You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@falcon.apache.org by "Balu Vellanki (JIRA)" <ji...@apache.org> on 2014/12/18 00:38:13 UTC

[jira] [Updated] (FALCON-954) Secure Kerberos setup : Falcon should periodically revalidate security credentials.

     [ https://issues.apache.org/jira/browse/FALCON-954?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Balu Vellanki updated FALCON-954:
---------------------------------
    Assignee: Sowmya Ramesh  (was: Balu Vellanki)

> Secure Kerberos setup : Falcon should periodically revalidate security credentials.
> -----------------------------------------------------------------------------------
>
>                 Key: FALCON-954
>                 URL: https://issues.apache.org/jira/browse/FALCON-954
>             Project: Falcon
>          Issue Type: Bug
>    Affects Versions: 0.6
>            Reporter: Balu Vellanki
>            Assignee: Sowmya Ramesh
>            Priority: Critical
>             Fix For: 0.7
>
>
> If the credentials are not validated regularly, entity actions like schedule, update and delete will fail with the following exception.
> {code}
> org.apache.falcon.FalconException: AUTHENTICATION : AUTHENTICATION : java.lang.reflect.UndeclaredThrowableException
> 	at org.apache.falcon.workflow.engine.OozieWorkflowEngine.getJobDetails(OozieWorkflowEngine.java:1328)
> 	at org.apache.falcon.service.FalconTopicSubscriber.onMessage(FalconTopicSubscriber.java:100)
> 	at org.apache.activemq.ActiveMQMessageConsumer.dispatch(ActiveMQMessageConsumer.java:1229)
> 	at org.apache.activemq.ActiveMQSessionExecutor.dispatch(ActiveMQSessionExecutor.java:134)
> 	at org.apache.activemq.ActiveMQSessionExecutor.iterate(ActiveMQSessionExecutor.java:205)
> 	at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:122)
> 	at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:43)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> 	at java.lang.Thread.run(Thread.java:744)
> Caused by: AUTHENTICATION : AUTHENTICATION : java.lang.reflect.UndeclaredThrowableException
> 	at org.apache.oozie.client.ProxyOozieClient.getJobInfo(ProxyOozieClient.java:306)
> 	at org.apache.falcon.workflow.engine.OozieWorkflowEngine.getJobDetails(OozieWorkflowEngine.java:1317)
> 	... 9 more
> Caused by: AUTHENTICATION : java.lang.reflect.UndeclaredThrowableException
> 	at org.apache.oozie.client.ProxyOozieClient.getJobInfo(ProxyOozieClient.java:321)
> 	at org.apache.oozie.client.OozieClient.getJobInfo(OozieClient.java:780)
> 	at org.apache.oozie.client.ProxyOozieClient.access$1201(ProxyOozieClient.java:48)
> 	at org.apache.oozie.client.ProxyOozieClient$12.call(ProxyOozieClient.java:302)
> 	at org.apache.oozie.client.ProxyOozieClient$12.call(ProxyOozieClient.java:299)
> 	at org.apache.oozie.client.OozieClient.doAs(OozieClient.java:191)
> 	at org.apache.oozie.client.ProxyOozieClient.getJobInfo(ProxyOozieClient.java:299)
> 	... 10 more
> Caused by: java.lang.reflect.UndeclaredThrowableException
> 	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1609)
> 	at org.apache.oozie.client.ProxyOozieClient.createConnection(ProxyOozieClient.java:87)
> 	at org.apache.oozie.client.OozieClient$ClientCallable.call(OozieClient.java:478)
> 	at org.apache.oozie.client.OozieClient.getJobInfo(OozieClient.java:802)
> 	at org.apache.oozie.client.ProxyOozieClient.access$1301(ProxyOozieClient.java:48)
> 	at org.apache.oozie.client.ProxyOozieClient$13.call(ProxyOozieClient.java:317)
> 	at org.apache.oozie.client.ProxyOozieClient$13.call(ProxyOozieClient.java:314)
> 	at org.apache.oozie.client.OozieClient.doAs(OozieClient.java:191)
> 	at org.apache.oozie.client.ProxyOozieClient.getJobInfo(ProxyOozieClient.java:314)
> 	... 16 more
> Caused by: AUTHENTICATION : Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> 	at org.apache.oozie.client.AuthOozieClient.createTokenBasedAuthConnection(AuthOozieClient.java:156)
> 	at org.apache.oozie.client.AuthOozieClient.createConnection(AuthOozieClient.java:209)
> 	at org.apache.oozie.client.ProxyOozieClient.access$001(ProxyOozieClient.java:48)
> 	at org.apache.oozie.client.ProxyOozieClient$1.run(ProxyOozieClient.java:89)
> 	at org.apache.oozie.client.ProxyOozieClient$1.run(ProxyOozieClient.java:87)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:415)
> 	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1594)
> 	... 24 more
> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
> 	at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
> 	at org.apache.oozie.client.AuthOozieClient.createTokenBasedAuthConnection(AuthOozieClient.java:148)
> 	... 31 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> 	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
> 	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
> 	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
> 	at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:415)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
> 	... 34 more
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)