You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@impala.apache.org by "Sailesh Mukil (JIRA)" <ji...@apache.org> on 2018/03/22 19:04:00 UTC

[jira] [Resolved] (IMPALA-6691) KRPC w/ kerberos fails on SLES11

     [ https://issues.apache.org/jira/browse/IMPALA-6691?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sailesh Mukil resolved IMPALA-6691.
-----------------------------------
       Resolution: Fixed
    Fix Version/s: Impala 2.12.0

> KRPC w/ kerberos fails on SLES11
> --------------------------------
>
>                 Key: IMPALA-6691
>                 URL: https://issues.apache.org/jira/browse/IMPALA-6691
>             Project: IMPALA
>          Issue Type: Sub-task
>    Affects Versions: Impala 3.0, Impala 2.12.0
>            Reporter: Sailesh Mukil
>            Assignee: Sailesh Mukil
>            Priority: Critical
>             Fix For: Impala 2.12.0
>
>
> The Kerberos version used in SLES 11 seems to have quite a few undocumented bugs. They have krb5-1.6 (krb5-client-1.6.3-133.49.112.1.x86_64).
> With KRPC we see a new error "GSSAPI Error: A required input parameter could not be read", which we've never seen before.
> I looked into the krb5 codebase and between krb5-1.6 and krb5-1.7, the code causing the above error (GSSAPI Error: A required input parameter could not be read) has changed subtly without any explanation as to why.
> That error string corresponds to GSS_S_CALL_INACCESSIBLE_READ.
> In 1.6, it returns an error if the 'input_token_buffer' string is empty:
> krb5-1.6:
> https://github.com/krb5/krb5/blob/krb5-1.6/src/lib/gssapi/mechglue/g_accept_sec_context.c#L149-L150
> In 1.7, it returns an error only if the 'input_token_buffer' string is NULL:
> krb5-1.7:
> https://github.com/krb5/krb5/blob/krb5-1.7/src/lib/gssapi/mechglue/g_accept_sec_context.c#L149-L150
> With KRPC, we test if Kerberos works by passing an empty string to SASL:
> https://github.com/apache/impala/blob/master/be/src/kudu/rpc/server_negotiation.cc#L289
> In 1.6, this is counted as an error, but in 1.7, this is completely fine. I'm not sure why since they haven't documented it.
> We can attempt to get KRPC working for SLES11 by removing the PreflightGSSAPI() check.
> (However there may be more issues on SLES11 that we're not yet aware of)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)