hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "surendra singh lilhore (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11888) bootstrapStandby command broken in JDK1.8 with kerberos
Date Thu, 30 Apr 2015 05:44:08 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14520903#comment-14520903
] 

surendra singh lilhore commented on HADOOP-11888:
-------------------------------------------------

This issue we got in java 1.8 but same is working in java 1.7.

This log is from kerberos server 

{code}
Apr 27 12:43:31 host-10-19-92-127 krb5kdc[9733](info): TGS_REQ (3 etypes {16 23 18}) 1.2.3.4:
UNKNOWN_SERVER: authtime 0,  dsperf/huawei@HADOOP.COM for HTTP/1.2.3.4@HADOOP.COM, Server
not found in Kerberos database
Apr 27 12:43:31 host-10-19-92-127 krb5kdc[9733](info): TGS_REQ (3 etypes {16 23 18}) 1.2.3.4:
UNKNOWN_SERVER: authtime 0,  dsperf/huawei@HADOOP.COM for HTTP/1.2.3.4@HADOOP.COM, Server
not found in Kerberos database
{code}

This problem is coming when standby namenode try to download fsimage from active namenode
in bootstrapStandby command. SN will send HTTP request to AN and AN try to authenticate request.

AN will create SN spnego principal through this logic.

{code}
  gssManager.createName(
                      KerberosUtil.getServicePrincipal("HTTP", serverName),
                      KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")),
{code}

But it’s not able to get hostname of SN, here *serverName* is IP of SN machine. Principal
should be like this *HTTP/hostname@HADOOP.COM*

It is blocked issue, updating the Severity.

Attached the patch, please review.


> bootstrapStandby command broken in JDK1.8 with kerberos
> -------------------------------------------------------
>
>                 Key: HADOOP-11888
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11888
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>         Environment: Suse 11 Sp3 
> java = 1.8.0_40
>            Reporter: Bibin A Chundatt
>            Assignee: surendra singh lilhore
>         Attachments: HADOOP-11888.patch
>
>
> bootstrapStandby is failing incase of JDK1.8 with kerberos
> ./hdfs namenode -bootstrapStandby
> {code}
> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException:
org.apache.hadoop.security.authentication.client.AuthenticationException: Invalid SPNEGO sequence,
status code: 403
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:335)
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:206)
>         at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:215)
>         at org.apache.hadoop.hdfs.web.URLConnectionFactory.openConnection(URLConnectionFactory.java:162)
>         at org.apache.hadoop.hdfs.server.namenode.TransferFsImage.doGetUrl(TransferFsImage.java:403)
>         ... 16 more
> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException:
Invalid SPNEGO sequence, status code: 403
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.readToken(KerberosAuthenticator.java:370)
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.access$300(KerberosAuthenticator.java:55)
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:320)
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:288)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:415)
>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:288)
>         ... 20 more
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message