I have used kerberos rest template to access the job history server on kerberized hadoop but this code is throwing me an exception:
KerberosRestTemplate kerberosRestTemplate = new KerberosRestTemplate(properties.getProperty("userKeytabPath"),properties.getProperty("userprincipal")); System.out.println(kerberosRestTemplate.getForObject(jobhistoryurl, String.class));
Exception:
Exception in thread "main" org.springframework.web.client.RestClientException: Error running rest call; nested exception is org.springframework.web.client.HttpClientErrorException: 401 Authentication required
at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecute(KerberosRestTemplate.java:196)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:530)
at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:237)
at com.datametica.hiveconnection.hiveconnectioncheck.HivePortCheck.main(HivePortCheck.java:57)
Caused by: org.springframework.web.client.HttpClientErrorException: 401 Authentication required
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:614)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:570)
at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecuteSubject(KerberosRestTemplate.java:202)
at org.springframework.security.kerberos.client.KerberosRestTemplate.access$100(KerberosRestTemplate.java:67)
at org.springframework.security.kerberos.client.KerberosRestTemplate$1.run(KerberosRestTemplate.java:191)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecute(KerberosRestTemplate.java:187)
... 3 more
So is there any extra parameters that i have to pass in request headers to access kerberos secured apis?
Also before Accessing this api i have logged in a user via same user principal and keytab provided in kerberosRestTemplate Using UserGroupInformation class of hadoop security.
UserGroupInformation.loginUserFromKeytab(properties.getProperty("userprincipal"),properties.getProperty("userKeytabPath"));
I have check the current user logged in(via ugi of current user) before accessing job history and it is giving me that user is logged in and with kerberos authentication but i am still getting 401 status from job history server.
Related
I am new using AWS Cognito. I have a springboot application where I am using aws cognito as our authentication provider.
I have configured cognito and login works perfectly that return access token and id token. However when I am trying to validate that access token via cognito I am getting 400 IOException.
Caused by: java.io.IOException: Server returned HTTP response code: 400 for URL: https://cognito-idp.{region}.amazonaws.com/{poolid}/.well-known/jwks.json
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1997)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305)
at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:257)
at com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(RemoteJWKSet.java:305)
I think that in your URL you still have the template variables from the example you copied from (e.g. {region} and {poolid}. Those tokens need to be replaced with actual values from your cognito settings so the ultimate URL is, for example:
https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx/.well-known/jwks.json
The IOException is likely caused by the invalid URL.
I am migrating services from EI 6 to MI. These soap services are secured using username token. I have updated the policy with the new library:
<rampart:tokenStoreClass>org.wso2.micro.integrator.security.extensions.SecurityTokenStore</rampart:tokenStoreClass>
But I still get the following error when launching a request:
WARN {Loader} - org.wso2.carbon.security.util.SecurityTokenStore java.lang.ClassNotFoundException: org.wso2.carbon.security.util.SecurityTokenStore
Do I need to do some more updates in the proxy or policy, beside the described above?
Regards
Anybody already used GCP CredentialsControllerService and PublishGCPubSubLite processor from Apache Nifi?
I'm getting errors, and not found a concrete solution to Publish messages on Pub/Sub lite.
Note: GCP json keys are correct.
Caused by: com.google.api.gax.rpc.UnauthenticatedException: io.grpc.StatusRuntimeException: UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
#Yunnosch, Yeah, The solution i got is, add user_authorized key which contains the refresh token can make the connection between nifi and pubsublite.
"type": "authorized_user"
I have an access token with the necessary scope. I also successful access the resource server. The error occur when the resource server try to fetch the user Principal from the Authorization server. I really hope i can get some hints or help about how i can solve this
The access Token:
{"access_token":"65ce0f1a-192f-4ad2-b7bb-cb9c7cbf0be9","token_type":"bearer","refresh_token":"f1e2a49d-5b24-4e9c-b9da-567eb47d6ab7","expires_in":149,"scope":"read write trust"}
The resource server call:
curl -H "Authorization:Bearer 65ce0f1a-192f-4ad2-b7bb-cb9c7cbf0be9" http://localhost:9001/resource/hello
Resource server output after the call:
2016-10-10 10:10:06.144 INFO 411 --- [nio-9001-exec-5] o.s.b.a.s.o.r.UserInfoTokenServices : Getting user info from: http://localhost:9000/auth/user
The endpoint (localhost:9000/auth/user) get executed but i always get the following response to my curl request:
{"error":"insufficient_scope","error_description":"Insufficient scope for this resource","scope":"read"}
I resolved this by removing the user info uri from the resource server properties. Since I use a jdbc token store, the resource server can verify the authenticity of the token from the database and not relying on the auth server anymore.
I've downloaded the code from Spring's Get Started Guide - Accessing Twitter Data the https://spring.io/guides/gs/accessing-twitter/ .
I set up my credentials in application.properties and made no other changes. I run the app, and when it attempts to connect to Twitter, it fails with an exception on ConnectController line 240:
ResourceAccessException:
org.springframework.web.client.ResourceAccessException: I/O error on
POST request for "https://api.twitter.com/oauth/request_token":cannot
retry due to server authentication, in streaming mode; nested
exception is java.net.HttpRetryException: cannot retry due to server
authentication, in streaming mode
I have checked that the credentials are being read by the app. They are valid - I use them to connect with another application I've written with twitter4j, although in that case I use a Token and Token Secret in addition to the Consumer Key and Consumer Secret.
Any ideas?
Thanks
I had exactly the same issue as you : it happened because I did not set my callback URL in the twitter setting.
Just check in your twitter app settings that the callback field is set (I used the same URL as the website field).