datastax authorizer exception - cassandra

I'm getting an exception while trying to grant permissions for a created role.
Command:
GRANT ALL PERMISSIONS on KEYSPACE test_ks to ks_admin;
Error:
ServerError: java.lang.UnsupportedOperationException: GRANT operation is not supported by the DseAuthorizer if it is not enabled
Actions Performed:
I have updated the cassandra.yaml file to change the authorizer from default to "com.datastax.bdp.cassandra.auth.CassandraAuthorizer" but got an exception when I restarted the dse service.
Exception from system log:
An exception was caught and reported. Message: Unable to find authorizer class 'com.datastax.bdp.cassandra.auth.CassandraAuthorizer'
at com.datastax.bdp.DseModule.configure(Unknown Source)
Could someone please let me know what I'm missing here?

Try using the CassandraAuthorizer class from org.apache instead:
authorizer: org.apache.cassandra.auth.CassandraAuthorizer

shaded.databricks.org.apache.hadoop.fs.azure.AzureException: An exception while trying to list a directory after mounting

I am getting below exception,
shaded.databricks.org.apache.hadoop.fs.azure.AzureException: java.util.NoSuchElementException: An error occurred while enumerating the result, check the original exception for details
First I mounted the directory in dbfs like below,
dbutils.fs.mount(
    source = f"wasbs://{containerName}@{storageAccount}.blob.core.windows.net/",
    mount_point = "/mnt/a",
    extra_configs = {f"fs.azure.sas.{containerName}.{storageAccount}.blob.core.windows.net": sasKey}
)
then I did,
dbutils.fs.ls("/mnt/a")
I see below reason,
Caused by: java.util.NoSuchElementException: An error occurred while enumerating the result, check the original exception for details.
at hadoop_azure_shaded.com.microsoft.azure.storage.core.LazySegmentedIterator.hasNext(LazySegmentedIterator.java:113)
at shaded.databricks.org.apache.hadoop.fs.azure.StorageInterfaceImpl$WrappingIterator.hasNext(StorageInterfaceImpl.java:158)
at shaded.databricks.org.apache.hadoop.fs.azure.AzureNativeFileSystemStore.listInternal(AzureNativeFileSystemStore.java:2444)
... 41 more
Caused by: hadoop_azure_shaded.com.microsoft.azure.storage.StorageException: This request is not authorized to perform this operation using this permission.
at hadoop_azure_shaded.com.microsoft.azure.storage.StorageException.translateException(StorageException.java:87)
at hadoop_azure_shaded.com.microsoft.azure.storage.core.StorageRequest.materializeException(StorageRequest.java:305)
at hadoop_azure_shaded.com.microsoft.azure.storage.core.ExecutionEngine.executeWithRetry(ExecutionEngine.java:196)
at hadoop_azure_shaded.com.microsoft.azure.storage.core.LazySegmentedIterator.hasNext(LazySegmentedIterator.java:109)
Could someone please help me on this?
This happened due to a wrong SAS key configuration, which did not have all permissions for the container. The issue was resolved after providing the right SAS key with all permissions.
The real error is this: "This request is not authorized to perform this operation using this permission" - the most probable cause is that you don't have the "Blob Contributor" permission, which is different from the "Contributor" permission that is set when you create a storage account.
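
As an added illustration (not part of the original posts), a small Python check that reads the fields of a SAS token and reports why listing a mounted container would be refused. The function name `audit_sas`, the default required permissions `rl` (read and list), and the sample tokens are assumptions constructed for this example.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

def audit_sas(token, required="rl", now=None):
    """Return reasons this SAS token cannot list and read a mounted container."""
    now = now or datetime.now(timezone.utc)
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    problems = []

    # sp = signed permissions (r=read, l=list, w=write, d=delete, ...)
    granted = fields.get("sp", "")
    missing = "".join(p for p in required if p not in granted)
    if missing:
        problems.append(f"sp={granted} lacks {missing}")

    if "srt" in fields:
        # Account SAS: must cover the blob service and both the container
        # and object resource types.
        if "b" not in fields.get("ss", ""):
            problems.append("ss does not include the blob service (b)")
        for rtype in "co":
            if rtype not in fields["srt"]:
                problems.append(f"srt lacks resource type {rtype}")
    elif fields.get("sr") != "c":
        # Service SAS: listing blobs needs container scope, not a single blob.
        problems.append(f"sr={fields.get('sr')} is not container scope (c)")

    # se = signed expiry, an ISO 8601 UTC timestamp
    if "se" in fields:
        expiry = datetime.fromisoformat(fields["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append(f"expired at {fields['se']}")
    return problems

# Constructed sample tokens (signatures are placeholders, not real keys).
READ_ONLY = "?sv=2020-08-04&sr=c&sp=r&se=2099-01-01T00:00:00Z&sig=PLACEHOLDER"
READ_LIST = "?sv=2020-08-04&sr=c&sp=rl&se=2099-01-01T00:00:00Z&sig=PLACEHOLDER"
ACCOUNT_NO_CONTAINER = "?sv=2020-08-04&ss=b&srt=o&sp=rl&se=2099-01-01T00:00:00Z&sig=PLACEHOLDER"

if __name__ == "__main__":
    for name, tok in [("READ_ONLY", READ_ONLY), ("READ_LIST", READ_LIST),
                      ("ACCOUNT_NO_CONTAINER", ACCOUNT_NO_CONTAINER)]:
        print(name, audit_sas(tok) or "ok")
```

The check never prints or logs the `sig` field, so it can be run against a real token without exposing the signature.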

wildfly 25 JSF Security

I'm fully aware that wildfly 25 has dropped legacy security realms.
So I tried to move from wildfly 20.0.1 to wildfly 25.0.1.
According to the quickstart ee-security, I did
/subsystem=elytron/policy=jacc:add(jacc-policy={})
I also had to remove from my jboss-web.xml the value:
<security-domain>jaspitest</security-domain>
Otherwise I get:
{
"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.jaspitest"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.deployment.unit.\"unite_compte.war\".component.SocieteGestionSIXDAOImpl.CREATE is missing [jboss.security.security-domain.jaspitest]",
I also have my own IdentityStore.
When I try to access the site, the login page appears as expected. When I submit the credentials my IdentityStore is called and the validate(Credential) method returns a valid CredentialValidationResult.
Unfortunately, I get an exception:
17:05:14,710 WARNING [javax.enterprise.resource.webcontainer.jsf.lifecycle] (default task-3) #{loginView.submit}: java.lang.IllegalStateException: java.io.IOException: java.io.IOException: ELY01177: Authorization failed.: javax.faces.FacesException: #{loginView.submit}: java.lang.IllegalStateException: java.io.IOException: java.io.IOException: ELY01177: Authorization failed.
Caused by: java.io.IOException: ELY01177: Authorization failed.
at org.wildfly.security.jakarta.authentication@1.17.1.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.handleOne(JaspiAuthenticationContext.java:188)
at org.wildfly.security.jakarta.authentication@1.17.1.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.lambda$handle$0(JaspiAuthenticationContext.java:100)
at org.wildfly.security.jakarta.authentication@1.17.1.Final//org.wildfly.security.auth.jaspi.impl.SecurityActions.doPrivileged(SecurityActions.java:39)
at org.wildfly.security.jakarta.authentication@1.17.1.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.handle(JaspiAuthenticationContext.java:99)
What shall I do to make it work?
As the quickstart says, you have to update the WildFly configuration as well. Specifically, you have to run the configure-elytron.cli script of the quickstart.
More info: https://github.com/wildfly/quickstart/tree/main/ee-security#configure-the-server

Knox SSO integration with Keycloak error - Required Subject Missing

I am working on integrating Knox with Keycloak with OIDC, for the SSO and security functionalities in Hadoop Cluster.
I have configured everything, and now while accessing the Knox URL, it is redirecting to the Keycloak URL. After authenticating the user successfully in Keycloak, it redirects to the Knox URL (which is configured).
But once it redirects, I get the below error:
2020-11-11 08:13:48,098 ERROR knox.gateway (CommonIdentityAssertionFilter.java:doFilter(79)) - Required subject/identity not available. Check authentication/federation provider for proper configuration.
2020-11-11 08:13:48,100 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.lang.IllegalStateException: Required Subject Missing
2020-11-11 08:13:48,100 ERROR knox.gateway (GatewayFilter.java:doFilter(169)) - Gateway processing failed: javax.servlet.ServletException: java.lang.IllegalStateException: Required Subject Missing
javax.servlet.ServletException: java.lang.IllegalStateException: Required Subject Missing
at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:64)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:349)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:263)
at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:167)
at org.apache.knox.gateway.GatewayServlet.doFilter(GatewayServlet.java:158)
..........
Caused by: java.lang.IllegalStateException: Required Subject Missing
at org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:80)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:349)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:263)
at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:50)
at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
... 48 more
Any suggestions will be very much helpful.
Thanks
Jithesh

Liberty login error in trace log for wim model message - ClassCastException Entity and LoginAccount

I have configured Websphere Liberty to use LDAP to authenticate user. I have enabled security trace -
com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all:com.ibm.oauth.*=all:com.ibm.wsspi.security.oauth20.*=all:com.ibm.ws.transport.http.*=all:org.apache.http.client.*=all
I have following feature list enabled in WebSphere Liberty v17.0.0.3,
webProfile-7.0, javaMail-1.5, ldapRegistry-3.0 and localConnector-1.0.
However, secure content is failing with error HTTP 401 (Unauthenticated).
In trace file, I can see that LDAP is able to return logged in user data. But WebSphere Liberty is failing with error -
com.ibm.wsspi.security.wim.model.Entity incompatible with com.ibm.wsspi.security.wim.model.LoginAccount
java.lang.ClassCastException: com.ibm.wsspi.security.wim.model.Entity incompatible with com.ibm.wsspi.security.wim.model.LoginAccount
at com.ibm.ws.security.wim.registry.util.SecurityNameBridge.getUserSecurityName(SecurityNameBridge.java:203)
at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:316)
at com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule.getSecurityName(ServerCommonLoginModule.java:104)
Please help guide if this error is due to any configuration problem.
The problem was resolved after correcting the configuration of the registry used. I was using the LDAP registry and had specified the LDAP server type as Tivoli. This caused the Subject class returned from LDAP not to match the class expected in Liberty. Once I changed the LDAP service type to Custom, this error was resolved. Below is the tag for the LDAP registry I used in server.xml:
<ldapRegistry baseDN="ou=xxxxxxxx,o=xxxxxx" host="xxxxxxxxxxxxxxx" id="xxxxxxxxxxx" ldapType="Custom" port="636" realm="xx" recursiveSearch="true" sslEnabled="true" sslRef="sslrepo1">
<customFilters userFilter="(&amp;(mail=%v)(objectclass=ePerson))" userIdMap="*:mail"/>
</ldapRegistry>

Spark - Cosmos - connector problems

I am playing around with the Azure Spark-CosmosDB connector, which lets you access CosmosDB nodes directly from a Spark cluster for analytics using Jupyter on HDInsight.
I have been following the steps described here, including uploading the required jars to Azure storage and executing the %%configure magic to prepare the environment.
But it always seems to terminate due to an I/O exception when trying to open the jar (see yarn log below)
17/10/09 20:10:35 INFO ApplicationMaster: Final app status: FAILED, exitCode: 15, (reason: User class threw exception: java.io.IOException: Error accessing /mnt/resource/hadoop/yarn/local/usercache/livy/appcache/application_1507534135641_0014/container_1507534135641_0014_01_000001/azure-cosmosdb-spark-0.0.3-SNAPSHOT.jar)
17/10/09 20:10:35 ERROR ApplicationMaster: RECEIVED SIGNAL TERM
17/10/09 20:10:35 INFO ApplicationMaster: Unregistering ApplicationMaster with FAILED (diag message: User class threw exception: java.io.IOException: Error accessing /mnt/resource/hadoop/yarn/local/usercache/livy/appcache/application_1507534135641_0014/container_1507534135641_0014_01_000001/azure-cosmosdb-spark-0.0.3-SNAPSHOT.jar)
Not sure whether this is related to the jar not being copied to the worker nodes.
any idea? thanks, Nick
