Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Fail to access spnego enabled service

Fail to access spnego enabled service

Expert Contributor

I have a service which is spnego enabled service. And I want to access this service using rest api.

But I got the following exception in the client side.

16/03/08 02:19:37 DEBUG client.KerberosAuthenticator: Using fallback authenticator sequence.
org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, status: 405, message: Method Not Allowed
at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:274)
at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:77)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:214)
at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:215)
at WhoClient.main(WhoClient.java:19)
ERROR: Authentication failed, status: 405, message: Method Not Allowed

And here's exception in server side which indicate that the authentication is successful. I don't know why the server side says the auentication is successful but the client still fails.

16/03/08 02:19:37 DEBUG AuthenticationFilter: Request [http://sandbox.hortonworks.com:8998/sessions] triggering authentication
16/03/08 02:19:37 DEBUG AuthenticationFilter: Request [http://sandbox.hortonworks.com:8998/sessions] triggering authentication
16/03/08 02:19:37 DEBUG AuthenticationFilter: Request [http://sandbox.hortonworks.com:8998/sessions] user [livy] authenticated
16/03/08 02:19:37 DEBUG AuthenticationFilter: Request [http://sandbox.hortonworks.com:8998/sessions?user.name=root] triggering authentication
16/03/08 02:19:37 DEBUG AuthenticationFilter: Request [http://sandbox.hortonworks.com:8998/sessions?user.name=root] triggering authentication
16/03/08 02:19:37 DEBUG AuthenticationFilter: Request [http://sandbox.hortonworks.com:8998/sessions?user.name=root] user [livy] authenticated
5 REPLIES 5
Highlighted

Re: Fail to access spnego enabled service

@jzhang Can you please provide some more details about which service you are using and what was your exact URL for accessing service ?

Highlighted

Re: Fail to access spnego enabled service

Expert Contributor

@Shishir Saxena It is livy which is not standard HDP component. But it also use AuthenticationFilter, do you think it would be server side issue ?

Highlighted

Re: Fail to access spnego enabled service

I don't see anything in the hadoop-auth code that would result in an HTTP 405 Method Not Allowed. What HTTP method are you attempting. Seems like the request is making it past the Hadoop AuthenticationFilter and then failing after that.

Highlighted

Re: Fail to access spnego enabled service

Expert Contributor

I think the server side is configured correctly, here's code of server side which use embedded jetty

val holder = new FilterHolder(new AuthenticationFilter())
holder.setInitParameter(AuthenticationFilter.AUTH_TYPE, authType)
holder.setInitParameter(KerberosAuthenticationHandler.PRINCIPAL, principal)
holder.setInitParameter(KerberosAuthenticationHandler.KEYTAB, keytab)
holder.setInitParameter(KerberosAuthenticationHandler.NAME_RULES,
  livyConf.get(KERBEROS_NAME_RULES))
server.context.addFilter(holder, "/*", EnumSet.allOf(classOf[DispatcherType]))
Highlighted

Re: Fail to access spnego enabled service

What I think is happening is that the auth code is sending an OPTIONS request ... its what's done as its the low-cost, ready only call. A lot of jetty servlets/endpoints forbid OPTIONS as "good hygiene" —nobody normally uses it, so to check a box on "REST API security" it's turned off.

Don't have an account?
Coming from Hortonworks? Activate your account here