hadoop-common-issues mailing list archives

From "Kan Zhang (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-6632) Support for using different Kerberos keys for different instances of Hadoop services
Date Sun, 14 Mar 2010 04:33:27 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-6632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12845021#action_12845021 ]

Kan Zhang commented on HADOOP-6632:
-----------------------------------

One error message we observed.

2010-03-03 07:33:50,542 INFO org.apache.hadoop.ipc.Server: IPC Server listener on 8020: readAndProcess threw exception javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))]. Count of bytes read: 0
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
        at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:913)
        at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1071)
        at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:459)
        at org.apache.hadoop.ipc.Server$Listener.run(Server.java:368)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
        ... 4 more
Caused by: KrbException: Request is a replay (34)
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:299)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
        ... 7 more

> Support for using different Kerberos keys for different instances of Hadoop services
> ------------------------------------------------------------------------------------
>
>                 Key: HADOOP-6632
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6632
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>
> We tested using the same Kerberos key for all datanodes in an HDFS cluster or the same
> Kerberos key for all TaskTrackers in a MapRed cluster. But it doesn't work. The reason is
> that when datanodes try to authenticate to the namenode all at once, the Kerberos authenticators
> they send to the namenode may have the same timestamp and will be rejected as replay requests.
> This JIRA makes it possible to use a unique key for each service instance.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
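
Added example, not part of the original message and not Hadoop or JDK code: a small Python model of an acceptor-side replay cache keyed on (client principal, timestamp). It shows why a key shared by all datanodes fails when their authenticators carry the same timestamp, while a per-instance key does not. The class and function names, host names, realm, principal layout and 5-minute window are assumptions made for illustration.

```python
from dataclasses import dataclass

SKEW_US = 300 * 1_000_000  # assumed 5-minute acceptance window, in microseconds


@dataclass(frozen=True)
class Authenticator:
    client: str    # client principal the authenticator was issued for
    ctime_us: int  # client timestamp, microseconds since the epoch


class ReplayCache:
    """Model of the acceptor's cache: one entry per (client, timestamp)."""

    def __init__(self):
        self.seen = {}  # (client, ctime_us) -> arrival time

    def check(self, auth, now_us):
        # Forget entries that are older than the skew window.
        self.seen = {k: t for k, t in self.seen.items() if now_us - t <= SKEW_US}
        if abs(now_us - auth.ctime_us) > SKEW_US:
            return "Clock skew too great (37)"
        key = (auth.client, auth.ctime_us)
        if key in self.seen:
            return "Request is a replay (34)"
        self.seen[key] = now_us
        return "ok"


def simultaneous_logins(principal_for, hosts, ctime_us):
    """Every host authenticates to one server with the same timestamp."""
    cache = ReplayCache()
    return [cache.check(Authenticator(principal_for(h), ctime_us), ctime_us)
            for h in hosts]


# Constructed sample data: host names, realm and principal layout are made up.
HOSTS = ["dn1.example.com", "dn2.example.com", "dn3.example.com"]
T0 = 1_267_601_630_542_000  # constructed timestamp

def shared_principal(host):
    return "datanode@EXAMPLE.COM"

def per_instance_principal(host):
    return f"datanode/{host}@EXAMPLE.COM"

if __name__ == "__main__":
    print("shared key:      ", simultaneous_logins(shared_principal, HOSTS, T0))
    print("per-instance key:", simultaneous_logins(per_instance_principal, HOSTS, T0))
```

With per-instance principals a genuinely repeated authenticator from one host is still rejected, so replay protection is kept.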

