Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2018/01/08 19:48:02 UTC

[jira] [Updated] (KNOX-1162) Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration

     [ https://issues.apache.org/jira/browse/KNOX-1162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay updated KNOX-1162:
------------------------------
    Fix Version/s: 1.1.0

> Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
> ----------------------------------------------------------------
>
>                 Key: KNOX-1162
>                 URL: https://issues.apache.org/jira/browse/KNOX-1162
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 0.14.0
>            Reporter: Kevin Minder
>            Priority: Minor
>             Fix For: 1.1.0
>
>
> When there is a misconfiguration in conf/krb5JAASLogin.conf the server fails to start and the information in gateway.log isn't at all helpful.  So two requests:
> # Logging should indicate at a minimum what file contains the issue.
> # All fatal issues should log stack traces without requiring enabling debug logging.
> This is the error shown in gateway.log
> {code}
> 2018-01-05 12:05:12,538 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
>         Line 7: expected [option key]
> {code}
> When you enable debug logging you get somewhat better information.
> {code}
> 2018-01-05 15:55:54,087 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
>         Line 7: expected [option key]
> java.lang.SecurityException: java.io.IOException: Configuration Error:
>         Line 7: expected [option key]
>         at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
>         at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>         at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>         at java.lang.Class.newInstance(Class.java:442)
>         at javax.security.auth.login.Configuration$2.run(Configuration.java:255)
>         at javax.security.auth.login.Configuration$2.run(Configuration.java:247)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
>         at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.<init>(RemoteConfigurationRegistryJAASConfig.java:52)
>         at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.configure(RemoteConfigurationRegistryJAASConfig.java:59)
>         at org.apache.hadoop.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:80)
>         at org.apache.hadoop.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:113)
>         at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:154)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
>         at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
>         at org.apache.hadoop.gateway.launcher.Command.run(Command.java:99)
>         at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
>         at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
> Caused by: java.io.IOException: Configuration Error:
>         Line 7: expected [option key]
>         at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:666)
>         at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:572)
>         at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:477)
>         at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:427)
>         at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
>         at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
>         at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
>         ... 24 more
> {code}
> Lastly, the particular configuration error in conf/krb5JAASLogin.conf was missing quotes for the keyTab and principal values.  Note, portions of the principal have been scrubbed and replaced with tokens (e.g. <host-name>).
> {code}
> com.sun.security.jgss.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     renewTGT=true
>     doNotPrompt=true
>     useKeyTab=true
>     keyTab=/usr/hdp/current/knox-server/conf/knox.keytab
>     principal=knox/<host-name>@<realm-name>
>     isInitiator=true
>     storeKey=true
>     useTicketCache=true
>     client=true;
> };
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)