You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Allen Wittenauer (JIRA)" <ji...@apache.org> on 2015/05/06 05:27:20 UTC

[jira] [Updated] (HADOOP-11651) Handle kerberos authentication where there is no principal of HTTP/host@REALM

     [ https://issues.apache.org/jira/browse/HADOOP-11651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Allen Wittenauer updated HADOOP-11651:
--------------------------------------
    Labels: BB2015-05-TBR  (was: )

> Handle kerberos authentication where there is no principal of HTTP/host@REALM
> -----------------------------------------------------------------------------
>
>                 Key: HADOOP-11651
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11651
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: zhouyingchao
>            Assignee: zhouyingchao
>              Labels: BB2015-05-TBR
>         Attachments: HADOOP-11651-001.patch
>
>
> In a testing cluster, the HTTP service principal is just HTTP/hdtst@REALM rather than HTTP/hostname@REALM. In this case, the following exception is thrown on active HDFS namenode when bootstrap the standy HDFS namenode:
> 2015-02-28,16:08:44,106 WARN org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:412)
>         at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:507)
>         at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
>         at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1224)
>         at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
>         at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
>         at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
>         at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
> ....
> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
>         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:95)
>         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
>         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
>         at sun.security.jgss.spnego.SpNegoMechFactory.getCredentialElement(SpNegoMechFactory.java:109)
>         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
>         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
>         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:57)
>         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:145)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:363)
> ...
> We think our configuration is a valid use case and we should fix the issue. The attached patch has been tested and it works fine on our testing cluster.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)