You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "Tim Armstrong (JIRA)" <ji...@apache.org> on 2019/04/24 20:24:00 UTC

[jira] [Commented] (IMPALA-6691) KRPC w/ kerberos fails on SLES11

    [ https://issues.apache.org/jira/browse/IMPALA-6691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16825479#comment-16825479 ] 

Tim Armstrong commented on IMPALA-6691:
---------------------------------------

We've seen a similar error message pop up occur when there is some kind of health issue with a host, leading to a communication error:
{noformat}
From Driver logs: Client connection negotiation failed: client connection to <ip address A>:27000: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)

From Impalad logs: query-state.cc:412] Instance completed. instance_id=... #in-flight=1 status=GENERAL: TransmitData() to <ip address A>:27000 failed: Not authorized: Client connection negotiation failed: client connection to <ip address A>:27000: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
{noformat}
Leaving here as documentation that errors this this are *not* necessarily IMPALA-6691.


> KRPC w/ kerberos fails on SLES11
> --------------------------------
>
>                 Key: IMPALA-6691
>                 URL: https://issues.apache.org/jira/browse/IMPALA-6691
>             Project: IMPALA
>          Issue Type: Sub-task
>    Affects Versions: Impala 3.0, Impala 2.12.0
>            Reporter: Sailesh Mukil
>            Assignee: Sailesh Mukil
>            Priority: Critical
>             Fix For: Impala 2.12.0
>
>
> The Kerberos version used in SLES 11 seems to have quite a few undocumented bugs. They have krb5-1.6 (krb5-client-1.6.3-133.49.112.1.x86_64).
> With KRPC we see a new error "GSSAPI Error: A required input parameter could not be read", which we've never seen before.
> I looked into the krb5 codebase and between krb5-1.6 and krb5-1.7, the code causing the above error (GSSAPI Error: A required input parameter could not be read) has changed subtly without any explanation as to why.
> That error string corresponds to GSS_S_CALL_INACCESSIBLE_READ.
> In 1.6, it returns an error if the 'input_token_buffer' string is empty:
> krb5-1.6:
> https://github.com/krb5/krb5/blob/krb5-1.6/src/lib/gssapi/mechglue/g_accept_sec_context.c#L149-L150
> In 1.7, it returns an error only if the 'input_token_buffer' string is NULL:
> krb5-1.7:
> https://github.com/krb5/krb5/blob/krb5-1.7/src/lib/gssapi/mechglue/g_accept_sec_context.c#L149-L150
> With KRPC, we test if Kerberos works by passing an empty string to SASL:
> https://github.com/apache/impala/blob/master/be/src/kudu/rpc/server_negotiation.cc#L289
> In 1.6, this is counted as an error, but in 1.7, this is completely fine. I'm not sure why since they haven't documented it.
> We can attempt to get KRPC working for SLES11 by removing the PreflightGSSAPI() check.
> (However there may be more issues on SLES11 that we're not yet aware of)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org