You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@accumulo.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2015/03/25 03:31:52 UTC

[jira] [Resolved] (ACCUMULO-3695) Authentication check for system user incorrect for multiple nodes

     [ https://issues.apache.org/jira/browse/ACCUMULO-3695?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josh Elser resolved ACCUMULO-3695.
----------------------------------
    Resolution: Fixed

> Authentication check for system user incorrect for multiple nodes
> -----------------------------------------------------------------
>
>                 Key: ACCUMULO-3695
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3695
>             Project: Accumulo
>          Issue Type: Bug
>          Components: master, monitor, trace, tserver
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Blocker
>             Fix For: 1.7.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Was testing out a multiple node install of Accumulo with Kerberos via Ambari (post AMBARI-10163), and noticed that all but the one node could communicate out.
> {noformat}
> 2015-03-25 01:08:19,252 [impl.SecurityOperationsImpl] DEBUG: Provided credentials did not match server's expected credentials. Expected org.apache.accumulo.server.security.SystemCredentials:accumulo/c6402.ambari.apache.org@EXAMPLE.COM:org.apache.accumulo.server.security.SystemCredentials$SystemToken:<hidden> but got org.apache.accumulo.core.security.Credentials:accumulo/c6401.ambari.apache.org@EXAMPLE.COM:org.apache.accumulo.server.security.SystemCredentials$SystemToken:<hidden>
> 2015-03-25 01:08:19,258 [tserver.TabletServer] WARN : Got loadTablet message from unauthenticatable user: accumulo/c6401.ambari.apache.org@EXAMPLE.COM
> 2015-03-25 01:08:19,258 [tserver.TabletServer] ERROR: Got message from a service with a mismatched configuration. Please ensure a compatible configuration.
> ThriftSecurityException(user:accumulo/c6401.ambari.apache.org@EXAMPLE.COM, code:BAD_CREDENTIALS)
>         at org.apache.accumulo.server.security.SecurityOperation.authenticate(SecurityOperation.java:170)
>         at org.apache.accumulo.server.security.AuditedSecurityOperation.authenticate(AuditedSecurityOperation.java:450)
>         at org.apache.accumulo.server.security.SecurityOperation.canPerformSystemActions(SecurityOperation.java:437)
>         at org.apache.accumulo.tserver.TabletServer$ThriftClientHandler.checkPermission(TabletServer.java:1385)
>         at org.apache.accumulo.tserver.TabletServer$ThriftClientHandler.loadTablet(TabletServer.java:1445)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.accumulo.core.trace.wrappers.RpcServerInvocationHandler.invoke(RpcServerInvocationHandler.java:46)
>         at org.apache.accumulo.server.rpc.RpcWrapper$1.invoke(RpcWrapper.java:47)
>         at com.sun.proxy.$Proxy22.loadTablet(Unknown Source)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.accumulo.server.rpc.TCredentialsUpdatingInvocationHandler.invokeMethod(TCredentialsUpdatingInvocationHandler.java:154)
>         at org.apache.accumulo.server.rpc.TCredentialsUpdatingInvocationHandler.invoke(TCredentialsUpdatingInvocationHandler.java:58)
>         at com.sun.proxy.$Proxy22.loadTablet(Unknown Source)
>         at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Processor$loadTablet.getResult(TabletClientService.java:2633)
>         at org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Processor$loadTablet.getResult(TabletClientService.java:2619)
>         at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
>         at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
>         at org.apache.accumulo.server.rpc.UGIAssumingProcessor.process(UGIAssumingProcessor.java:102)
>         at org.apache.accumulo.server.rpc.TimedProcessor.process(TimedProcessor.java:63)
>         at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:225)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at org.apache.accumulo.core.util.LoggingRunnable.run(LoggingRunnable.java:35)
>         at java.lang.Thread.run(Thread.java:745)
> {noformat}
> I think what's happening is that when it realizes that it's the System user, it does a equality check on the Credentials object. This will never be true for multiple nodes since the instance component (the hostname) of the principal will always be different.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)