You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Arpit Gupta (JIRA)" <ji...@apache.org> on 2013/02/23 01:08:14 UTC

[jira] [Commented] (HBASE-7913) Secure Rest server should login before getting an instance of rest servlet

    [ https://issues.apache.org/jira/browse/HBASE-7913?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13584855#comment-13584855 ] 

Arpit Gupta commented on HBASE-7913:
------------------------------------

Moving the code

{code}
if (User.isSecurityEnabled() && User.isHBaseSecurityEnabled(conf)) {
      String machineName = Strings.domainNamePointerToHostName(
        DNS.getDefaultHost(conf.get("hbase.rest.dns.interface", "default"),
          conf.get("hbase.rest.dns.nameserver", "default")));
      User.login(conf, "hbase.rest.keytab.file", "hbase.rest.kerberos.principal",
        machineName);
    }
{code}

to before the 

{code}
RESTServlet servlet = RESTServlet.getInstance(conf);
{code}

solves the issue
                
> Secure Rest server should login before getting an instance of rest servlet
> --------------------------------------------------------------------------
>
>                 Key: HBASE-7913
>                 URL: https://issues.apache.org/jira/browse/HBASE-7913
>             Project: HBase
>          Issue Type: Bug
>          Components: REST
>    Affects Versions: 0.96.0, 0.94.5
>            Reporter: Arpit Gupta
>             Fix For: 0.94.6
>
>
> Fails with exception
> {code}
> avax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
>         at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:139)
>         at org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection.setupSaslConnection(SecureClient.java:194)
>         at org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection.access$500(SecureClient.java:92)
>         at org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection$2.run(SecureClient.java:302)
>         at org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection$2.run(SecureClient.java:299)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:396)
>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1178)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.hadoop.hbase.util.Methods.call(Methods.java:37)
>         at org.apache.hadoop.hbase.security.User.call(User.java:590)
>         at org.apache.hadoop.hbase.security.User.access$700(User.java:51)
>         at org.apache.hadoop.hbase.security.User$SecureHadoopUser.runAs(User.java:444)
>         at org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection.setupIOstreams(SecureClient.java:298)
>         at org.apache.hadoop.hbase.ipc.HBaseClient.getConnection(HBaseClient.java:1124)
>         at org.apache.hadoop.hbase.ipc.HBaseClient.call(HBaseClient.java:974)
>         at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Invoker.invoke(SecureRpcEngine.java:104)
>         at $Proxy5.getProtocolVersion(Unknown Source)
>         at org.apache.hadoop.hbase.ipc.SecureRpcEngine.getProxy(SecureRpcEngine.java:146)
>         at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.getMaster(HConnectionManager.java:711)
>         at org.apache.hadoop.hbase.client.HBaseAdmin.<init>(HBaseAdmin.java:116)
>         at org.apache.hadoop.hbase.rest.RESTServlet.<init>(RESTServlet.java:74)
>         at org.apache.hadoop.hbase.rest.RESTServlet.getInstance(RESTServlet.java:57)
>         at org.apache.hadoop.hbase.rest.Main.main(Main.java:81)
> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
>         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
>         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
>         at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
>         at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
>         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
>         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
>         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
> {code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira