falcon-dev mailing list archives

From "Balu Vellanki (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FALCON-954) Secure Kerberos setup : Falcon should periodically revalidate auth token.
Date Mon, 13 Apr 2015 21:42:12 GMT

    [ https://issues.apache.org/jira/browse/FALCON-954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14493149#comment-14493149 ]

Balu Vellanki commented on FALCON-954:
--------------------------------------

[~sriksun] - There is an existing property falcon.http.authentication.token.validity that
I see in security.twiki and in src/conf/startup.properties. What is this property used for?
I do not see a reference to this property in the code. This property value is in seconds.
I have seen similar *.authentication.token.validity for Oozie and Hadoop with value in seconds.
Should I update the patch to expect falcon.service.authentication.token.validity in seconds?


Regarding the alert function, I agree with you and I will write a new alert as follows:
{code}
    @Monitored(event = "init-kerberos-failed")
    public static String initializeKerberosFailed(
            @Dimension(value = "message") String message,
            @Dimension(value = "exception") Throwable throwable) {
        return "IGNORE";
    }
{code}

Please let me know your thoughts. 

> Secure Kerberos setup : Falcon should periodically revalidate auth token.
> -------------------------------------------------------------------------
>
>                 Key: FALCON-954
>                 URL: https://issues.apache.org/jira/browse/FALCON-954
>             Project: Falcon
>          Issue Type: Bug
>    Affects Versions: 0.6
>            Reporter: Balu Vellanki
>            Assignee: Balu Vellanki
>            Priority: Critical
>             Fix For: 0.7
>
>         Attachments: FALCON-954.patch
>
>
> If the credentials are not validated regularly, entity actions like schedule, update and delete will fail with the following exception.
> {code}
> org.apache.falcon.FalconException: AUTHENTICATION : AUTHENTICATION : java.lang.reflect.UndeclaredThrowableException
> 	at org.apache.falcon.workflow.engine.OozieWorkflowEngine.getJobDetails(OozieWorkflowEngine.java:1328)
> 	at org.apache.falcon.service.FalconTopicSubscriber.onMessage(FalconTopicSubscriber.java:100)
> 	at org.apache.activemq.ActiveMQMessageConsumer.dispatch(ActiveMQMessageConsumer.java:1229)
> 	at org.apache.activemq.ActiveMQSessionExecutor.dispatch(ActiveMQSessionExecutor.java:134)
> 	at org.apache.activemq.ActiveMQSessionExecutor.iterate(ActiveMQSessionExecutor.java:205)
> 	at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:122)
> 	at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:43)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> 	at java.lang.Thread.run(Thread.java:744)
> Caused by: AUTHENTICATION : AUTHENTICATION : java.lang.reflect.UndeclaredThrowableException
> 	at org.apache.oozie.client.ProxyOozieClient.getJobInfo(ProxyOozieClient.java:306)
> 	at org.apache.falcon.workflow.engine.OozieWorkflowEngine.getJobDetails(OozieWorkflowEngine.java:1317)
> 	... 9 more
> Caused by: AUTHENTICATION : java.lang.reflect.UndeclaredThrowableException
> 	at org.apache.oozie.client.ProxyOozieClient.getJobInfo(ProxyOozieClient.java:321)
> 	at org.apache.oozie.client.OozieClient.getJobInfo(OozieClient.java:780)
> 	at org.apache.oozie.client.ProxyOozieClient.access$1201(ProxyOozieClient.java:48)
> 	at org.apache.oozie.client.ProxyOozieClient$12.call(ProxyOozieClient.java:302)
> 	at org.apache.oozie.client.ProxyOozieClient$12.call(ProxyOozieClient.java:299)
> 	at org.apache.oozie.client.OozieClient.doAs(OozieClient.java:191)
> 	at org.apache.oozie.client.ProxyOozieClient.getJobInfo(ProxyOozieClient.java:299)
> 	... 10 more
> Caused by: java.lang.reflect.UndeclaredThrowableException
> 	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1609)
> 	at org.apache.oozie.client.ProxyOozieClient.createConnection(ProxyOozieClient.java:87)
> 	at org.apache.oozie.client.OozieClient$ClientCallable.call(OozieClient.java:478)
> 	at org.apache.oozie.client.OozieClient.getJobInfo(OozieClient.java:802)
> 	at org.apache.oozie.client.ProxyOozieClient.access$1301(ProxyOozieClient.java:48)
> 	at org.apache.oozie.client.ProxyOozieClient$13.call(ProxyOozieClient.java:317)
> 	at org.apache.oozie.client.ProxyOozieClient$13.call(ProxyOozieClient.java:314)
> 	at org.apache.oozie.client.OozieClient.doAs(OozieClient.java:191)
> 	at org.apache.oozie.client.ProxyOozieClient.getJobInfo(ProxyOozieClient.java:314)
> 	... 16 more
> Caused by: AUTHENTICATION : Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> 	at org.apache.oozie.client.AuthOozieClient.createTokenBasedAuthConnection(AuthOozieClient.java:156)
> 	at org.apache.oozie.client.AuthOozieClient.createConnection(AuthOozieClient.java:209)
> 	at org.apache.oozie.client.ProxyOozieClient.access$001(ProxyOozieClient.java:48)
> 	at org.apache.oozie.client.ProxyOozieClient$1.run(ProxyOozieClient.java:89)
> 	at org.apache.oozie.client.ProxyOozieClient$1.run(ProxyOozieClient.java:87)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:415)
> 	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1594)
> 	... 24 more
> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
> 	at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
> 	at org.apache.oozie.client.AuthOozieClient.createTokenBasedAuthConnection(AuthOozieClient.java:148)
> 	... 31 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> 	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
> 	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
> 	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
> 	at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:415)
> 	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
> 	... 34 more
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
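
For reference alongside the message above, an added example (not taken from FALCON-954.patch or the Falcon code base) of periodic Kerberos revalidation with the validity interval given in seconds, using Hadoop's `UserGroupInformation` keytab re-login on a timer. The class name, the default interval and the `parseValiditySecs` helper are hypothetical, and the code assumes the Hadoop `Configuration` already has Kerberos authentication enabled.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.security.UserGroupInformation;

/** Added example, not Falcon code: periodic keytab re-login for a long-running service. */
public final class KerberosRevalidator {
    // Hypothetical default; the thread only establishes that the unit is seconds.
    static final long DEFAULT_VALIDITY_SECS = 3600L;

    private final ScheduledExecutorService timer =
        Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "kerberos-revalidator");
            t.setDaemon(true); // never keep the JVM alive just for the timer
            return t;
        });

    /** Parse a validity in seconds; reject non-positive values instead of busy-looping. */
    static long parseValiditySecs(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return DEFAULT_VALIDITY_SECS;
        }
        long secs = Long.parseLong(raw.trim());
        if (secs <= 0) {
            throw new IllegalArgumentException("validity must be > 0 seconds: " + raw);
        }
        return secs;
    }

    public void start(String principal, String keytab, long validitySecs) throws IOException {
        // Initial login: fail fast at startup if the keytab or principal is wrong.
        UserGroupInformation.loginUserFromKeytab(principal, keytab);
        timer.scheduleWithFixedDelay(this::revalidate, validitySecs, validitySecs, TimeUnit.SECONDS);
    }

    void revalidate() {
        try {
            // Returns without work while the TGT is fresh; otherwise logs in again from the keytab.
            UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
        } catch (Throwable t) {
            // Catch everything: an exception escaping a scheduled task cancels all later runs.
            // A real service would raise its monitoring alert here instead of printing.
            System.err.println("init-kerberos-failed: " + t);
        }
    }

    public void stop() {
        timer.shutdownNow();
    }
}
```

The interval passed to `start` needs to be shorter than the ticket lifetime configured on the KDC, otherwise the TGT can still expire between checks and produce the `Failed to find any Kerberos tgt` error shown in the trace.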
