
KnoxCLI system-user-auth-test and user-auth-test don't work with system password alias

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 0.10.0
    • Fix Version/s: 0.14.0
    • Component/s: KnoxCLI
    • Labels: None
    • Environment: centos6

      Description

      When a system password alias is used instead of a plain-text password in the Knox topology, the knoxcli system-user-auth-test and user-auth-test fail to authenticate.

      The issue can be reproduced easily by following these steps:

      Steps to reproduce:
      1. Specify these three properties in the topology (say sandbox.xml):

              <param>
                <name>main.ldapRealm.authorizationEnabled</name>
                <value>true</value>
              </param>
              <param>
                <name>main.ldapRealm.contextFactory.systemUsername</name>
                <value>uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</value>
              </param>
              <param>
                <name>main.ldapRealm.contextFactory.systemPassword</name>
                <value>${ALIAS=ldapsystempassword}</value>
              </param>
      

      2. Save and restart the Knox gateway service.
      3. Create the password alias:
      bin/knoxcli.sh create-alias ldapsystempassword --value 'admin-password' --cluster sandbox
      4. Both of the commands below fail:

      bin/knoxcli.sh system-user-auth-test --cluster sandbox --d
      org.apache.shiro.authc.AuthenticationException: LDAP authentication failed.
      [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=people,dc=hadoop,dc=apache,dc=org]
      org.apache.shiro.authc.AuthenticationException: LDAP authentication failed.
             	at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:300)
             	at org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.doGetAuthenticationInfo(KnoxLdapRealm.java:193)
             	at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
             	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
             	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
             	at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
             	at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
             	at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
             	at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
             	at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1069)
             	at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.testSysBind(KnoxCLI.java:1171)
             	at org.apache.hadoop.gateway.util.KnoxCLI$LDAPSysBindCommand.execute(KnoxCLI.java:1478)
             	at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:138)
             	at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
             	at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1675)
             	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
             	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
             	at java.lang.reflect.Method.invoke(Method.java:606)
             	at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
             	at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
             	at org.apache.hadoop.gateway.launcher.Command.run(Command.java:101)
             	at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
             	at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
      Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=people,dc=hadoop,dc=apache,dc=org]
             	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3088)
             	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3034)
             	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2836)
             	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2750)
             	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:317)
             	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
             	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
             	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
             	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
             	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
             	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
             	at javax.naming.InitialContext.init(InitialContext.java:242)
             	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
             	at org.apache.shiro.realm.ldap.JndiLdapContextFactory.createLdapContext(JndiLdapContextFactory.java:508)
             	at org.apache.shiro.realm.ldap.JndiLdapContextFactory.getLdapContext(JndiLdapContextFactory.java:495)
             	at org.apache.shiro.realm.ldap.JndiLdapRealm.queryForAuthenticationInfo(JndiLdapRealm.java:375)
             	at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:295)
             	... 23 more
      Unable to successfully bind to LDAP server with topology credentials. Are your parameters correct?
      

      user-auth-test:

      bin/knoxcli.sh user-auth-test --cluster sandbox --u guest --p guest-password --d --g
      org.apache.shiro.config.ConfigurationException: Unable to set property 'contextFactory.systemPassword' with value [S{ALIAS=ldapsystempassword}] on object of type org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.  If 'S{ALIAS=ldapsystempassword}' is a reference to another (previously defined) object, prefix it with '$' to indicate that the referenced object should be used as the actual value.  For example, $S{ALIAS=ldapsystempassword}
      org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand$BadSubjectException: Subject could not be created with Shiro Config at sections=main,urls
      org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand$BadSubjectException: Subject could not be created with Shiro Config at sections=main,urls
             	at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.getSubject(KnoxCLI.java:1242)
             	at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1067)
             	at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1104)
             	at org.apache.hadoop.gateway.util.KnoxCLI$LDAPAuthCommand.execute(KnoxCLI.java:1400)
             	at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:138)
             	at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
             	at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1675)
             	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
             	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
             	at java.lang.reflect.Method.invoke(Method.java:606)
             	at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
             	at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
             	at org.apache.hadoop.gateway.launcher.Command.run(Command.java:101)
             	at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
             	at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
      ERR: Unable to authenticate user: guest
      

        Activity

        pbeauvois Pierre Beauvois added a comment -

        Any update on this case? I can reproduce with Knox 0.13.0.

        vrathor-hw Vipin Rathor added a comment -

        I've been working on a patch for this issue. Root cause is: knoxcli doesn't use the ALIAS_SERVICE to translate the alias into the password. By following the implementation of KnoxLdapContextFactory::setSystemPassword(), I was able to work out the fix for system-user-auth-test. The user-auth-test is a bit tricky.

        Though the fix would be straightforward, there are multiple issues with the existing system-user-auth-test and user-auth-test implementations. I'm seeking suggestions on how I should go about these:
        1. The system-user-auth-test doesn't make use of topology config to get the complete shiro.ini. Instead it just creates a bare minimum shiro.ini and tries to authenticate the system user. There is no provision to handle the system password alias.
        2. The user-auth-test uses the topology config and correct shiro.ini. The call to KnoxLdapContextFactory::setSystemPassword() fails silently with NullPointerException due to GatewayServer.getGatewayServices() returning null. Later the getSubject() call fails while setting the contextFactory.systemPassword in the configuration.

        My questions are:
        1. The system-user-auth-test can replicate what KnoxLdapContextFactory::setSystemPassword() is doing by using the CLIGatewayServices(). Would that be the right thing to do?
        2. For user-auth-test, how could the GatewayServer.getGatewayServices() return the available services if they are not initialized?

        IMO both system-user-auth-test and user-auth-test should be able to translate the password alias by using KnoxLdapContextFactory::setSystemPassword() without having to follow any shortcut.

        Opinion / suggestions?

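An added example (not Knox's own code) that models the resolution step the comment above says knoxcli skips: a `${ALIAS=name}` topology value must be looked up in the cluster's credential store before it reaches the Shiro config, and an unavailable alias service or unknown alias must fail loudly instead of letting the unresolved reference through as the literal bind password. The `alias_store` mapping, `resolve_param`, `preflight_alias_check` and `build_shiro_main` are hypothetical names; the sample parameters are the three from this issue and the store contents are constructed.

```python
import re
from typing import Dict, List, Mapping, Optional

# Matches exactly one alias reference of the form used in Knox topologies.
ALIAS_RE = re.compile(r"^\$\{ALIAS=([A-Za-z0-9_.\-]+)\}$")


class AliasResolutionError(Exception):
    """Raised instead of silently passing an unresolved alias on as a password."""


def resolve_param(value: str, cluster: str,
                  alias_store: Optional[Mapping[str, Mapping[str, str]]]) -> str:
    """Return the literal value, or the secret behind a ${ALIAS=name} reference.

    alias_store maps cluster -> {alias -> secret}. None models the CLI case
    from the comment, where no alias service is available at all.
    """
    m = ALIAS_RE.match(value.strip())
    if not m:
        return value  # plain-text value, passed through unchanged
    alias = m.group(1)
    if alias_store is None:
        raise AliasResolutionError(
            f"alias service unavailable; cannot resolve '{alias}' for cluster '{cluster}'")
    secret = alias_store.get(cluster, {}).get(alias)
    if secret is None:
        raise AliasResolutionError(
            f"alias '{alias}' not found in credential store for cluster '{cluster}'")
    return secret


def preflight_alias_check(params: Mapping[str, str], cluster: str,
                          alias_store: Optional[Mapping[str, Mapping[str, str]]]) -> List[str]:
    """List every parameter whose alias cannot be resolved; empty means safe to bind."""
    problems = []
    for name, value in params.items():
        try:
            resolve_param(value, cluster, alias_store)
        except AliasResolutionError as exc:
            problems.append(f"{name}: {exc}")
    return problems


def build_shiro_main(params: Mapping[str, str], cluster: str,
                     alias_store: Optional[Mapping[str, Mapping[str, str]]]) -> List[str]:
    """Render 'main.*' topology params as [main] lines with aliases already resolved,
    so Shiro never sees a '${...}' value and tries to interpret it as an object reference."""
    return [f"{name[len('main.'):]} = {resolve_param(value, cluster, alias_store)}"
            for name, value in params.items() if name.startswith("main.")]


# Constructed sample: the three params from the issue and a constructed credential store.
TOPOLOGY_PARAMS: Dict[str, str] = {
    "main.ldapRealm.authorizationEnabled": "true",
    "main.ldapRealm.contextFactory.systemUsername": "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org",
    "main.ldapRealm.contextFactory.systemPassword": "${ALIAS=ldapsystempassword}",
}
CREDENTIAL_STORE: Dict[str, Dict[str, str]] = {"sandbox": {"ldapsystempassword": "admin-password"}}
```

Running `preflight_alias_check(TOPOLOGY_PARAMS, "sandbox", None)` reproduces the failure mode of the CLI: the password parameter is reported as unresolvable before any LDAP bind is attempted.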

          People

          • Assignee: Unassigned
          • Reporter: vrathor-hw Vipin Rathor
          • Votes: 1
          • Watchers: 3