Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/02/23 14:38:23 UTC
Review Request 31304: Storm service check failed after enabling security with existing AD
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31304/
-----------------------------------------------------------
Review request for Ambari, Andrew Onischuk and Vitalyi Brodetskyi.
Bugs: AMBARI-9743
https://issues.apache.org/jira/browse/AMBARI-9743
Repository: ambari
Description
-------
On the last stage, the Storm service check failed:
```
1017 [main] INFO backtype.storm.StormSubmitter - Generated ZooKeeper secret payload for MD5-digest: -5540876373091122649:-7113320937502691642
1021 [main] INFO backtype.storm.security.auth.AuthUtils - Got AutoCreds []
1039 [main] WARN org.apache.storm.curator.retry.ExponentialBackoffRetry - maxRetries too large (60000). Pinning to 29
1043 [main] INFO backtype.storm.utils.StormBoundedExponentialBackoffRetry - The baseSleepTimeMs [2000] the maxSleepTimeMs [5] the maxRetries [60000]
1043 [main] WARN backtype.storm.utils.StormBoundedExponentialBackoffRetry - Misconfiguration: the baseSleepTimeMs [2000] can't be greater than the maxSleepTimeMs [5].
1847 [main] INFO org.apache.storm.zookeeper.Login - successfully logged in.
Exception in thread "main" java.lang.RuntimeException: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: Illegal character in realm name; one of: '/', ':', '' (600))]
at backtype.storm.security.auth.ThriftClient.reconnect(ThriftClient.java:99)
at backtype.storm.security.auth.ThriftClient.<init>(ThriftClient.java:66)
at backtype.storm.utils.NimbusClient.<init>(NimbusClient.java:52)
at backtype.storm.utils.NimbusClient.getConfiguredClient(NimbusClient.java:36)
at backtype.storm.StormSubmitter.submitTopology(StormSubmitter.java:211)
at backtype.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
at storm.starter.WordCountTopology.main(WordCountTopology.java:77)
Caused by: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: Illegal character in realm name; one of: '/', ':', '' (600))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.<init>(GssKrb5Client.java:150)
at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslClient(FactoryImpl.java:63)
at javax.security.sasl.Sasl.createSaslClient(Sasl.java:372)
at org.apache.thrift7.transport.TSaslClientTransport.<init>(TSaslClientTransport.java:72)
at backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin.connect(KerberosSaslTransportPlugin.java:127)
at backtype.storm.security.auth.TBackoffConnect.doConnectWithRetry(TBackoffConnect.java:48)
at backtype.storm.security.auth.ThriftClient.reconnect(ThriftClient.java:97)
... 6 more
Caused by: GSSException: Invalid name provided (Mechanism level: Illegal character in realm name; one of: '/', ':', '' (600))
at sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:127)
at sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:95)
at sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:202)
at sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:472)
at sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:201)
at sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:170)
at sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:137)
at com.sun.security.sasl.gsskerb.GssKrb5Client.<init>(GssKrb5Client.java:108)
... 12 more
```
The solution is to properly strip the service name from the principal value.
Diffs
-----
ambari-server/src/main/resources/common-services/STORM/0.9.1.2.1/package/scripts/params.py 887132d
Diff: https://reviews.apache.org/r/31304/diff/
Testing
-------
Manually tested in cluster
Locally ran tests
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 50.941s
[INFO] Finished at: Mon Feb 23 08:13:41 EST 2015
[INFO] Final Memory: 64M/1228M
[INFO] ------------------------------------------------------------------------
Thanks,
Robert Levas
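
Added example, not the patch under review and not Ambari's code: it shows how a service name that still carries its instance and realm ends up with a `/` in the realm part, and how taking only the primary component avoids that. The function names, the sample principal, host and realms, and the "realm is everything after the first `@`" parsing model are assumptions made for illustration.

```python
# '/' and ':' are the characters named in the GSSException above; NUL is an assumption.
ILLEGAL_REALM_CHARS = frozenset("/:\0")


def bare_service_name(principal):
    """Return the primary component of primary[/instance][@REALM]."""
    if not principal or not principal.strip():
        raise ValueError("empty principal")
    name = principal.strip().split("@", 1)[0]  # drop the realm, if any
    primary = name.split("/", 1)[0]            # drop the instance (host or _HOST)
    if not primary:
        raise ValueError("principal has no primary component: %r" % principal)
    return primary


def naive_strip(principal, expected_realm):
    """Fragile variant (hypothetical): strips only when the suffix matches exactly."""
    return principal.replace("/_HOST@" + expected_realm, "")


def server_name(service, host, realm):
    """Simplified model of a client composing service/host@REALM."""
    return "%s/%s@%s" % (service, host, realm)


def illegal_realm_chars(name):
    """Characters in the realm part that a strict name parser would reject.

    The realm is modelled as everything after the first '@' (assumption).
    """
    _, sep, realm = name.partition("@")
    return sorted(set(realm) & ILLEGAL_REALM_CHARS) if sep else []


def compare(principal, host, realm, expected_realm):
    """Build the server name both ways and report what would be rejected."""
    broken = server_name(naive_strip(principal, expected_realm), host, realm)
    fixed = server_name(bare_service_name(principal), host, realm)
    return {
        "broken": broken,
        "broken_illegal": illegal_realm_chars(broken),
        "fixed": fixed,
        "fixed_illegal": illegal_realm_chars(fixed),
    }


if __name__ == "__main__":
    # Constructed values: the configured principal uses a realm that differs
    # from the one the naive strip expects, so nothing is stripped.
    result = compare("nimbus/_HOST@AD.EXAMPLE.COM", "storm1.example.com",
                     "AD.EXAMPLE.COM", "EXAMPLE.COM")
    for key, value in result.items():
        print(key, value)
```
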
Re: Review Request 31304: Storm service check failed after enabling security with existing AD
Posted by Vitalyi Brodetskyi <vb...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31304/#review73557
-----------------------------------------------------------
Ship it!
Ship It!
- Vitalyi Brodetskyi
Re: Review Request 31304: Storm service check failed after enabling security with existing AD
Posted by Robert Levas <rl...@hortonworks.com>.
> On Feb. 23, 2015, 8:54 a.m., Andrew Onischuk wrote:
> > I remember bugs when we had to lowercase the hostnames in principal names. I know it's not the scope of this jira. But it looks like we don't lowercase the hostnames, which will result in a bad kinit if the user has mixed-case FQDNs.
We will have to look into why case comes into play for principal names, thanks for the heads up on this.
- Robert
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31304/#review73561
-----------------------------------------------------------
Re: Review Request 31304: Storm service check failed after enabling security with existing AD
Posted by Andrew Onischuk <ao...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31304/#review73561
-----------------------------------------------------------
Ship it!
I remember bugs when we had to lowercase the hostnames in principal names. I know it's not the scope of this jira. But it looks like we don't lowercase the hostnames, which will result in a bad kinit if the user has mixed-case FQDNs.
- Andrew Onischuk