  1. Oozie
  2. OOZIE-2427

[Kerberos] Authentication failure for the javascript resources under /ext-2.2

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.2.0
    • Fix Version/s: 5.1.0
    • Component/s: security
    • Labels:
      None

      Description

      With Kerberos authentication enabled, the Oozie console failed to load due to an authentication failure for the JavaScript resources under /ext-2.2. Going back to the Oozie log, the following error messages were found:

      21 05:50:42,771 DEBUG AuthenticationFilter:529 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] user [knox] authenticated
      2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
      2015-12-21 05:50:42,772 DEBUG AuthenticationFilter:517 - SERVER[**] Request [http://**:11000/oozie/ext-2.2/examples/grid/RowExpander.js?doAs=sam] triggering authentication
      2015-12-21 05:50:42,774 DEBUG AuthenticationFilter:564 - SERVER[**] Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
      org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
          at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398)
          at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)  
      

      Based on the analysis, the issue should be related to the JIRA HADOOP-8830: org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing Kerberos replay errors.

      1. Oozie currently leverages Hadoop for authentication.
      2. Based on the resource difference, it defines the filter for the authentication, but some resources, such as some JS files under ext-2.2, are always authenticated twice. The reason is that Oozie has the following filter definition:
        <filter-mapping>
            <filter-name>authenticationfilter</filter-name>
            <url-pattern>*.js</url-pattern>
        </filter-mapping>
        <filter-mapping>
            <filter-name>authenticationfilter</filter-name>
            <url-pattern>/ext-2.2/*</url-pattern>
        </filter-mapping>
        

        With the issue in HADOOP-8830, the final authentication fails, so we finally get a 403 error in the browser (which directly causes the console to be disabled).

      3. For 2), it just hits the issue in JIRA HADOOP-8830; if Oozie's debug mode is enabled, the logs clearly show that.
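
      One way to check a web.xml for the overlap described in item 2, as an added example that is not part of the original report or of OOZIE-2427.patch: it reports request paths that match more than one url-pattern for the same filter. The function names and the `<web-app>` wrapper are assumptions, and the path is taken relative to the `/oozie` context root.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the two mappings quoted in the issue, wrapped in a
# minimal <web-app> element so the snippet parses on its own.
WEB_XML = """<web-app>
  <filter-mapping>
    <filter-name>authenticationfilter</filter-name>
    <url-pattern>*.js</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>authenticationfilter</filter-name>
    <url-pattern>/ext-2.2/*</url-pattern>
  </filter-mapping>
</web-app>"""


def _local(tag):
    """Drop an XML namespace prefix such as '{http://...}filter-mapping'."""
    return tag.rsplit("}", 1)[-1]


def pattern_matches(pattern, path):
    """Servlet url-pattern rules: path prefix, extension, otherwise exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path


def repeated_filter_hits(web_xml, request_path):
    """Return {filter-name: [patterns]} for filters matched more than once."""
    path = request_path.split("?", 1)[0]  # query string is not part of matching
    hits = defaultdict(list)
    for node in ET.fromstring(web_xml).iter():
        if _local(node.tag) != "filter-mapping":
            continue
        fields = [(_local(c.tag), (c.text or "").strip()) for c in node]
        name = next((v for t, v in fields if t == "filter-name"), None)
        for tag, value in fields:
            if tag == "url-pattern" and pattern_matches(value, path):
                hits[name].append(value)
    return {n: p for n, p in hits.items() if len(p) > 1}


if __name__ == "__main__":
    print(repeated_filter_hits(WEB_XML, "/ext-2.2/examples/grid/RowExpander.js?doAs=sam"))
```

      An empty result for a path means no filter is mapped to it more than once.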

        Attachments

        1. OOZIE-2427.patch
          0.5 kB
          Gao Zhong Liang

            People

            • Assignee:
              lianggz Gao Zhong Liang
              Reporter:
              lianggz Gao Zhong Liang