Posted to common-issues@hadoop.apache.org by "surendra singh lilhore (JIRA)" <ji...@apache.org> on 2015/04/30 07:44:08 UTC

[jira] [Commented] (HADOOP-11888) bootstrapStandby command broken in JDK1.8 with kerberos

    [ https://issues.apache.org/jira/browse/HADOOP-11888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14520903#comment-14520903 ] 

surendra singh lilhore commented on HADOOP-11888:
-------------------------------------------------

We got this issue in Java 1.8, but the same is working in Java 1.7.

This log is from the Kerberos server:

{code}
Apr 27 12:43:31 host-10-19-92-127 krb5kdc[9733](info): TGS_REQ (3 etypes {16 23 18}) 1.2.3.4: UNKNOWN_SERVER: authtime 0,  dsperf/huawei@HADOOP.COM for HTTP/1.2.3.4@HADOOP.COM, Server not found in Kerberos database
Apr 27 12:43:31 host-10-19-92-127 krb5kdc[9733](info): TGS_REQ (3 etypes {16 23 18}) 1.2.3.4: UNKNOWN_SERVER: authtime 0,  dsperf/huawei@HADOOP.COM for HTTP/1.2.3.4@HADOOP.COM, Server not found in Kerberos database
{code}

This problem occurs when the standby namenode tries to download the fsimage from the active namenode in the bootstrapStandby command. The SN will send an HTTP request to the AN, and the AN tries to authenticate the request.

The AN will create the SN SPNEGO principal through this logic.

{code}
  gssManager.createName(
                      KerberosUtil.getServicePrincipal("HTTP", serverName),
                      KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")),
{code}

But it’s not able to get the hostname of the SN; here *serverName* is the IP of the SN machine. The principal should be like this: *HTTP/hostname@HADOOP.COM*

It is a blocked issue; updating the Severity.

Attached the patch, please review.


> bootstrapStandby command broken in JDK1.8 with kerberos
> -------------------------------------------------------
>
>                 Key: HADOOP-11888
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11888
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>         Environment: Suse 11 Sp3 
> java = 1.8.0_40
>            Reporter: Bibin A Chundatt
>            Assignee: surendra singh lilhore
>         Attachments: HADOOP-11888.patch
>
>
> bootstrapStandby is failing in case of JDK1.8 with Kerberos
> ./hdfs namenode -bootstrapStandby
> {code}
> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: org.apache.hadoop.security.authentication.client.AuthenticationException: Invalid SPNEGO sequence, status code: 403
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:335)
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:206)
>         at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:215)
>         at org.apache.hadoop.hdfs.web.URLConnectionFactory.openConnection(URLConnectionFactory.java:162)
>         at org.apache.hadoop.hdfs.server.namenode.TransferFsImage.doGetUrl(TransferFsImage.java:403)
>         ... 16 more
> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: Invalid SPNEGO sequence, status code: 403
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.readToken(KerberosAuthenticator.java:370)
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.access$300(KerberosAuthenticator.java:55)
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:320)
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:288)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:415)
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:288)
>         ... 20 more
> {code}



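A triage check for the KDC log quoted in the comment above, as an added example that is not part of the original message or of Hadoop: it flags TGS_REQ failures with UNKNOWN_SERVER where the host part of the requested service principal is an IP literal instead of a hostname. The sample lines are constructed on the pattern of the quoted log; the function names and the `nn1.example.com` / `nn2.example.com` hosts are assumptions.

```python
import ipaddress
import re

# Matches krb5kdc TGS_REQ lines that failed with UNKNOWN_SERVER.
UNKNOWN_SERVER_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): TGS_REQ \([^)]*\) (?P<src>\S+): UNKNOWN_SERVER: "
    r"authtime \d+,\s+(?P<client>\S+) for (?P<spn>[^,\s]+),"
)

# Constructed sample lines, modelled on the log format quoted in the comment.
SAMPLE_LOG = [
    "Apr 27 12:40:02 kdc1 krb5kdc[9733](info): TGS_REQ (3 etypes {16 23 18}) 1.2.3.5: ISSUE: "
    "authtime 1430138400, etypes {rep=16 tkt=16 ses=16}, "
    "dsperf/huawei@HADOOP.COM for HTTP/nn1.example.com@HADOOP.COM",
    "Apr 27 12:43:31 kdc1 krb5kdc[9733](info): TGS_REQ (3 etypes {16 23 18}) 1.2.3.4: UNKNOWN_SERVER: "
    "authtime 0,  dsperf/huawei@HADOOP.COM for HTTP/1.2.3.4@HADOOP.COM, "
    "Server not found in Kerberos database",
    "Apr 27 12:44:10 kdc1 krb5kdc[9733](info): TGS_REQ (3 etypes {16 23 18}) 1.2.3.4: UNKNOWN_SERVER: "
    "authtime 0,  dsperf/huawei@HADOOP.COM for HTTP/nn2.example.com@HADOOP.COM, "
    "Server not found in Kerberos database",
]

def spn_host(principal):
    """Return the instance (host) part of 'service/instance@REALM', or ''."""
    name = principal.rpartition("@")[0] or principal
    return name.partition("/")[2]

def is_ip_literal(text):
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def find_ip_based_spns(lines):
    """Collect UNKNOWN_SERVER requests whose SPN was built from an IP address."""
    findings = []
    for line in lines:
        m = UNKNOWN_SERVER_RE.search(line)
        if m and is_ip_literal(spn_host(m["spn"])):
            findings.append({"source": m["src"], "client": m["client"], "spn": m["spn"]})
    return findings

if __name__ == "__main__":
    for f in find_ip_based_spns(SAMPLE_LOG):
        print(f"{f['client']} from {f['source']} requested IP-based SPN {f['spn']}")
```

An UNKNOWN_SERVER entry with a hostname in the principal (the third sample line) is left out on purpose, since that points to a missing KDC entry and not to a principal built from an IP.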