hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "zhouyingchao (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-11651) Handle kerberos authentication where there is no principal of HTTP/host@REALM
Date Sat, 28 Feb 2015 09:58:05 GMT
zhouyingchao created HADOOP-11651:
-------------------------------------

             Summary: Handle kerberos authentication where there is no principal of HTTP/host@REALM
                 Key: HADOOP-11651
                 URL: https://issues.apache.org/jira/browse/HADOOP-11651
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.6.0
            Reporter: zhouyingchao
            Assignee: zhouyingchao


In a testing cluster, the HTTP service principal is just HTTP/hdtst@REALM rather than HTTP/hostname@REALM.
In this case, the following exception is thrown on active HDFS namenode when bootstrap the
standy HDFS namenode:

2015-02-28,16:08:44,106 WARN org.apache.hadoop.security.authentication.server.AuthenticationFilter:
Authentication exception: GSSException: No valid credentials provided (Mechanism level: Failed
to find any Kerberos Key)
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No
valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:412)
        at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:507)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
        at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1224)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
        at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
....
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any
Kerberos Key)
        at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:95)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
        at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
        at sun.security.jgss.spnego.SpNegoMechFactory.getCredentialElement(SpNegoMechFactory.java:109)
        at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
        at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
        at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:57)
        at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:145)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:363)
...

We think our configuration is a valid use case and we should fix the issue. The attached patch
has been tested and it works fine on our testing cluster.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message