hadoop-common-issues mailing list archives

From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13255) KMSClientProvider should check and renew tgt when doing delegation token operations.
Date Thu, 16 Jun 2016 23:50:05 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiao Chen updated HADOOP-13255:
-------------------------------
    Attachment: HADOOP-13255.branch-2.patch

Thanks [~xyao].
I tried with the directory-based minikdc; even if I set the {{MIN_TICKET_LIFETIME}}, it ends
up with this error if max lifetime is less than 6 mins, which I think is what Zhe met in HADOOP-12559.
{noformat}
java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Requested start time is later
than end time (11) - Requested start time is later than end time)

	at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createConnection(KMSClientProvider.java:554)
	at org.apache.hadoop.crypto.key.kms.KMSClientProvider.getKeys(KMSClientProvider.java:659)
	at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$7.call(LoadBalancingKMSClientProvider.java:235)
	at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$7.call(LoadBalancingKMSClientProvider.java:232)
	at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:94)
	at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.getKeys(LoadBalancingKMSClientProvider.java:232)
	at org.apache.hadoop.crypto.key.kms.server.TestKMS$17$1.run(TestKMS.java:2097)
	at org.apache.hadoop.crypto.key.kms.server.TestKMS$17$1.run(TestKMS.java:2091)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:415)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1744)
	at org.apache.hadoop.crypto.key.kms.server.TestKMS$17.call(TestKMS.java:2091)
	at org.apache.hadoop.crypto.key.kms.server.TestKMS$17.call(TestKMS.java:2081)
	at org.apache.hadoop.crypto.key.kms.server.TestKMS.runServer(TestKMS.java:141)
	at org.apache.hadoop.crypto.key.kms.server.TestKMS.runServer(TestKMS.java:123)
	at org.apache.hadoop.crypto.key.kms.server.TestKMS.testTGTRenewal(TestKMS.java:2081)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
	at org.junit.internal.runners.statements.FailOnTimeout$StatementThread.run(FailOnTimeout.java:74)
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException:
No valid credentials provided (Mechanism level: Requested start time is later than end time
(11) - Requested start time is later than end time)
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:333)
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:203)
	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:149)
	at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216)
	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.openConnection(DelegationTokenAuthenticatedURL.java:322)
	at org.apache.hadoop.crypto.key.kms.KMSClientProvider$1.run(KMSClientProvider.java:545)
	at org.apache.hadoop.crypto.key.kms.KMSClientProvider$1.run(KMSClientProvider.java:540)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:415)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1744)
	at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createConnection(KMSClientProvider.java:540)
	... 26 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Requested start time
is later than end time (11) - Requested start time is later than end time)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:710)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:309)
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:415)
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:285)
	... 36 more
Caused by: KrbException: Requested start time is later than end time (11) - Requested start
time is later than end time
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192)
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:309)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:115)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:454)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:641)
	... 43 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:66)
	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:61)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
	... 49 more
{noformat}

So I think we need to go without the test in branch-2. Attached a patch based on latest branch-2.

> KMSClientProvider should check and renew tgt when doing delegation token operations.
> ------------------------------------------------------------------------------------
>
>                 Key: HADOOP-13255
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13255
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13255.01.patch, HADOOP-13255.02.patch, HADOOP-13255.03.patch, HADOOP-13255.04.patch, HADOOP-13255.05.patch, HADOOP-13255.branch-2.patch, HADOOP-13255.test.patch
>
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

