hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "zhouyingchao (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-11651) Handle kerberos authentication where there is no principal of HTTP/host@REALM
Date Sat, 28 Feb 2015 10:00:15 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-11651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

zhouyingchao updated HADOOP-11651:
----------------------------------
    Status: Patch Available  (was: Open)

> Handle kerberos authentication where there is no principal of HTTP/host@REALM
> -----------------------------------------------------------------------------
>
>                 Key: HADOOP-11651
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11651
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: zhouyingchao
>            Assignee: zhouyingchao
>         Attachments: HADOOP-11651-001.patch
>
>
> In a testing cluster, the HTTP service principal is just HTTP/hdtst@REALM rather than
HTTP/hostname@REALM. In this case, the following exception is thrown on active HDFS namenode
when bootstrap the standy HDFS namenode:
> 2015-02-28,16:08:44,106 WARN org.apache.hadoop.security.authentication.server.AuthenticationFilter:
Authentication exception: GSSException: No valid credentials provided (Mechanism level: Failed
to find any Kerberos Key)
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException:
No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:412)
>         at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:507)
>         at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
>         at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1224)
>         at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
>         at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
>         at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
>         at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
> ....
> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos Key)
>         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:95)
>         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
>         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
>         at sun.security.jgss.spnego.SpNegoMechFactory.getCredentialElement(SpNegoMechFactory.java:109)
>         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
>         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
>         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:57)
>         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:145)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:363)
> ...
> We think our configuration is a valid use case and we should fix the issue. The attached
patch has been tested and it works fine on our testing cluster.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message