoop services via dispatch. These providers are related
> to authentication and federation providers but are not the same thing. An
> authenticated user identity may be mapped to another identity to be used
> inside the cluster with identity assertion providers. They may also add
> groups to the security context for the effective identity based on provider
> specific semantics and functionality.
>
> Now, back to your topology...
>
> You appear to have implemented a siteminder federation provider but have
> it configured along with the Shiro provider. I believe the second one is
> going to win and may be the source of your problem but not entirely sure.
>
> The other thing that I wonder is whether you mean to call it a siteminder
> identity assertion provider because you want to propagate the identity to a
> backend service via Knox in a SM_USER header. This might be a valid
> extension for Knox but would likely require a SMDispatch provider instead
> of identity assertion provider.
>
> If what you want to do is accept an SM_USER and/or SM_GROUPS header as a
> federation provider then you should look at the HeaderPreAuth federation
> provider [1] which does exactly that.
>
> Hope this is helpful.
>
> --larry
>
> 1. http://knox.apache.org/books/knox-0-9-0/user-guide.html#Preauthenticated+SSO+Provider
>
>
>
> On Wed, Jun 1, 2016 at 5:18 PM, Prasad R. Nuamatha <[email protected]> wrote:
> We have used the following document and my security team was able to
> create the identity asserter for site minder for federated authentication.
>
> https://cwiki.apache.org/confluence/display/KNOX/2015/12/18/Adding+a+Federation+Provider+to+Apache+Knox
>
>
> When I am trying to use it I get the following error where it complains
> that the configuration file is missing. I have attached the configuration
> file; if someone could please let me know where I am going wrong it will be
> greatly helpful.
>
>
> 2016-06-01 15:00:59,454 ERROR hadoop.gateway
> (GatewayServlet.java:service(126)) - Gateway processing failed:
> javax.servlet.ServletException:
> org.apache.shiro.subject.ExecutionException:
> java.security.PrivilegedActionException: javax.servlet.ServletException:
> java.lang.RuntimeException: java.lang.RuntimeException: PL00017:
> Configuration File missing:null
> javax.servlet.ServletException:
> org.apache.shiro.subject.ExecutionException:
> java.security.PrivilegedActionException: javax.servlet.ServletException:
> java.lang.RuntimeException: java.lang.RuntimeException: PL00017:
> Configuration File missing:null
>        at org.apache.shiro.web.servlet.AdviceFilter.cleanup(AdviceFilter.java:196)
>        at org.apache.shiro.web.filter.authc.AuthenticatingFilter.cleanup(AuthenticatingFilter.java:155)
>
> My configuration file
>
> <topology>
>
>    <gateway>
>
>        <provider>
>            <role>authentication</role>
>            <name>ShiroProvider</name>
>            <enabled>true</enabled>
>            <param>
>                <name>sessionTimeout</name>
>                <value>30</value>
>            </param>
>            <param>
>                <name>main.ldapRealm</name>
>                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
>            </param>
>            <param>
>                <name>main.ldapContextFactory</name>
>                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
>            </param>
>            <param>
>                <name>main.ldapRealm.contextFactory</name>
>                <value>$ldapContextFactory</value>
>            </param>
>            <param>
>                <name>main.ldapRealm.userDnTemplate</name>
>                <value>cn={0},ou=***,o=**</value>
>            </param>
>            <param>
>                <name>main.ldapRealm.contextFactory.url</name>
>                <value>ldap://***:389</value>
>            </param>
>            <param>
>                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
>                <value>simple</value>
>            </param>
>            <param>
>                <name>urls./**</name>
>                <value>authcBasic</value>
>            </param>
>        </provider>
>
>        <provider>
>            <role>federation</role>
>            <name>SiteMinder Identity Asserter</name>
>            <enabled>true</enabled>
>        </provider>
>
>
>
>
>
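
Added example, not part of the original thread and not Knox code: a small pre-deployment check for the condition described in the 06/01 reply, where authentication and federation providers are mutually exclusive and the first topology enables both. The function names are hypothetical, the sample topology is constructed from the one quoted above, and treating only an explicit `<enabled>true</enabled>` as enabled is an assumption.

```python
import xml.etree.ElementTree as ET

# Provider roles the thread describes as mutually exclusive within one topology.
EXCLUSIVE_ROLES = {"authentication", "federation"}

# Constructed sample, reduced from the topology quoted in the thread.
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
    </provider>
    <provider>
      <role>federation</role>
      <name>SiteMinder Identity Asserter</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
</topology>"""


def enabled_providers(topology_xml):
    """Return (role, name) for each provider explicitly enabled in the topology."""
    root = ET.fromstring(topology_xml)
    found = []
    for provider in root.findall("./gateway/provider"):
        # Assumption: only an explicit "true" counts as enabled.
        if (provider.findtext("enabled") or "").strip().lower() != "true":
            continue
        role = (provider.findtext("role") or "").strip()
        name = (provider.findtext("name") or "").strip()
        found.append((role, name))
    return found


def check_topology(topology_xml):
    """Return findings for conflicting providers; an empty list means none seen."""
    clashing = [(r, n) for r, n in enabled_providers(topology_xml)
                if r in EXCLUSIVE_ROLES]
    if len(clashing) > 1:
        listing = ", ".join(f"{n} ({r})" for r, n in clashing)
        return ["more than one authentication/federation provider enabled: " + listing]
    return []


if __name__ == "__main__":
    for finding in check_topology(SAMPLE_TOPOLOGY):
        print("FINDING:", finding)
```
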
