Okay - the source lines line up in the 0.6.0 branch fine and as I suspected the RuntimeException seems to be coming from the filter which I assume is your custom one. Would you like to show me that code? Sounds like it would be a nice contribution actually but I can just take a look at it for you too.
Just follow the init() method path and see where it is throwing that exception.

On Wed, Jun 8, 2016 at 6:17 PM, Prasad R. Nuamatha <[email protected]> wrote:

> We are using Knox 0.6.0. Originally we were part of HDP 2.2 where knox 0.6 ships with it and we were using LDAP features only, but for SSO we had to compile our own so we continued with that source code only.
>
> Thanks
> Prasad
>
> From: larry mccay <[email protected]>
> To: [email protected]
> Date: 06/08/2016 05:02 PM
> Subject: Re: KNOX SSO issues
> ------------------------------
> This email originated from outside of the company. Please use discretion if opening attachments or clicking on links.
> ------------------------------
>
> Hi Prasad -
>
> I have tried grepping the Knox code for that "Configuration File missing" message and don't see anything.
> Is that a string in your custom provider?
>
> Also, what version of Knox are you using? The line numbers in the stack trace do not line up with master or 0.9.0.
>
> It does seem to look like it is calling the init method on the provider's filter implementation though.
>
> thanks,
>
> --larry
>
> On Wed, Jun 8, 2016 at 5:33 PM, Prasad R. Nuamatha <[email protected]> wrote:
> Any insight into the following error ?
>
> Thanks
> Prasad
>
> From: "Prasad R. Nuamatha" <[email protected]>
> To: [email protected]
> Date: 06/03/2016 12:49 PM
> Subject: Re: KNOX SSO issues
>
> Hi Larry,
> We wanted to use federation authentication. So I went ahead and commented out the shiro provider and just enabled the site minder that was provided by my security team.
>
>     <provider>
>         <role>federation</role>
>         <name>SiteMinder Identity Asserter</name>
>         <enabled>true</enabled>
>     </provider>
>
> Following is the response from our team :
> ---
> So we don't use Header authentication here, we use Siteminder session validation, ie, when you log into Siteminder, a session cookie is set (called SMSESSION). This Federation provider will take that cookie and validate that it is a valid session. This is exactly what Larry describes as a Federation provider.
> ---
>
> I am still receiving the error
>
> 2016-06-03 12:43:47,685 ERROR hadoop.gateway (GatewayServlet.java:service(126)) - Gateway processing failed: javax.servlet.ServletException: java.lang.RuntimeException: java.lang.RuntimeException: PL00017: Configuration File missing:null
> javax.servlet.ServletException: java.lang.RuntimeException: java.lang.RuntimeException: PL00017: Configuration File missing:null
>     at org.apache.hadoop.gateway.GatewayFilter$Holder.getInstance(GatewayFilter.java:347)
>     at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:314)
>     at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:215)
>
> Apologies if these are very basic mistakes.
>
> Thanks
> Prasad
>
> From: larry mccay <[email protected]>
> To: [email protected]
> Date: 06/01/2016 04:31 PM
> Subject: Re: KNOX SSO issues
>
> Hi Prasad -
>
> Let's step back so that some foundational things are more clear...
>
> Authentication and Federation providers are two of the same sort of provider. The distinction really has remained in behavior rather than anything else but I wanted to keep them separate in case they diverged at some point. Essentially, authentication providers enable Knox to collect credentials from the user for the purpose of authentication whereas Federation providers somehow validate/verify an authentication event that has already occurred.
>
> They are at the moment mutually exclusive.
>
> Identity assertion providers are used to determine the identity to be propagated to the Hadoop services via dispatch. These providers are related to authentication and federation providers but are not the same thing. An authenticated user identity may be mapped to another identity to be used inside the cluster with identity assertion providers. They may also add groups to the security context for the effective identity based on provider specific semantics and functionality.
>
> Now, back to your topology...
>
> You appear to have implemented a siteminder federation provider but have it configured along with the Shiro provider. I believe the second one is going to win and may be the source of your problem but not entirely sure.
>
> The other thing that I wonder is whether you mean to call it a siteminder identity assertion provider because you want to propagate the identity to a backend service via Knox in a SM_USER header. This might be a valid extension for Knox but would likely require a SMDispatch provider instead of identity assertion provider.
>
> If what you want to do is accept an SM_USER and/or SM_GROUPS header as a federation provider then you should look at the HeaderPreAuth federation provider [1] which does exactly that.
>
> Hope this is helpful.
>
> --larry
>
> 1. http://knox.apache.org/books/knox-0-9-0/user-guide.html#Preauthenticated+SSO+Provider
>
> On Wed, Jun 1, 2016 at 5:18 PM, Prasad R. Nuamatha <[email protected]> wrote:
> We have used the following document and my security team was able to create the identity asserter for site minder for federated authentication.
>
> https://cwiki.apache.org/confluence/display/KNOX/2015/12/18/Adding+a+Federation+Provider+to+Apache+Knox
>
> When I am trying to use it I get the following error where it complains the configuration file missing. I have attached the configuration file, if someone could please let me know where I am going wrong it will be greatly helpful.
>
> 2016-06-01 15:00:59,454 ERROR hadoop.gateway (GatewayServlet.java:service(126)) - Gateway processing failed: javax.servlet.ServletException: org.apache.shiro.subject.ExecutionException: java.security.PrivilegedActionException: javax.servlet.ServletException: java.lang.RuntimeException: java.lang.RuntimeException: PL00017: Configuration File missing:null
> javax.servlet.ServletException: org.apache.shiro.subject.ExecutionException: java.security.PrivilegedActionException: javax.servlet.ServletException: java.lang.RuntimeException: java.lang.RuntimeException: PL00017: Configuration File missing:null
>     at org.apache.shiro.web.servlet.AdviceFilter.cleanup(AdviceFilter.java:196)
>     at org.apache.shiro.web.filter.authc.AuthenticatingFilter.cleanup(AuthenticatingFilter.java:155)
>
> My configuration file
>
> <topology>
>
>     <gateway>
>
>         <provider>
>             <role>authentication</role>
>             <name>ShiroProvider</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>sessionTimeout</name>
>                 <value>30</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm</name>
>                 <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
>             </param>
>             <param>
>                 <name>main.ldapContextFactory</name>
>                 <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.contextFactory</name>
>                 <value>$ldapContextFactory</value>
>             </param>
>
>             <param>
>                 <name>main.ldapRealm.userDnTemplate</name>
>                 <value>cn={0},ou=***,o=**</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.contextFactory.url</name>
>                 <value>ldap://***:389</value>
>             </param>
>
>             <param>
>                 <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
>                 <value>simple</value>
>             </param>
>
>             <param>
>                 <name>urls./**</name>
>                 <value>authcBasic</value>
>             </param>
>
>         </provider>
>
>         <provider>
>             <role>federation</role>
>             <name>SiteMinder Identity Asserter</name>
>             <enabled>true</enabled>
>         </provider>
>
> **
>
> This email and any attachments may contain information that is confidential and/or privileged for the sole use of the intended recipient. Any use, review, disclosure, copying, distribution or reliance by others, and any forwarding of this email or its contents, without the express permission of the sender is strictly prohibited by law. If you are not the intended recipient, please contact the sender immediately, delete the e-mail and destroy all copies.
>
> **
