You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-dev@hadoop.apache.org by "zhouyingchao (JIRA)" <ji...@apache.org> on 2015/02/28 10:58:05 UTC

[jira] [Created] (HADOOP-11651) Handle kerberos authentication where there is no principal of HTTP/host@REALM

zhouyingchao created HADOOP-11651:
-------------------------------------

             Summary: Handle kerberos authentication where there is no principal of HTTP/host@REALM
                 Key: HADOOP-11651
                 URL: https://issues.apache.org/jira/browse/HADOOP-11651
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.6.0
            Reporter: zhouyingchao
            Assignee: zhouyingchao


In a testing cluster, the HTTP service principal is just HTTP/hdtst@REALM rather than HTTP/hostname@REALM. In this case, the following exception is thrown on active HDFS namenode when bootstrap the standy HDFS namenode:

2015-02-28,16:08:44,106 WARN org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:412)
        at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:507)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
        at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1224)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
        at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
....
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
        at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:95)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
        at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
        at sun.security.jgss.spnego.SpNegoMechFactory.getCredentialElement(SpNegoMechFactory.java:109)
        at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
        at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
        at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:57)
        at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:145)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:363)
...

We think our configuration is a valid use case and we should fix the issue. The attached patch has been tested and it works fine on our testing cluster.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)