hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-7853) multiple javax security configurations cause conflicts
Date Wed, 23 Nov 2011 20:55:40 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156270#comment-13156270

Daryn Sharp commented on HADOOP-7853:

bq. BTW, Nice hunting job.

Thanks!  You don't want to know how long this took to track this down.  The problem manifested
on only one grid, and it took 20-24 hours for the problem to show up.  It was only this week
that we made the association with hive and could reproduce the problem.

bq. What I'm failing to understand is why a submission to Oozie made JT to fail?

Sorry for the confusion.  Technically it had nothing to do with oozie; the oozie job happened
to contain a hive token.  The hive token triggered the bug, but is not responsible for the

Normally the token renewer service loader won't go past the hdfs, hftp, or mr renewers.  The
hive token caused it to load all of the renewer classes.  The renewer classes are nested classes
within the class that creates the token.  The webhdfs class stomped on the config when activated
by the service loader.

bq. Also, in the UGI, the Hadoop kerberos configuration has renewTGT set to true, why does
UGI then need to have a thread for renewal (in spawnAutoRenewalThreadForUserCreds method)?
Why even has to use kinit? What am I missing here?

I wondered about that too, but it was out of scope for this show stopping bug.  Our env is
using keytabs so it would have only been a distraction.  It might deserve another jira.
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>                 Key: HADOOP-7853
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7853
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions:, 0.23.0, 0.24.0, 0.23.1
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-7853-1.patch, HADOOP-7853.patch
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration.
 SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message