knox-dev mailing list archives

From "Miguel Revetria (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KNOX-1853) Can't perform path-based authentication using ShiroProvider
Date Fri, 12 Apr 2019 20:44:00 GMT

    [ https://issues.apache.org/jira/browse/KNOX-1853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16816632#comment-16816632 ]

Miguel Revetria commented on KNOX-1853:
---------------------------------------

I'm wondering if at that point (where the exception is thrown) we can trust that `Shiro` has
validated the request, i.e. authenticated the user if the URL's path was configured to use
`authcBasic`. If so, I guess `ShiroProvider` can continue processing the request instead of
crashing.

I've tried this approach locally [^patch.patch] and it seems to work: I can navigate through
the Hadoop UI anonymously, and then when I tried to load a secured path (e.g. `/jobhistory/conf/job_1555073080493_0014`),
basic authentication is requested.

I'm attaching a patch with the changes.

> Can't perform path-based authentication using ShiroProvider
> -----------------------------------------------------------
>
>                 Key: KNOX-1853
>                 URL: https://issues.apache.org/jira/browse/KNOX-1853
>             Project: Apache Knox
>          Issue Type: Bug
>    Affects Versions: 1.2.0
>         Environment: Ubuntu 18.04
> Hadoop 2.8.5
> Knox 1.2.0
>            Reporter: Miguel Revetria
>            Priority: Major
>         Attachments: patch.patch
>
>
> `ShiroSubjectIdentityAdapter` is throwing `IllegalStateException` when `ShiroProvider` is configured to request authentication for some paths but not all of them and the first request is done to an unauthenticated path.
>  
> *Topology configuration:*
>  
> ```
> <topology>
>   <gateway>
>     <provider>
>       <role>authentication</role>
>       <name>ShiroProvider</name>
>       <enabled>true</enabled>
>       <param>
>         <name>sessionTimeout</name>
>         <value>1</value>
>       </param>
>       <param name="users.admin" value="admin-secret" />
>       <param>
>         <name>urls./jobhistory/conf/**</name>
>         <value>authcBasic</value>
>       </param>
>     </provider>
>     <provider>
>       <role>hostmap</role>
>       <name>static</name>
>       <enabled>true</enabled>
>       <param>
>         <name>localhost</name>
>         <value>sandbox,sandbox.hortonworks.com</value>
>       </param>
>     </provider>
>   </gateway>
>   <service>
>     <role>RESOURCEMANAGER</role>
>     <url>http://localhost:8088/ws</url>
>   </service>
>   <service>
>     <role>YARNUI</role>
>     <url>http://localhost:8088</url>
>   </service>
>   <service>
>     <role>NODEUI</role>
>     <url>http://localhost:8042</url>
>   </service>
>   <service>
>     <role>JOBHISTORYUI</role>
>     <url>http://localhost:19888</url>
>   </service>
> </topology>
> ```
>  
> Using the previous configuration, the following curl returns a 500 error:
> ```
> $ curl -Ik -X GET 'https://localhost:8443/gateway/sandbox/yarn'
> HTTP/1.1 500 Server Error
> Cache-Control: must-revalidate,no-cache,no-store
> Content-Type: text/html;charset=iso-8859-1
> Content-Length: 343
> Connection: close
> Server: Jetty(9.4.12.v20180830)
> ```
>  
> The error logged in `gateway.log` is:
>  
> ```
> 2019-04-12 11:36:43,054 ERROR knox.gateway (GatewayServlet.java:service(147)) - Gateway processing failed: javax.servlet.ServletException: Filtered request failed.
> javax.servlet.ServletException: Filtered request failed.
> 	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:384)
> 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> 	at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
> 	at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
> 	at org.apache.knox.gateway.filter.ResponseCookieFilter.doFilter(ResponseCookieFilter.java:50)
> 	at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
> 	at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
> 	at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
> 	at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
> 	at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
> 	at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
> 	at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
> 	at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:168)
> 	at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:91)
> 	at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:142)
> 	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:857)
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
> 	at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:215)
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
> 	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
> 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
> 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
> 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
> 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
> 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
> 	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> 	at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> 	at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:41)
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> 	at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:150)
> 	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> 	at org.eclipse.jetty.server.Server.handle(Server.java:503)
> 	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
> 	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
> 	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
> 	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
> 	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411)
> 	at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305)
> 	at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
> 	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
> 	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
> 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
> 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
> 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
> 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
> 	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
> 	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
> 	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
> 	at java.lang.Thread.run(Thread.java:748)
> Caused by: org.apache.shiro.subject.ExecutionException: java.lang.IllegalStateException: Unable to determine authenticated user from Shiro, please check that your Knox Shiro configuration is correct
> 	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:389)
> 	at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter.doFilter(ShiroSubjectIdentityAdapter.java:72)
> 	at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:369)
> 	at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:269)
> 	at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
> 	at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
> 	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
> 	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
> 	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
> 	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
> 	... 59 more
> Caused by: java.lang.IllegalStateException: Unable to determine authenticated user from Shiro, please check that your Knox Shiro configuration is correct
> 	at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:98)
> 	at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:75)
> 	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
> 	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
> 	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
> 	... 68 more
> ```
>  
> I'm looking for a way to let anonymous users navigate through some pages of the Hadoop Web UI while restricting access to certain pages (the job's configuration file), so that sensitive information is not available to everyone with access to the web console, which is currently hosted in AWS EMR and available via a VPN.
> Shiro seems to support anonymous users and path-based authentication, as pointed out in its docs, [here|https://shiro.apache.org/web.html#Web-webini].



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
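
The following is an added example, not part of the original message and not Knox or Shiro code: a small audit that reads the `urls.` parameters from the quoted topology and lists which request paths have no authenticating filter, which are the paths that reach `ShiroSubjectIdentityAdapter` without an authenticated user. It assumes paths are relative to the topology context (as in the comment's `/jobhistory/conf/...` example), uses a simplified Ant-style matcher with first-match-wins ordering as an approximation of Shiro's URL matching, and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the ShiroProvider block from the topology quoted above
# (the users.admin param is left out; it plays no part in URL matching).
TOPOLOGY = """<topology><gateway><provider>
  <role>authentication</role><name>ShiroProvider</name><enabled>true</enabled>
  <param><name>sessionTimeout</name><value>1</value></param>
  <param><name>urls./jobhistory/conf/**</name><value>authcBasic</value></param>
</provider></gateway></topology>"""

AUTHN_FILTERS = {"authc", "authcBasic"}  # Shiro default filters that force a login


def url_rules(topology_xml):
    """Return [(ant_pattern, filter_chain)] from ShiroProvider 'urls.' params, in file order."""
    rules = []
    for prov in ET.fromstring(topology_xml).iter("provider"):
        if prov.findtext("name") != "ShiroProvider":
            continue
        for p in prov.iter("param"):  # accept both <name>/<value> children and attributes
            name = p.findtext("name") or p.get("name") or ""
            value = p.findtext("value") or p.get("value") or ""
            if name.startswith("urls."):
                rules.append((name[len("urls."):], value.strip()))
    return rules


def ant_to_regex(pattern):
    """Simplified Ant matching: '**' spans segments, '*' stays in one segment, '?' is one char."""
    table = {"/**": "(?:/.*)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(/\*\*|\*\*|\*|\?)", pattern)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts))


def chain_for(path, rules):
    """First matching rule wins; None means no filter chain is configured for the path."""
    for pattern, chain in rules:
        if ant_to_regex(pattern).fullmatch(path):
            return chain
    return None


def unauthenticated_paths(paths, rules):
    """Paths served with no authenticating filter (no rule at all, or e.g. 'anon')."""
    def has_authn(chain):
        return any(f.strip().split("[")[0] in AUTHN_FILTERS for f in (chain or "").split(","))
    return [p for p in paths if not has_authn(chain_for(p, rules))]
```

Running `unauthenticated_paths` over the list of UI paths a deployment exposes gives the set that would be served anonymously once the adapter stops rejecting unauthenticated requests, so it can be reviewed before such a change is rolled out.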
