Posted to yarn-issues@hadoop.apache.org by "Bibin A Chundatt (JIRA)" <ji...@apache.org> on 2015/06/16 18:10:01 UTC

[jira] [Commented] (YARN-3810) Rest API failing when ip configured in RM address in secure https mode

    [ https://issues.apache.org/jira/browse/YARN-3810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14588285#comment-14588285 ] 

Bibin A Chundatt commented on YARN-3810:
----------------------------------------

Analysis

{{KerberosAuthenticationHandler#serverSubject}} is initialized with *HTTP/<IP>@HADOOP.COM* because {{HttpServer2#hostname}} is not resolved as a hostname in {{HttpServer2#build()}}
{code}
if (hostName == null) {
  hostName = endpoints.get(0).getHost();
}
{code}

Since the same is initialized as an IP in {{HttpServer2#initSpnego}} "kerberos.principal" will be set as *"HTTP/<IP>@HADOOP.COM"*




> Rest API failing when ip configured in RM address in secure https mode
> ----------------------------------------------------------------------
>
>                 Key: YARN-3810
>                 URL: https://issues.apache.org/jira/browse/YARN-3810
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Bibin A Chundatt
>            Assignee: Bibin A Chundatt
>            Priority: Critical
>
> Steps to reproduce
> ===============
> 1. Configure hadoop.http.authentication.kerberos.principal as below
> {code:xml}
>   <property>
>     <name>hadoop.http.authentication.kerberos.principal</name>
>     <value>HTTP/_HOST@HADOOP.COM</value>
>   </property>
> {code}
> 2. In RM web address also configure IP 
> 3. Startup RM 
> Call Rest API for RM  {{ curl -i -k  --insecure --negotiate -u : https IP /ws/v1/cluster/info"}}
> *Actual*
> Rest API  failing
> {code}
> 2015-06-16 19:03:49,845 DEBUG org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:399)
> 	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:348)
> 	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
> 	at org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilter.doFilter(RMAuthenticationFilter.java:82)
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
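
Added example, not part of the original JIRA comment and not Hadoop source: a simplified model of the _HOST expansion described in the analysis above, showing how an IP in the web address yields an IP-based SPNEGO principal and how to flag it. The class name, method names and the sample address 127.0.0.1 are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.util.Locale;

// Added illustration: a simplified model of _HOST expansion, not Hadoop source.
public class SpnegoPrincipalCheck {

  // Replace the _HOST instance of a service/_HOST@REALM pattern with the given host.
  static String expand(String pattern, String host) {
    String[] p = pattern.split("[/@]");
    if (p.length != 3 || !p[1].equals("_HOST")) {
      return pattern; // no placeholder: the principal is used as configured
    }
    return p[0] + "/" + host.toLowerCase(Locale.ROOT) + "@" + p[2];
  }

  // True when the instance component is an IPv4 literal (IPv6 is not handled here).
  static boolean hasIpInstance(String principal) {
    String[] p = principal.split("[/@]");
    return p.length == 3 && p[1].matches("\\d{1,3}(\\.\\d{1,3}){3}");
  }

  public static void main(String[] args) throws Exception {
    String pattern = "HTTP/_HOST@HADOOP.COM";                  // value from the issue
    String bindHost = args.length > 0 ? args[0] : "127.0.0.1"; // constructed sample address

    String derived = expand(pattern, bindHost);
    System.out.println("derived principal : " + derived);

    if (hasIpInstance(derived)) {
      // getCanonicalHostName() does a reverse lookup and returns the literal
      // unchanged when no name is found.
      String name = InetAddress.getByName(bindHost).getCanonicalHostName();
      System.out.println("reverse lookup    : " + name);
      System.out.println("by-name principal : " + expand(pattern, name));
      System.out.println("WARN: the server will log in as " + derived
          + "; check that the keytab holds this exact principal");
    }
  }
}
```

Pass the address configured for the RM web endpoint as the first argument and compare the printed principals with the entries in the HTTP keytab.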