hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-7853) multiple javax security configurations cause conflicts
Date Wed, 23 Nov 2011 17:31:41 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155977#comment-13155977
] 

Daryn Sharp commented on HADOOP-7853:
-------------------------------------

This was really "fun" to debug since it appears in specific cases.

The problem will cripple the JT's ability to accept incoming connections.  The JT will login
and acquire a kerberos ticket on startup.  When the ticket is about to expire, the JT will
logout & re-login to obtain a new ticket.  If the SPNEGO class has been loaded, the JT
will logout and appear to re-login successfully.  Unfortunately the UGI's Subject will only
contain unix credentials, but no kerberos ticket.  This is due to SPNEGO optionally requiring
kerberos and not including the crucial HadoopLoginModule.

SPNEGO is unexpectedly loaded even if webhdfs is disabled.  What happens is that the token
renewer service typically does not have to traverse into the webhdfs class to find a renewer.
 We detected the problem when Oozie submitted a job with a hive token with a job.  The service
loader walked all the renewer classes.  When webhdfs was loaded it triggered the loading of
SPNEGO which stomped the security configuration.  At this point the JT refuses incoming connections.
                
> multiple javax security configurations cause conflicts
> ------------------------------------------------------
>
>                 Key: HADOOP-7853
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7853
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.20.205.1
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>
> Both UGI and the SPNEGO KerberosAuthenticator set the global javax security configuration.
 SPNEGO stomps on UGI's security config which leads to kerberos/SASL authentication errors.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message