You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Daryn Sharp (Created) (JIRA)" <ji...@apache.org> on 2011/11/23 18:21:41 UTC
[jira] [Created] (HADOOP-7853) multiple javax security
configurations cause conflicts
multiple javax security configurations cause conflicts
------------------------------------------------------
Key: HADOOP-7853
URL: https://issues.apache.org/jira/browse/HADOOP-7853
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 0.20.205.1
Reporter: Daryn Sharp
Assignee: Daryn Sharp
Priority: Blocker
Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160169#comment-13160169 ]
Alejandro Abdelnur commented on HADOOP-7853:
--------------------------------------------
+1, applied and run the affected testcases on trunk. We need to commit this to branch-0.23 and trunk. Thanks Daryn.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155982#comment-13155982 ]
Daryn Sharp commented on HADOOP-7853:
-------------------------------------
Kihwal Lee also deserves credit for helping track down this very elusive problem.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Matt Foley (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Foley updated HADOOP-7853:
-------------------------------
Target Version/s: 0.23.1, 1.0.0 (was: 1.0.0)
Fix Version/s: 1.0.0
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160131#comment-13160131 ]
Daryn Sharp commented on HADOOP-7853:
-------------------------------------
I appear to be getting "blamed" for pre-existing javadoc warnings... They occur in files that didn't I touch, or squawks about sun apis that I didn't add.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160883#comment-13160883 ]
Hudson commented on HADOOP-7853:
--------------------------------
Integrated in Hadoop-Hdfs-trunk #881 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk/881/])
HADOOP-7853. multiple javax security configurations cause conflicts. (daryn via tucu)
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1208751
Files :
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 0.24.0, 0.23.1, 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155977#comment-13155977 ]
Daryn Sharp commented on HADOOP-7853:
-------------------------------------
This was really "fun" to debug since it appears in specific cases.
The problem will cripple the JT's ability to accept incoming connections. The JT will login and acquire a kerberos ticket on startup. When the ticket is about to expire, the JT will logout & re-login to obtain a new ticket. If the SPNEGO class has been loaded, the JT will logout and appear to re-login successfully. Unfortunately the UGI's Subject will only contain unix credentials, but no kerberos ticket. This is due to SPNEGO optionally requiring kerberos and not including the crucial HadoopLoginModule.
SPNEGO is unexpectedly loaded even if webhdfs is disabled. What happens is that the token renewer service typically does not have to traverse into the webhdfs class to find a renewer. We detected the problem when Oozie submitted a job with a hive token with a job. The service loader walked all the renewer classes. When webhdfs was loaded it triggered the loading of SPNEGO which stomped the security configuration. At this point the JT refuses incoming connections.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156233#comment-13156233 ]
Alejandro Abdelnur commented on HADOOP-7853:
--------------------------------------------
BTW, Nice hunting job.
And we need a patch for trunk and 0.23 for this.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1, 0.23.0, 0.24.0, 0.23.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Aaron T. Myers (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159724#comment-13159724 ]
Aaron T. Myers commented on HADOOP-7853:
----------------------------------------
The patch looks good to me, except that "privilege" is spelled incorrectly in "{{logPriviledgedAction}}".
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160549#comment-13160549 ]
Hudson commented on HADOOP-7853:
--------------------------------
Integrated in Hadoop-Mapreduce-0.23-Build #110 (See [https://builds.apache.org/job/Hadoop-Mapreduce-0.23-Build/110/])
Merge -r 1208750:1208751 from trunk to branch. FIXES: HADOOP-7853
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1208755
Files :
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 0.24.0, 0.23.1, 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daryn Sharp updated HADOOP-7853:
--------------------------------
Status: Patch Available (was: Open)
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159736#comment-13159736 ]
Alejandro Abdelnur commented on HADOOP-7853:
--------------------------------------------
and the *setupMockJassParent()* method should do something like:
{code}
private static void setupMockJaasParent() {
javax.security.auth.login.Configuration existing = null;
try {
existing =javax.security.auth.login.Configuration.getConfiguration();
assertFalse("setupMockJaasParent should run before the Hadoop " +
"configuration provider is installed.",
existing.getClass().getCanonicalName()
.startsWith("org.apache.hadoop") && ! existing.getClass().getCanonicalName()
.endsWith("DummyLoginConfiguration"));
} catch (SecurityException se) {
// We get this if no configuration has been set. So it's OK.
}
mockJaasConf = mock(javax.security.auth.login.Configuration.class);
Mockito.doReturn(new AppConfigurationEntry[] {})
.when(mockJaasConf)
.getAppConfigurationEntry("foobar-app");
javax.security.auth.login.Configuration.setConfiguration(mockJaasConf);
}
{code}
Although, I'd question the need for the *testDelegateJaasConfiguration()* method. And If you agree, then all this mock thingy goes.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156231#comment-13156231 ]
Alejandro Abdelnur commented on HADOOP-7853:
--------------------------------------------
Using instance Kerberos configuration makes sense.
What I'm failing to understand is why a submission to Oozie made JT to fail?
Also, in the UGI, the Hadoop kerberos configuration has renewTGT set to true, why does UGI then need to have a thread for renewal (in spawnAutoRenewalThreadForUserCreds method)? Why even has to use kinit? What am I missing here?
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Alejandro Abdelnur (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alejandro Abdelnur updated HADOOP-7853:
---------------------------------------
Affects Version/s: 0.23.1
0.24.0
0.23.0
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1, 0.23.0, 0.24.0, 0.23.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160098#comment-13160098 ]
Daryn Sharp commented on HADOOP-7853:
-------------------------------------
I wasn't sure if the {{testDelegateJaasConfiguration()}} and mocking is necessary, so I left it in. After thinking about it further this morning, I agree with removal since the whole point of these tests is to ensure that UGI does not use the global config. The tests with mocked objects verified that UGI was chaining the global configs, but that implementation is removed by this patch.
Since I'll remove those tests, I don't think {{@Before}} and {{@After}} are necessary?
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159430#comment-13159430 ]
Alejandro Abdelnur commented on HADOOP-7853:
--------------------------------------------
Daryn, would be possible to prepare a patch for trunk? Thanks.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160874#comment-13160874 ]
Hudson commented on HADOOP-7853:
--------------------------------
Integrated in Hadoop-Hdfs-HAbranch-build #2 (See [https://builds.apache.org/job/Hadoop-Hdfs-HAbranch-build/2/])
Merge -r 1208750:1208751 from trunk to branch. FIXES: HADOOP-7853
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1208755
Files :
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 0.24.0, 0.23.1, 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Alejandro Abdelnur (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alejandro Abdelnur updated HADOOP-7853:
---------------------------------------
Resolution: Fixed
Fix Version/s: 0.23.1
0.24.0
Target Version/s: 0.23.1, 1.0.0 (was: 1.0.0, 0.23.1)
Hadoop Flags: Reviewed
Status: Resolved (was: Patch Available)
Committed to trunk & branch-0.23. Thanks Daryn
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 0.24.0, 0.23.1, 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159449#comment-13159449 ]
Daryn Sharp commented on HADOOP-7853:
-------------------------------------
Certainly, I was planning to start after lunch.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hadoop QA (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159385#comment-13159385 ]
Hadoop QA commented on HADOOP-7853:
-----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12505500/HADOOP-7853-testfix-branch-1.0.0.patch
against trunk revision .
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 6 new or modified tests.
-1 patch. The patch command could not apply the patch.
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/411//console
This message is automatically generated.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160320#comment-13160320 ]
Hudson commented on HADOOP-7853:
--------------------------------
Integrated in Hadoop-Common-0.23-Commit #235 (See [https://builds.apache.org/job/Hadoop-Common-0.23-Commit/235/])
Merge -r 1208750:1208751 from trunk to branch. FIXES: HADOOP-7853
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1208755
Files :
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 0.24.0, 0.23.1, 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160325#comment-13160325 ]
Hudson commented on HADOOP-7853:
--------------------------------
Integrated in Hadoop-Mapreduce-trunk-Commit #1369 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/1369/])
HADOOP-7853. multiple javax security configurations cause conflicts. (daryn via tucu)
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1208751
Files :
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 0.24.0, 0.23.1, 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159595#comment-13159595 ]
Daryn Sharp commented on HADOOP-7853:
-------------------------------------
Todd, please check that this patch doesn't defeat HADOOP-7070. The chained JAAS configs appeared to be an alternate method to prevent stomping of the global config.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daryn Sharp updated HADOOP-7853:
--------------------------------
Attachment: HADOOP-7853.patch
UGI and SPNEGO will now instantiate a LoginContext that explicitly uses their respective security configurations. Even if another class sets the global security conf, UGI and SPNEGO will not be affected.
Extra log debugs are included that were invaluable in tracking down this silent problem.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hadoop QA (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156019#comment-13156019 ]
Hadoop QA commented on HADOOP-7853:
-----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12504901/HADOOP-7853-1.patch
against trunk revision .
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 3 new or modified tests.
-1 patch. The patch command could not apply the patch.
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/398//console
This message is automatically generated.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Jitendra Nath Pandey (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13157431#comment-13157431 ]
Jitendra Nath Pandey commented on HADOOP-7853:
----------------------------------------------
Committed to 206 and 205.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1, 0.23.0, 0.24.0, 0.23.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160913#comment-13160913 ]
Hudson commented on HADOOP-7853:
--------------------------------
Integrated in Hadoop-Mapreduce-trunk #914 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk/914/])
HADOOP-7853. multiple javax security configurations cause conflicts. (daryn via tucu)
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1208751
Files :
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 0.24.0, 0.23.1, 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Jitendra Nath Pandey (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156257#comment-13156257 ]
Jitendra Nath Pandey commented on HADOOP-7853:
----------------------------------------------
I agree to the approach taken in the patch. Some comments
1) Please wrap the LOG.debug statements with isLogDebugEnabled.
2) Indentation of logPriviledgedAction.
3) Change to SecurityUtil.java doesn't seem required.
4) DummyLoginConfiguration is a good idea. Please clarify in the comment that it is there to ensure that statically configured one is not used.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1, 0.23.0, 0.24.0, 0.23.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daryn Sharp updated HADOOP-7853:
--------------------------------
Attachment: HADOOP-7853-1.patch
patch failed to apply because path for the unit test included the parent dir. removed it.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159733#comment-13159733 ]
Alejandro Abdelnur commented on HADOOP-7853:
--------------------------------------------
The *testDelegateJaasConfiguration()* method sets a global context other than the dummy one (which is been set once once with @BeforeClass), if the test run in different order this may create error situations.
The setup of dummy should be done @Before and @After each testcase to avoid this.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Kihwal Lee (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kihwal Lee updated HADOOP-7853:
-------------------------------
Attachment: HADOOP-7853-testfix-branch-1.0.0.patch
The original patch breaks six test cases. I am attaching a patch that fixes the tests.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160310#comment-13160310 ]
Hudson commented on HADOOP-7853:
--------------------------------
Integrated in Hadoop-Hdfs-trunk-Commit #1419 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/1419/])
HADOOP-7853. multiple javax security configurations cause conflicts. (daryn via tucu)
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1208751
Files :
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hadoop QA (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159603#comment-13159603 ]
Hadoop QA commented on HADOOP-7853:
-----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12505551/HADOOP-7853-trunk.patch
against trunk revision .
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 6 new or modified tests.
-1 javadoc. The javadoc tool appears to have generated 2 warning messages.
-1 javac. The patch appears to cause tar ant target to fail.
-1 findbugs. The patch appears to cause Findbugs (version 1.3.9) to fail.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
-1 core tests. The patch failed the unit tests build
+1 contrib tests. The patch passed contrib unit tests.
Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/413//testReport/
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/413//console
This message is automatically generated.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160338#comment-13160338 ]
Hudson commented on HADOOP-7853:
--------------------------------
Integrated in Hadoop-Mapreduce-0.23-Commit #245 (See [https://builds.apache.org/job/Hadoop-Mapreduce-0.23-Commit/245/])
Merge -r 1208750:1208751 from trunk to branch. FIXES: HADOOP-7853
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1208755
Files :
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 0.24.0, 0.23.1, 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160311#comment-13160311 ]
Hudson commented on HADOOP-7853:
--------------------------------
Integrated in Hadoop-Common-trunk-Commit #1346 (See [https://builds.apache.org/job/Hadoop-Common-trunk-Commit/1346/])
HADOOP-7853. multiple javax security configurations cause conflicts. (daryn via tucu)
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1208751
Files :
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daryn Sharp updated HADOOP-7853:
--------------------------------
Attachment: HADOOP-7853-1.patch
Per Jitendra's comments:
# Added {{isLogDebugEnabled}}
# Fixed
# I reverted 2 of the log lines. They made it easier to eyeball a noisy log but aren't strictly needed. I left the one line that dumps the subject when no TGT is found. The reason is this line is what finally led us to the problem when we saw that the subject contained only unix credentials.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1, 0.23.0, 0.24.0, 0.23.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daryn Sharp updated HADOOP-7853:
--------------------------------
Attachment: HADOOP-7853-1-trunk.patch
Thanks for the reviews!
# Corrected the misspelling of privilege.
# Removed the tests related to testing a chained UGI.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Kihwal Lee (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159377#comment-13159377 ]
Kihwal Lee commented on HADOOP-7853:
------------------------------------
Daryn, when you post the trunk version of the patch, make sure the test fix is included.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160317#comment-13160317 ]
Hudson commented on HADOOP-7853:
--------------------------------
Integrated in Hadoop-Hdfs-0.23-Commit #233 (See [https://builds.apache.org/job/Hadoop-Hdfs-0.23-Commit/233/])
Merge -r 1208750:1208751 from trunk to branch. FIXES: HADOOP-7853
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1208755
Files :
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 0.24.0, 0.23.1, 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Jitendra Nath Pandey (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159471#comment-13159471 ]
Jitendra Nath Pandey commented on HADOOP-7853:
----------------------------------------------
I fixed the breaking tests in HADOOP-7865 for branch-1. I just reverted the change to UGI#toString.
I agree with Kihwal to include his fix for the trunk patch.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Jitendra Nath Pandey (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13157432#comment-13157432 ]
Jitendra Nath Pandey commented on HADOOP-7853:
----------------------------------------------
Thanks to Daryn for the patch.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1, 0.23.0, 0.24.0, 0.23.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Jitendra Nath Pandey (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156325#comment-13156325 ]
Jitendra Nath Pandey commented on HADOOP-7853:
----------------------------------------------
+1. Looks good to me.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1, 0.23.0, 0.24.0, 0.23.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156270#comment-13156270 ]
Daryn Sharp commented on HADOOP-7853:
-------------------------------------
bq. BTW, Nice hunting job.
Thanks! You don't want to know how long this took to track this down. The problem manifested on only one grid, and it took 20-24 hours for the problem to show up. It was only this week that we made the association with hive and could reproduce the problem.
bq. What I'm failing to understand is why a submission to Oozie made JT to fail?
Sorry for the confusion. Technically it had nothing to do with oozie; the oozie job happened to contain a hive token. The hive token triggered the bug, but is not responsible for the bug.
Normally the token renewer service loader won't go past the hdfs, hftp, or mr renewers. The hive token caused it to load all of the renewer classes. The renewer classes are nested classes within the class that creates the token. The webhdfs class stomped on the config when activated by the service loader.
bq. Also, in the UGI, the Hadoop kerberos configuration has renewTGT set to true, why does UGI then need to have a thread for renewal (in spawnAutoRenewalThreadForUserCreds method)? Why even has to use kinit? What am I missing here?
I wondered about that too, but it was out of scope for this show stopping bug. Our env is using keytabs so it would have only been a distraction. It might deserve another jira.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1, 0.23.0, 0.24.0, 0.23.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hadoop QA (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155988#comment-13155988 ]
Hadoop QA commented on HADOOP-7853:
-----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12504896/HADOOP-7853.patch
against trunk revision .
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 3 new or modified tests.
-1 patch. The patch command could not apply the patch.
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/397//console
This message is automatically generated.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160868#comment-13160868 ]
Hudson commented on HADOOP-7853:
--------------------------------
Integrated in Hadoop-Hdfs-0.23-Build #94 (See [https://builds.apache.org/job/Hadoop-Hdfs-0.23-Build/94/])
Merge -r 1208750:1208751 from trunk to branch. FIXES: HADOOP-7853
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1208755
Files :
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java
* /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 0.24.0, 0.23.1, 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hadoop QA (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13160112#comment-13160112 ]
Hadoop QA commented on HADOOP-7853:
-----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12505628/HADOOP-7853-1-trunk.patch
against trunk revision .
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 6 new or modified tests.
-1 javadoc. The javadoc tool appears to have generated 15 warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
+1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed unit tests in .
+1 contrib tests. The patch passed contrib unit tests.
Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/414//testReport/
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/414//console
This message is automatically generated.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1-trunk.patch, HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Daryn Sharp (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daryn Sharp updated HADOOP-7853:
--------------------------------
Attachment: HADOOP-7853-trunk.patch
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 0.24.0, 0.23.1, 1.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 1.0.0
>
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853-testfix-branch-1.0.0.patch, HADOOP-7853-trunk.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7853) multiple javax security
configurations cause conflicts
Posted by "Hadoop QA (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156321#comment-13156321 ]
Hadoop QA commented on HADOOP-7853:
-----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12504930/HADOOP-7853-1.patch
against trunk revision .
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 3 new or modified tests.
-1 patch. The patch command could not apply the patch.
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/400//console
This message is automatically generated.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
> Key: HADOOP-7853
> URL: https://issues.apache.org/jira/browse/HADOOP-7853
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.20.205.1, 0.23.0, 0.24.0, 0.23.1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-7853-1.patch, HADOOP-7853-1.patch, HADOOP-7853.patch
>
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration. SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira