Posted to common-issues@hadoop.apache.org by "Alejandro Abdelnur (JIRA)" <ji...@apache.org> on 2012/05/03 05:29:54 UTC

[jira] [Updated] (HADOOP-8346) Changes to support Kerberos with non Sun JVM (HADOOP-6941) broke SPNEGO

     [ https://issues.apache.org/jira/browse/HADOOP-8346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-8346:
---------------------------------------

    Attachment: debugger.png

@Devaraj,

trunk, *KerberosAuthenticator* class, line 200. The *servicePrincipal* var is 'HTTP/localhost' and if you inspect the created GSSName object you'll find that internally it becomes 'HTTP/localhost/<CURRENTHOSTNAME>'. Attached you'll see a debug session of it.

To run the Kerberos testcases in hadoop-auth I do the following:

Create a test.properties file in hadoop-auth/ with the following contents:


{code}
httpfs.authentication.type=kerberos
httpfs.authentication.kerberos.principal=HTTP/localhost@LOCALHOST
httpfs.authentication.kerberos.keytab=/Users/tucu/httpfs.keytab
{code}

This assumes your realm is LOCALHOST, your SPNEGO principal for httpfs is HTTP/localhost and the keytab has that principal in it. Also, you have to kinit with a user. Then run:

{code}
mvn test -PtestKerberos -Dtest=TestKerberosAuthenticator
{code}
                
> Changes to support Kerberos with non Sun JVM (HADOOP-6941) broke SPNEGO
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-8346
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8346
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.0.0, 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Devaraj Das
>            Priority: Blocker
>             Fix For: 2.0.0
>
>         Attachments: debugger.png
>
>
> Before HADOOP-6941, hadoop-auth testcases with Kerberos ON pass, *mvn test -PtestKerberos*
> After HADOOP-6941 the tests fail with the error below.
> Doing some IDE debugging I've found out that the changes in HADOOP-6941 are making the JVM Kerberos libraries append an extra element to the Kerberos principal of the server (on the client side when creating the token) so *HTTP/localhost* ends up being *HTTP/localhost/localhost*. Then, when contacting the KDC to get the granting ticket, the server principal is unknown.
> {code}
> testAuthenticationPost(org.apache.hadoop.security.authentication.client.TestKerberosAuthenticator)  Time elapsed: 0.053 sec  <<< ERROR!
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:236)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:142)
> 	at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217)
> 	at org.apache.hadoop.security.authentication.client.AuthenticatorTestCase._testAuthentication(AuthenticatorTestCase.java:124)
> 	at org.apache.hadoop.security.authentication.client.TestKerberosAuthenticator$2.call(TestKerberosAuthenticator.java:77)
> 	at org.apache.hadoop.security.authentication.client.TestKerberosAuthenticator$2.call(TestKerberosAuthenticator.java:74)
> 	at org.apache.hadoop.security.authentication.KerberosTestUtils$1.run(KerberosTestUtils.java:111)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:396)
> 	at org.apache.hadoop.security.authentication.KerberosTestUtils.doAs(KerberosTestUtils.java:108)
> 	at org.apache.hadoop.security.authentication.KerberosTestUtils.doAsClient(KerberosTestUtils.java:124)
> 	at org.apache.hadoop.security.authentication.client.TestKerberosAuthenticator.testAuthenticationPost(TestKerberosAuthenticator.java:74)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 	at java.lang.reflect.Method.invoke(Method.java:597)
> 	at junit.framework.TestCase.runTest(TestCase.java:168)
> 	at junit.framework.TestCase.runBare(TestCase.java:134)
> 	at junit.framework.TestResult$1.protect(TestResult.java:110)
> 	at junit.framework.TestResult.runProtected(TestResult.java:128)
> 	at junit.framework.TestResult.run(TestResult.java:113)
> 	at junit.framework.TestCase.run(TestCase.java:124)
> 	at junit.framework.TestSuite.runTest(TestSuite.java:243)
> 	at junit.framework.TestSuite.run(TestSuite.java:238)
> 	at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:83)
> 	at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:236)
> 	at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:134)
> 	at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:113)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 	at java.lang.reflect.Method.invoke(Method.java:597)
> 	at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189)
> 	at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165)
> 	at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85)
> 	at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:103)
> 	at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:74)
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
> 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:215)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:191)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:396)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:191)
> 	... 36 more
> Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
> 	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
> 	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
> 	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
> 	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
> 	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:575)
> 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
> 	... 43 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> 	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
> 	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
> 	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
> 	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
> {code}
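
A diagnostic for the principal mismatch described in the comment above, added here as an example and not taken from Hadoop or from the ticket: it asks JGSS which Kerberos principal a name resolves to by parsing the exported name token (RFC 2743, section 3.2), which carries the mechanism's internal name rather than the string passed in. The class name, the two name types compared and the realm/KDC system properties are assumptions; the ticket does not say which name type HADOOP-6941 passed to createName.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Hypothetical helper class, not part of hadoop-auth.
public class SpnegoNameCheck {
    // Kerberos V5 mechanism OID and its principal-name type OID (RFC 1964).
    static final String KRB5_MECH = "1.2.840.113554.1.2.2";
    static final String KRB5_PRINCIPAL_NT = "1.2.840.113554.1.2.2.1";

    /** Extracts the name from an RFC 2743 section 3.2 exported-name token. */
    static String nameFromExport(byte[] token) {
        ByteBuffer buf = ByteBuffer.wrap(token);       // big-endian by default
        if (buf.get() != 0x04 || buf.get() != 0x01) {  // TOK_ID
            throw new IllegalArgumentException("not an exported name token");
        }
        int oidLen = buf.getShort() & 0xFFFF;          // MECH_OID_LEN
        buf.position(buf.position() + oidLen);         // skip DER-encoded mech OID
        byte[] name = new byte[buf.getInt()];          // NAME_LEN
        buf.get(name);
        return new String(name, StandardCharsets.UTF_8);
    }

    /** Returns the principal the krb5 mechanism holds for this name and name type. */
    static String resolvedPrincipal(String name, Oid nameType) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName canonical = mgr.createName(name, nameType).canonicalize(new Oid(KRB5_MECH));
        return nameFromExport(canonical.export());
    }

    public static void main(String[] args) throws GSSException {
        // Constructed settings so the default realm resolves without a krb5.conf;
        // creating and exporting a name does not contact the KDC.
        System.setProperty("java.security.krb5.realm", "LOCALHOST");
        System.setProperty("java.security.krb5.kdc", "localhost");
        String spn = "HTTP/localhost";                 // principal from test.properties
        Oid[] types = { new Oid(KRB5_PRINCIPAL_NT), GSSName.NT_HOSTBASED_SERVICE };
        for (Oid type : types) {
            String got = resolvedPrincipal(spn, type);
            // Flag any result that is not the configured principal plus a realm.
            String flag = got.startsWith(spn + "@") ? "" : "   <-- differs from keytab principal";
            System.out.printf("%-26s -> %s%s%n", type, got, flag);
        }
    }
}
```

A host-based service name with no `@host` part defaults to the local host, which is one way `HTTP/localhost` can gain a third component before the ticket request reaches the KDC.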
