Posted to dev@knox.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2019/03/04 20:02:00 UTC
[jira] [Work logged] (KNOX-474) Improved Kerberos config validation and diagnostics at startup
[ https://issues.apache.org/jira/browse/KNOX-474?focusedWorklogId=207400&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-207400 ]
ASF GitHub Bot logged work on KNOX-474:
---------------------------------------
Author: ASF GitHub Bot
Created on: 04/Mar/19 20:01
Start Date: 04/Mar/19 20:01
Worklog Time Spent: 10m
Work Description: smolnar82 commented on pull request #62: KNOX-474 - Added Kerberos related configuration validation at gateway startup time
URL: https://github.com/apache/knox/pull/62
## What changes were proposed in this pull request?
Added Kerberos related configuration validation at gateway startup time so that end-users would receive fast feedback in case of misconfiguration.
## How was this patch tested?
Adding new unit tests and running them:
```
$ mvn -T1C verify -Prelease,package
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 29:18 min (Wall Clock)
[INFO] Finished at: 2019-03-04T20:21:30+01:00
[INFO] Final Memory: 267M/1580M
[INFO] ------------------------------------------------------------------------
```
Additionally, the following manual steps have been executed:
1.) Setting Kerberos configuration to a non-existing file:
```
$ sed -i 's/\/etc\/krb5.conf/\/etc\/krb5.conf_1/g' knox-1.3.0-SNAPSHOT/conf/gateway-site.xml
$ ./knox-1.3.0-SNAPSHOT/bin/gateway.sh start
Starting Gateway failed.
$ tail -n 22 knox-1.3.0-SNAPSHOT/logs/gateway.log
2019-03-04 19:29:58,549 INFO knox.gateway (GatewayConfigImpl.java:loadConfigFile(402)) - Loading configuration file /home/knox/knox-1.3.0-SNAPSHOT/bin/../conf/gateway-site.xml
2019-03-04 19:29:58,579 INFO knox.gateway (GatewayConfigImpl.java:initGatewayHomeDir(346)) - Using /home/knox/knox-1.3.0-SNAPSHOT/bin/.. as GATEWAY_HOME via system property.
2019-03-04 19:29:58,579 INFO knox.gateway (GatewayConfigImpl.java:init(339)) - Cookie scoping feature enabled: false
2019-03-04 19:29:58,612 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: org.apache.knox.gateway.config.GatewayConfigurationException: Found configurations errors:
java.security.krb5.conf is set to a non-existing file: /etc/krb5.conf_1
org.apache.knox.gateway.config.GatewayConfigurationException: Found configurations errors:
java.security.krb5.conf is set to a non-existing file: /etc/krb5.conf_1
at org.apache.knox.gateway.config.impl.GatewayConfigImpl.validate(GatewayConfigImpl.java:257)
at org.apache.knox.gateway.config.impl.GatewayConfigImpl.<init>(GatewayConfigImpl.java:240)
at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:153)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
```
2.) Setting Kerberos Login configuration to a non-existing file (kept the previous change as well):
```
$ sed -i 's/\/etc\/knox\/conf\/krb5JAASLogin.conf/\/etc\/knox\/conf\/krb5JAASLogin.conf_2/g' knox-1.3.0-SNAPSHOT/conf/gateway-site.xml
$ rm knox-1.3.0-SNAPSHOT/logs/gateway.log
$ ./knox-1.3.0-SNAPSHOT/bin/gateway.sh start
Starting Gateway failed.
$ tail -n 22 knox-1.3.0-SNAPSHOT/logs/gateway.log
2019-03-04 19:33:25,559 INFO knox.gateway (GatewayConfigImpl.java:loadConfigFile(402)) - Loading configuration file /home/knox/knox-1.3.0-SNAPSHOT/bin/../conf/gateway-site.xml
2019-03-04 19:33:25,603 INFO knox.gateway (GatewayConfigImpl.java:initGatewayHomeDir(346)) - Using /home/knox/knox-1.3.0-SNAPSHOT/bin/.. as GATEWAY_HOME via system property.
2019-03-04 19:33:25,603 INFO knox.gateway (GatewayConfigImpl.java:init(339)) - Cookie scoping feature enabled: false
2019-03-04 19:33:25,608 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: org.apache.knox.gateway.config.GatewayConfigurationException: Found configurations errors:
java.security.auth.login.config is set to a non-existing file: /etc/knox/conf/krb5JAASLogin.conf_2
java.security.krb5.conf is set to a non-existing file: /etc/krb5.conf_1
org.apache.knox.gateway.config.GatewayConfigurationException: Found configurations errors:
java.security.auth.login.config is set to a non-existing file: /etc/knox/conf/krb5JAASLogin.conf_2
java.security.krb5.conf is set to a non-existing file: /etc/krb5.conf_1
at org.apache.knox.gateway.config.impl.GatewayConfigImpl.validate(GatewayConfigImpl.java:257)
at org.apache.knox.gateway.config.impl.GatewayConfigImpl.<init>(GatewayConfigImpl.java:240)
at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:153)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
```
3.) Reverted the previous 2 changes and set the keytab file to a non-existing file in the supplied Kerberos login configuration:
```
$ sed -i 's/\/etc\/knox\/conf\/krb5JAASLogin.conf_2/\/etc\/knox\/conf\/krb5JAASLogin.conf/g' knox-1.3.0-SNAPSHOT/conf/gateway-site.xml
$ sed -i 's/\/etc\/krb5.conf_1/\/etc\/krb5.conf/g' knox-1.3.0-SNAPSHOT/conf/gateway-site.xml
$ sed -i 's/knox.service.keytab/knox.service.keytab_3/g' /etc/knox/conf/krb5JAASLogin.conf
$ rm knox-1.3.0-SNAPSHOT/logs/gateway.log
$ ./knox-1.3.0-SNAPSHOT/bin/gateway.sh start
Starting Gateway succeeded with PID 13362.
$ ./knox-1.3.0-SNAPSHOT/bin/gateway.sh status
Gateway is not running. No PID file found.
$ tail -25 knox-1.3.0-SNAPSHOT/logs/gateway.log
2019-03-04 19:39:43,761 INFO knox.gateway (GatewayServer.java:setSystemProperty(249)) - System Property: gateway.hadoop.kerberos.secured=true
2019-03-04 19:39:43,761 INFO knox.gateway (GatewayServer.java:setSystemProperty(249)) - System Property: java.security.krb5.conf=/etc/krb5.conf
2019-03-04 19:39:43,761 INFO knox.gateway (GatewayServer.java:setSystemProperty(249)) - System Property: sun.security.krb5.debug=false
2019-03-04 19:39:43,761 INFO knox.gateway (GatewayServer.java:setSystemProperty(249)) - System Property: java.security.auth.login.config=/etc/knox/conf/krb5JAASLogin.conf
2019-03-04 19:39:43,761 INFO knox.gateway (GatewayServer.java:setSystemProperty(249)) - System Property: javax.security.auth.useSubjectCredsOnly=false
2019-03-04 19:39:45,481 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: org.apache.knox.gateway.services.ServiceLifecycleException: Error while configuring registry authentication
org.apache.knox.gateway.services.ServiceLifecycleException: Error while configuring registry authentication
at org.apache.knox.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:81)
at org.apache.knox.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:79)
at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:159)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
Caused by: org.apache.knox.gateway.config.ConfigurationException: The specified keytab file /etc/security/keytabs/knox.service.keytab_3 is either non-existing or cannot be read!
at org.apache.knox.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.validateKeytabFile(RemoteConfigurationRegistryJAASConfig.java:106)
at org.apache.knox.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.<init>(RemoteConfigurationRegistryJAASConfig.java:79)
at org.apache.knox.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.configure(RemoteConfigurationRegistryJAASConfig.java:67)
at org.apache.knox.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:79)
... 11 more
```
4.) Reverted the previous change and confirmed the gateway started as usual:
```
$ sed -i 's/knox.service.keytab_3/knox.service.keytab/g' /etc/knox/conf/krb5JAASLogin.conf
$ ./knox-1.3.0-SNAPSHOT/bin/gateway.sh start
Starting Gateway succeeded with PID 18274.
$ ./knox-1.3.0-SNAPSHOT/bin/gateway.sh status
Gateway is running with PID 18274.
$ tail -F knox-1.3.0-SNAPSHOT/logs/gateway.log
2019-03-04 19:44:52,769 INFO knox.gateway (GatewayServer.java:handleCreateDeployment(880)) - Deploying topology admin to /home/knox/knox-1.3.0-SNAPSHOT/data/deployments/admin.topo.16948881e10
2019-03-04 19:44:52,769 INFO knox.gateway (GatewayServer.java:internalDeactivateTopology(799)) - Deactivating topology admin
2019-03-04 19:44:53,692 INFO knox.gateway (DefaultGatewayServices.java:initializeContribution(239)) - Credential store found for the cluster: admin - no need to create one.
2019-03-04 19:44:53,769 INFO knox.gateway (GatewayServer.java:internalActivateTopology(765)) - Activating topology admin
2019-03-04 19:44:53,769 INFO knox.gateway (GatewayServer.java:internalActivateArchive(775)) - Activating topology admin archive %2F
2019-03-04 19:44:53,770 INFO knox.gateway (GatewayServer.java:cleanupTopologyDeployments(288)) - Deleting backup deployed topology /home/knox/knox-1.3.0-SNAPSHOT/data/deployments/admin.topo.169481df648
2019-03-04 19:44:53,771 INFO knox.gateway (GatewayServer.java:handleCreateDeployment(897)) - Loading topology default from /home/knox/knox-1.3.0-SNAPSHOT/data/deployments/default.topo.16938708cb0
2019-03-04 19:44:53,772 INFO knox.gateway (GatewayServer.java:internalActivateTopology(765)) - Activating topology default
2019-03-04 19:44:53,772 INFO knox.gateway (GatewayServer.java:internalActivateArchive(775)) - Activating topology default archive %2F
2019-03-04 19:44:53,998 INFO knox.gateway (GatewayServer.java:start(563)) - Topology port mapping feature enabled: true
2019-03-04 19:44:58,655 INFO knox.gateway (GatewayServer.java:start(598)) - Monitoring topologies in directory: /home/knox/knox-1.3.0-SNAPSHOT/conf/topologies
2019-03-04 19:44:58,685 INFO knox.gateway (GatewayServer.java:startGateway(321)) - Started gateway on port 8,443.
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 207400)
Time Spent: 10m
Remaining Estimate: 0h
> Improved Kerberos config validation and diagnostics at startup
> --------------------------------------------------------------
>
> Key: KNOX-474
> URL: https://issues.apache.org/jira/browse/KNOX-474
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 0.4.0
> Reporter: Kevin Minder
> Assignee: Sandor Molnar
> Priority: Major
> Labels: security
> Time Spent: 10m
> Remaining Estimate: 0h
>
> In gateway-site.xml, if gateway.hadoop.kerberos.secured=true
> # Complain or fail to start if there is a kinited principal.
> # Complain or fail to start if the file referenced via java.security.krb5.conf cannot be read.
> # Complain or fail to start if the file referenced via java.security.auth.login.config cannot be read.
> # Read the file referenced via java.security.auth.login.config complain or fail to start if the keyTab file referenced in the com.sun.security.jgss.initiate section there cannot be read.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
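As an added example (not Knox's own GatewayConfigImpl code), the standalone Python pre-flight check below applies rules 2 to 4 from the issue description above to a gateway-site.xml and the JAAS login config it names, and collects every failure into one list the way the "Found configurations errors:" message in the manual tests does. The property names are the ones shown in the step 3 log; the sample files that demo() writes are constructed for the example.

```python
import os, re, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Added example, not Knox's GatewayConfigImpl: KNOX-474 rules 2-4 as one pre-flight check.
JGSS_INITIATE = re.compile(r"com\.sun\.security\.jgss\.initiate\s*\{(.*?)\};", re.S)
KEYTAB_OPTION = re.compile(r'keyTab\s*=\s*"?([^"\s;]+)')
KERB_ON, KRB5_CONF = "gateway.hadoop.kerberos.secured", "java.security.krb5.conf"
LOGIN_CONF = "java.security.auth.login.config"

def site_properties(gateway_site_xml):
    """Map <name> to <value> for each <property> in a Hadoop-style site file."""
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in ET.parse(gateway_site_xml).getroot().iter("property")}

def readable_file(path):
    return bool(path) and os.path.isfile(path) and os.access(path, os.R_OK)

def keytab_from_jaas(login_conf):  # keyTab of the com.sun.security.jgss.initiate entry, or None
    section = JGSS_INITIATE.search(Path(login_conf).read_text())
    option = KEYTAB_OPTION.search(section.group(1)) if section else None
    return option.group(1) if option else None

def validate_kerberos_config(gateway_site_xml):
    """Collect every configuration error; an empty list means the gateway may start."""
    props = site_properties(gateway_site_xml)
    if props.get(KERB_ON, "false").lower() != "true":
        return []  # Kerberos is off: nothing to validate
    errors = []
    if not readable_file(props.get(KRB5_CONF)):
        errors.append(f"{KRB5_CONF} is set to a non-existing file: {props.get(KRB5_CONF)}")
    login = props.get(LOGIN_CONF)
    if not readable_file(login):
        errors.append(f"{LOGIN_CONF} is set to a non-existing file: {login}")
    elif not readable_file(keytab_from_jaas(login)):  # rule 4 needs a readable login config
        errors.append(f"keyTab {keytab_from_jaas(login)} in {login} is non-existing or unreadable")
    return errors

def demo(broken=True):
    """Constructed sample setup; broken=True leaves krb5.conf and the JAAS keyTab file missing."""
    d = Path(tempfile.mkdtemp())
    krb5, keytab, login = d / "krb5.conf", d / "knox.service.keytab", d / "krb5JAASLogin.conf"
    login.write_text("com.sun.security.jgss.initiate {\n  com.sun.security.auth.module.Krb5LoginModule"
                     f' required useKeyTab=true keyTab="{keytab}" principal="knox/host@EXAMPLE.COM";\n}};\n')
    for f in (() if broken else (krb5, keytab)):
        f.touch()  # an empty placeholder file is enough for the readability check
    (site := d / "gateway-site.xml").write_text("<configuration>" + "".join(
        f"<property><name>{k}</name><value>{v}</value></property>" for k, v in
        ((KERB_ON, "true"), (KRB5_CONF, krb5), (LOGIN_CONF, login))) + "</configuration>")
    return validate_kerberos_config(site)
```

Unlike the step 3 log, where the unreadable keytab only surfaces later from CuratorClientService, this check reports the keytab together with the other file errors before anything is started.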