You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@livy.apache.org by "Wing Yew Poon (Jira)" <ji...@apache.org> on 2019/10/16 22:20:00 UTC

[jira] [Resolved] (LIVY-692) Thrift server Kerberos authentication does not use configured principal

     [ https://issues.apache.org/jira/browse/LIVY-692?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wing Yew Poon resolved LIVY-692.
--------------------------------
    Resolution: Not A Bug

> Thrift server Kerberos authentication does not use configured principal
> -----------------------------------------------------------------------
>
>                 Key: LIVY-692
>                 URL: https://issues.apache.org/jira/browse/LIVY-692
>             Project: Livy
>          Issue Type: Bug
>          Components: Thriftserver
>    Affects Versions: 0.6.0
>            Reporter: Wing Yew Poon
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> I tried to use the Thrift server in Livy 0.6. I have a secure cluster, and I set
> {noformat}
> livy.server.thrift.authentication=KERBEROS
> {noformat}
> on the server side. I also have livy.server.auth.kerberos.keytab and livy.server.auth.kerberos.principal configured. In particular, in my system, I have
> {noformat}
> livy.server.auth.kerberos.principal=HTTP/<livy_server>@<REALM>
> {noformat}
> When I try to connect to the Thrift server using the beeline shipped with Hive, with
> {noformat}
> beeline -u 'jdbc:hive2://<livy_server>:<thrift_port>/<db>;principal=HTTP/<livy_server>@<REALM>'
> {noformat}
> it fails with
> {noformat}
> Error: Could not open client transport with JDBC Uri: ... :: Peer indicated failure: GSS initiate failed (state=08S01,code=0)
> {noformat}
> On the server side, the log shows
> {noformat}
> 2019-10-03 15:21:09,536 ERROR org.apache.thrift.transport.TSaslTransport: SASL negotiation failure
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES3 CBC mode with SHA1-KD)]
> 	at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:199)
> 	at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
> 	at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
> 	at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
> 	at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
> 	at org.apache.livy.thriftserver.auth.TUGIAssumingTransportFactory$$anon$1.run(AuthBridgeServer.scala:143)
> 	at org.apache.livy.thriftserver.auth.TUGIAssumingTransportFactory$$anon$1.run(AuthBridgeServer.scala:142)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:360)
> 	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1710)
> 	at org.apache.livy.thriftserver.auth.TUGIAssumingTransportFactory.getTransport(AuthBridgeServer.scala:142)
> 	at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> 	at java.lang.Thread.run(Thread.java:748)
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES3 CBC mode with SHA1-KD)
> 	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
> 	at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167)
> 	... 14 more
> Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES3 CBC mode with SHA1-KD
> 	at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
> 	at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
> 	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
> 	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
> 	... 17 more
> {noformat}
> On debugging, I found that the UGI in the TUGIAssumingTransportFactory is not that of the configured HTTP principal but the UGI of the service principal (livy).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)