You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Daryn Sharp (Commented) (JIRA)" <ji...@apache.org> on 2011/11/23 18:31:41 UTC

[jira] [Commented] (HADOOP-7853) multiple javax security configurations cause conflicts

    [ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155977#comment-13155977 ] 

Daryn Sharp commented on HADOOP-7853:
-------------------------------------

This was really "fun" to debug since it appears in specific cases.

The problem will cripple the JT's ability to accept incoming connections.  The JT will login and acquire a kerberos ticket on startup.  When the ticket is about to expire, the JT will logout & re-login to obtain a new ticket.  If the SPNEGO class has been loaded, the JT will logout and appear to re-login successfully.  Unfortunately the UGI's Subject will only contain unix credentials, but no kerberos ticket.  This is due to SPNEGO optionally requiring kerberos and not including the crucial HadoopLoginModule.

SPNEGO is unexpectedly loaded even if webhdfs is disabled.  What happens is that the token renewer service typically does not have to traverse into the webhdfs class to find a renewer.  We detected the problem when Oozie submitted a job with a hive token with a job.  The service loader walked all the renewer classes.  When webhdfs was loaded it triggered the loading of SPNEGO which stomped the security configuration.  At this point the JT refuses incoming connections.
                
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
>                 Key: HADOOP-7853
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7853
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.20.205.1
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration.  SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira