Posted to dev@knox.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2019/02/15 23:19:00 UTC

[jira] [Work logged] (KNOX-1162) Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration

     [ https://issues.apache.org/jira/browse/KNOX-1162?focusedWorklogId=199497&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-199497 ]

ASF GitHub Bot logged work on KNOX-1162:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 15/Feb/19 23:18
            Start Date: 15/Feb/19 23:18
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
URL: https://github.com/apache/knox/pull/55
 
 
   ## What changes were proposed in this pull request?
   
   When there is a misconfiguration in the supplied JAAS configuration (i.e. `conf/krb5JAASLogin.conf`) the server fails to start and the information in gateway.log wasn't at all helpful. To make it better the following changes have been made:
   - *all* `FATAL` messages are logged with the full stack trace
   - in case the supplied JAAS configuration file does not exist or cannot be parsed we wrap the `IOException` coming from security login configuration into our own `ConfigurationException` with a meaningful error message
   
   (an additional change is to fix a unit test case in `MatcherTest` to avoid compilation error; I'm not sure how it was working before but it constantly fails locally for me)
   
   ## How was this patch tested?
   
   Added new unit test cases and executed them (including integration tests):
   ```
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time: 18:18 min (Wall Clock)
   [INFO] Finished at: 2019-02-15T23:48:43+01:00
   [INFO] Final Memory: 265M/1643M
   [INFO] ------------------------------------------------------------------------
   ```
   
   In addition to unit testing the following manual test has been executed:
   
   1. stopped the gateway server
   2. built and deployed the new version of the gateway server (with my changes)
   3. updated `/etc/knox/conf/krb5JAASLogin.conf`: removed surrounding quotes from the `keytab` property (which is invalid)
   4. tried to start the gateway. As expected it failed to start
   5. checked the log file if the enhanced error message appeared:
   
   ```
   2019-02-15 23:05:44,047 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: org.apache.knox.gateway.services.ServiceLifecycleException: Error while configuring registry authentication
   org.apache.knox.gateway.services.ServiceLifecycleException: Error while configuring registry authentication
           at org.apache.knox.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:81)
           at org.apache.knox.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:79)
           at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:159)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
           at java.lang.reflect.Method.invoke(Method.java:498)
           at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
           at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
           at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
           at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
           at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
   Caused by: org.apache.knox.gateway.config.ConfigurationException: Error while getting secure configuration. This error usually indicates an issue within the supplied JAAS configuration: /etc/knox/conf/krb5JAASLogin.conf
           at org.apache.knox.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.<init>(RemoteConfigurationRegistryJAASConfig.java:71)
           at org.apache.knox.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.configure(RemoteConfigurationRegistryJAASConfig.java:61)
           at org.apache.knox.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:79)
           ... 11 more
   Caused by: java.lang.SecurityException: java.io.IOException: Configuration Error:
           Line 7: expected [option key]
           at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
           at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
           at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
           at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
           at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
           at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
           at java.lang.Class.newInstance(Class.java:442)
           at javax.security.auth.login.Configuration$2.run(Configuration.java:255)
           at javax.security.auth.login.Configuration$2.run(Configuration.java:247)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
           at org.apache.knox.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.<init>(RemoteConfigurationRegistryJAASConfig.java:66)
           ... 13 more
   Caused by: java.io.IOException: Configuration Error:
           Line 7: expected [option key]
           at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:666)
           at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:572)
           at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:477)
           at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:427)
           at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
           at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
           at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
           ... 24 more
   ```
 


Issue Time Tracking
-------------------

            Worklog Id:     (was: 199497)
            Time Spent: 10m
    Remaining Estimate: 0h

> Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
> ----------------------------------------------------------------
>
>                 Key: KNOX-1162
>                 URL: https://issues.apache.org/jira/browse/KNOX-1162
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 0.14.0
>            Reporter: Kevin Minder
>            Assignee: Sandor Molnar
>            Priority: Minor
>             Fix For: 1.3.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When there is a misconfiguration in conf/krb5JAASLogin.conf the server fails to start and the information in gateway.log isn't at all helpful. So two requests:
> # Logging should indicate at a minimum what file contains the issue.
> # All fatal issues should log stack traces without requiring enabling debug logging.
> This is the error shown in gateway.log
> {code}
> 2018-01-05 12:05:12,538 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
>         Line 7: expected [option key]
> {code}
> When you enable debug logging you get somewhat better information.
> {code}
> 2018-01-05 15:55:54,087 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
>         Line 7: expected [option key]
> java.lang.SecurityException: java.io.IOException: Configuration Error:
>         Line 7: expected [option key]
>         at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
>         at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>         at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>         at java.lang.Class.newInstance(Class.java:442)
>         at javax.security.auth.login.Configuration$2.run(Configuration.java:255)
>         at javax.security.auth.login.Configuration$2.run(Configuration.java:247)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
>         at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.<init>(RemoteConfigurationRegistryJAASConfig.java:52)
>         at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.configure(RemoteConfigurationRegistryJAASConfig.java:59)
>         at org.apache.hadoop.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:80)
>         at org.apache.hadoop.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:113)
>         at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:154)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
>         at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
>         at org.apache.hadoop.gateway.launcher.Command.run(Command.java:99)
>         at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
>         at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
> Caused by: java.io.IOException: Configuration Error:
>         Line 7: expected [option key]
>         at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:666)
>         at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:572)
>         at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:477)
>         at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:427)
>         at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
>         at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
>         at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
>         ... 24 more
> {code}
> Lastly the particular configuration error in conf/krb5JAASLogin.conf was missing quotes for the keyTab and principal values.  Note, portions of the principal have been scrubbed and replaced with tokens (e.g. <host-name>)
> {code}
> com.sun.security.jgss.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     renewTGT=true
>     doNotPrompt=true
>     useKeyTab=true
>     keyTab=/usr/hdp/current/knox-server/conf/knox.keytab
>     principal=knox/<host-name>@<realm-name>
>     isInitiator=true
>     storeKey=true
>     useTicketCache=true
>     client=true;
> };
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
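
A pre-flight check in the spirit of this issue, as an added example (not code from the Knox patch): it parses the file with the JDK's own JAAS parser and names the offending file in every failure. The class `JaasPreflight` and its methods are hypothetical; the login context to pass is the one from the configuration quoted above, `com.sun.security.jgss.initiate`.

```java
import java.io.File;
import java.security.NoSuchAlgorithmException;
import java.security.URIParameter;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/** Pre-flight check for a JAAS login file (added example; names are hypothetical). */
public class JaasPreflight {

  /** Parses the file with the JDK's JAAS parser; every failure names the file. */
  static Configuration load(File jaasFile) {
    if (!jaasFile.isFile() || !jaasFile.canRead()) {
      throw new IllegalStateException(
          "JAAS configuration is missing or unreadable: " + jaasFile.getAbsolutePath());
    }
    try {
      // "JavaLoginConfig" is the JDK's standard file-based Configuration type.
      return Configuration.getInstance("JavaLoginConfig", new URIParameter(jaasFile.toURI()));
    } catch (NoSuchAlgorithmException | SecurityException e) {
      // Parser errors such as "Line 7: expected [option key]" arrive wrapped;
      // keep them as the cause so the stack trace still shows the line number.
      throw new IllegalStateException(
          "Cannot parse JAAS configuration " + jaasFile.getAbsolutePath()
              + " (check for unquoted keyTab/principal values)", e);
    }
  }

  /** Confirms the login context exists and its keyTab option is a readable file. */
  static void check(File jaasFile, String contextName) {
    AppConfigurationEntry[] entries = load(jaasFile).getAppConfigurationEntry(contextName);
    if (entries == null || entries.length == 0) {
      throw new IllegalStateException(
          "No login context '" + contextName + "' in " + jaasFile.getAbsolutePath());
    }
    for (AppConfigurationEntry entry : entries) {
      // Assumption: keyTab is given as a plain file path, as in the quoted configuration.
      Object keyTab = entry.getOptions().get("keyTab");
      if (keyTab != null && !new File(keyTab.toString()).canRead()) {
        throw new IllegalStateException(
            "keyTab '" + keyTab + "' named in " + jaasFile.getAbsolutePath() + " is not readable");
      }
    }
  }

  public static void main(String[] args) {
    // Usage: java JaasPreflight <jaas-file> <context-name>
    check(new File(args[0]), args[1]);
    System.out.println("JAAS configuration OK: " + args[0]);
  }
}
```

Running it as the gateway's service account before a restart also surfaces keytab permission problems, which the parser alone does not detect.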