calcite-dev mailing list archives
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CALCITE-1922) Work around Jetty issue where Kerberos v5 OID is disallowed for SPNEGO authentication
Date Thu, 03 Aug 2017 21:30:00 GMT
Josh Elser created CALCITE-1922:
-----------------------------------

             Summary: Work around Jetty issue where Kerberos v5 OID is disallowed for SPNEGO authentication
                 Key: CALCITE-1922
                 URL: https://issues.apache.org/jira/browse/CALCITE-1922
             Project: Calcite
          Issue Type: Bug
          Components: avatica
            Reporter: Josh Elser
            Assignee: Josh Elser
             Fix For: avatica-1.11.0


This appears to be another Jetty bug around SPNEGO. Huge thank you to [~kishore1729] for his
help in debugging this issue. I could not have done it without his help.

Deploying the Avatica server behind a reverse-proxy, we observed that the server would deny
the authentication requests from the client (whereas the client talking directly to Avatica
was successful). Pardon the Phoenix classes instead of Avatica itself:

{noformat}
2017-08-03 19:09:29,440 WARN org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService:
GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept
        at sun.security.jgss.GSSCredentialImpl.getElement(GSSCredentialImpl.java:600)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:317)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:137)
        at org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
        at org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
        at org.apache.calcite.avatica.server.AvaticaSpnegoAuthenticator.validateRequest(AvaticaSpnegoAuthenticator.java:43)
        at org.apache.phoenix.shaded.org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:512)
        at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
        at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.apache.phoenix.shaded.org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.apache.phoenix.shaded.org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:748)
2017-08-03 19:09:29,441 DEBUG org.apache.calcite.avatica.server.AvaticaJsonHandler: HTTP request
from 10.0.0.63 is unauthenticated and authentication is required
{noformat}

Investigating this further, we found that Jetty's SpnegoLoginService was explicitly only allowing
an OID of 1.3.6.1.5.5.2 instead of allowing both 1.3.6.1.5.5.2 for SPNEGO and 1.2.840.113554.1.2.2
for Kerberos v5 (e.g. see Presto's SpnegoFilter class: https://github.com/prestodb/presto/blob/master/presto-main/src/main/java/com/facebook/presto/server/security/SpnegoFilter.java#L113-L114).
Best as I can tell, this is a limitation in Jetty to only allow the SPNEGO OID and not both.

We were able to observe that this wasn't a problem with the "stock" Avatica client that uses
commons-httpclient because it sends both the Kerberos v5 OID and SPNEGO OID (each with data,
of course).

We need to add a workaround to Avatica while we get this upstream in Jetty.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
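As an added illustration (not code from the Avatica, Jetty or Presto projects, and not the workaround the issue proposes): a small Python parser for the GSS-API InitialContextToken framing of RFC 2743 section 3.1, which is the outer wrapper a client sends in its `Authorization: Negotiate` header. Reading the mechanism OID out of that wrapper is what lets an acceptor, or a log-analysis script triaging failures like the `No credential found for: 1.2.840.113554.1.2.2` line above, tell a raw Kerberos v5 token from a SPNEGO one. The two OIDs are the ones named in the issue; the `SPNEGO_ONLY` and `SPNEGO_AND_KRB5` policies are hypothetical models of the behaviour described, and the sample tokens are constructed with placeholder inner payloads rather than real Kerberos or SPNEGO messages.

```python
"""Mechanism-OID inspection for GSS-API initial context tokens (RFC 2743, 3.1).

Added example, not Avatica or Jetty code. The sample tokens are constructed
placeholders; their inner payloads are not real Kerberos or SPNEGO messages.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"          # SPNEGO pseudo-mechanism
KRB5_OID = "1.2.840.113554.1.2.2"     # Kerberos v5

# Hypothetical acceptor policies: the SPNEGO-only behaviour the issue
# attributes to Jetty's SpnegoLoginService, versus accepting both OIDs.
SPNEGO_ONLY = frozenset({SPNEGO_OID})
SPNEGO_AND_KRB5 = frozenset({SPNEGO_OID, KRB5_OID})


def _der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_der_len(buf: bytes, pos: int) -> tuple:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or pos + 1 + count > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def encode_oid(dotted: str) -> bytes:
    """DER content octets for a dotted OID (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid; rejects a truncated final arc."""
    if not body:
        raise ValueError("empty OID")
    arcs = [body[0] // 40, body[0] % 40]
    value, pending = 0, False
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def build_initial_context_token(mech_oid: str, inner: bytes) -> bytes:
    """Wrap an inner token in the [APPLICATION 0] framing of RFC 2743 3.1."""
    oid_body = encode_oid(mech_oid)
    content = b"\x06" + _der_len(len(oid_body)) + oid_body + inner
    return b"\x60" + _der_len(len(content)) + content


def mech_oid_of_token(token: bytes) -> str:
    """Return the dotted mechanism OID named in an initial context token."""
    if len(token) < 2 or token[0] != 0x60:
        raise ValueError("not an InitialContextToken (missing APPLICATION 0 tag)")
    total, pos = _read_der_len(token, 1)
    if pos + total != len(token):
        raise ValueError("outer length does not match token size")
    if pos >= len(token) or token[pos] != 0x06:
        raise ValueError("expected OID tag after framing")
    oid_len, pos = _read_der_len(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("OID runs past end of token")
    return decode_oid(token[pos:pos + oid_len])


def negotiate_header(token: bytes) -> str:
    """Render a token as the value of an HTTP 'Authorization' header."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def mech_oid_of_negotiate_header(header: str) -> str:
    """Extract the mechanism OID from an 'Authorization: Negotiate <b64>' value."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme != "Negotiate" or not blob:
        raise ValueError("not a Negotiate authorization value")
    return mech_oid_of_token(base64.b64decode(blob))


def accepts(token: bytes, policy: frozenset) -> bool:
    """Would an acceptor limited to `policy` even attempt to accept this token?"""
    return mech_oid_of_token(token) in policy


# Constructed sample tokens; the inner bytes are placeholders, not real messages.
SAMPLE_KRB5 = build_initial_context_token(KRB5_OID, b"\x01\x00")
SAMPLE_SPNEGO = build_initial_context_token(SPNEGO_OID, b"\xa0\x00")

if __name__ == "__main__":
    for name, tok in (("krb5", SAMPLE_KRB5), ("spnego", SAMPLE_SPNEGO)):
        print(name, mech_oid_of_negotiate_header(negotiate_header(tok)),
              "spnego-only:", accepts(tok, SPNEGO_ONLY),
              "both:", accepts(tok, SPNEGO_AND_KRB5))
```

Run stand-alone it prints that the raw Kerberos v5 token is rejected under the SPNEGO-only policy and accepted under the two-OID policy, which is the mismatch the reporter saw between the reverse-proxied client and the commons-httpclient one. The parser only reads the outer framing; it does not validate the inner Kerberos or SPNEGO message, so it is a diagnostic aid rather than a replacement for the GSS acceptor.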
