Posted to issues@metron.apache.org by "Vipin Rathor (JIRA)" <ji...@apache.org> on 2018/01/19 02:28:00 UTC

[jira] [Commented] (METRON-1412) Downgrade to HttpClient v4.5.1 to avoid known Kerberos issue

    [ https://issues.apache.org/jira/browse/METRON-1412?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16331639#comment-16331639 ] 

Vipin Rathor commented on METRON-1412:
--------------------------------------

From mailing list discussion,
{quote}When Metron Rest is trying to connect to Storm, an error is thrown: Server not found in Kerberos database (7) - LOOKING_UP_SERVER

>>>KRBError:
    cTime is Thu Oct 28 12:56:54 AEST 1971 57466614000
    sTime is Wed Jan 03 22:57:12 AEDT 2018 1514980632000
    suSec is 418131
    error code is 7
    error Message is Server not found in Kerberos database
    cname is metron@XXXXX.COM
    sname is *HTTPS/cbro-test-ms5.networks.in.xxxxx.com.au@XXXXX.COM*
    msgType is 30
KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)

In the KDC there is no principal with HTTPS/cbro-test-ms5.networks.in.xxxxx.com.au@XXXXX.COM

We can see only *HTTP/cbro-test-ms5.networks.in.xxxxx.com.au@XXXXX.COM*

If we manually add the principal (HTTPS/cbro-test-ms5.networks.in.xxxxx.com.au@XXXXX.COM) using kadmin on the Kerberos server, we get a checksum failed error:

Jan 03, 2018 10:32:20 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.web.client.RestClientException: Error running rest call; nested exception is org.springframework.web.client.HttpClientErrorException: 403 GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)] with root cause
org.springframework.web.client.HttpClientErrorException: 403 GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:667)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:620)
{quote}
 

 

> Downgrade to HttpClient v4.5.1 to avoid known Kerberos issue
> ------------------------------------------------------------
>
>                 Key: METRON-1412
>                 URL: https://issues.apache.org/jira/browse/METRON-1412
>             Project: Metron
>          Issue Type: Bug
>    Affects Versions: 0.4.1, 0.4.3
>            Reporter: Vipin Rathor
>            Priority: Major
>         Attachments: METRON-1412.001.patch
>
>
> This issue was reported & discussed in Metron user mailing list by Prakash R.
> Summary:
>  When Kerberos authentication is enabled for Hadoop cluster, Metron Rest service tries to connect to Storm by using a wrong principal name HTTPS/<host-fqdn>.
> Root Cause:
>  This is due to a known bug in HttpClient library introduced in v4.5.2 onwards. Fix would be to downgrade HttpClient to 4.5.1.
> Reference:
> https://issues.apache.org/jira/browse/KNOX-762



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
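
A diagnostic for the failure quoted above, added here as an example and not part of the JIRA comment or of Metron's code: it parses JDK Kerberos debug output for error code 7 and, for each unknown service principal, lists principals registered for the same host under a different service class (the HTTPS/ versus HTTP/ mismatch). The log sample, host names and `KDC_PRINCIPALS` set are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like JDK Kerberos debug output; hosts and realm are placeholders.
SAMPLE_LOG = """\
>>>KRBError:
    error code is 7
    error Message is Server not found in Kerberos database
    cname is metron@EXAMPLE.COM
    sname is HTTPS/storm-ui.example.com@EXAMPLE.COM
    msgType is 30
>>>KRBError:
    error code is 25
    error Message is Additional pre-authentication required
    cname is metron@EXAMPLE.COM
    sname is krbtgt/EXAMPLE.COM@EXAMPLE.COM
    msgType is 30
"""

# Constructed stand-in for a principal list exported from the KDC.
KDC_PRINCIPALS = {"HTTP/storm-ui.example.com@EXAMPLE.COM", "metron@EXAMPLE.COM"}

FIELD = re.compile(r"^\s*(error code|error Message|cname|sname) is (.*\S)\s*$")
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7  # RFC 4120: server not found in Kerberos database

def parse_krb_errors(text):
    """Return one dict of fields per >>>KRBError block; other lines are ignored."""
    blocks = []
    for line in text.splitlines():
        if line.lstrip().startswith(">>>KRBError"):
            blocks.append({})
        elif blocks:
            m = FIELD.match(line)
            if m:
                blocks[-1][m.group(1)] = m.group(2)
    return blocks

def diagnose(text, known_principals):
    """For each unknown-SPN error, list principals that do exist for the same host."""
    findings = []
    for err in parse_krb_errors(text):
        if int(err.get("error code", -1)) != KDC_ERR_S_PRINCIPAL_UNKNOWN:
            continue
        sname = err.get("sname", "")
        service, _, host_realm = sname.partition("/")
        # Same host@REALM part, different service class (e.g. HTTP vs HTTPS).
        alternatives = sorted(p for p in known_principals if host_realm
                              and p != sname and p.partition("/")[2] == host_realm)
        findings.append({"client": err.get("cname"), "requested": sname,
                         "service_class": service, "registered_for_host": alternatives})
    return findings
```

A non-empty `registered_for_host` means the client asked for a service class the KDC never issued for that host, which points at the client's SPN construction and not at a missing keytab entry.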