hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiaoyu Yao (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13890) Maintain HTTP/host as SPNEGO SPN support and fix KerberosName parsing
Date Wed, 14 Dec 2016 21:39:58 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13890?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Xiaoyu Yao updated HADOOP-13890:
--------------------------------
    Description: 
HADOOP-13566 introduced an incompatible check that disallowed principal like HTTP/host from
being used as SPNEGO SPN. 
This breaks the following test in trunk: TestWebDelegationToken, TestKMS , TestTrashWithSecureEncryptionZones
and TestSecureEncryptionZoneWithKMS because they used HTTP/localhost as SPNEGO SPN assuming
the default realm. This ticket is opened to bring back the support of HTTP/host as valid SPNEGO
SPN. 

KerberosName parsing bug was discovered, fixed and included as a necessary part of this ticket
along with additional unit test to cover parsing different form of principals. 

 *Jenkins URL* 
https://builds.apache.org/job/hadoop-qbt-trunk-java8-linux-x86/251/testReport/
https://builds.apache.org/job/PreCommit-HADOOP-Build/11240/testReport/

  was:
TestWebDelegationToken, TestKMS , TestTrashWithSecureEncryptionZones and TestSecureEncryptionZoneWithKMS
started failing in trunk because the SPENGO principle used in these test are incomplete: HTTP/localhost
assuming the default realm will be applied at authentication time. This ticket is opened to
fix these unit test with complete HTTP principal.

{noformat}
org.apache.hadoop.security.authentication.client.AuthenticationException: org.apache.hadoop.security.authentication.client.AuthenticationException:
Invalid SPNEGO sequence, status code: 403
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.readToken(KerberosAuthenticator.java:371)
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.access$300(KerberosAuthenticator.java:53)
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:317)
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:287)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:287)
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:205)
	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:132)
	at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216)
	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.doDelegationTokenOperation(DelegationTokenAuthenticator.java:298)
	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.getDelegationToken(DelegationTokenAuthenticator.java:170)
	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.getDelegationToken(DelegationTokenAuthenticatedURL.java:373)
	at org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken$5.call(TestWebDelegationToken.java:782)
	at org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken$5.call(TestWebDelegationToken.java:779)
	at org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken$4.run(TestWebDelegationToken.java:715)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken.doAsKerberosUser(TestWebDelegationToken.java:712)
	at org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken.testKerberosDelegationTokenAuthenticator(TestWebDelegationToken.java:778)
	at org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken.testKerberosDelegationTokenAuthenticator(TestWebDelegationToken.java:729)
 {noformat}

 *Jenkins URL* 
https://builds.apache.org/job/hadoop-qbt-trunk-java8-linux-x86/251/testReport/
https://builds.apache.org/job/PreCommit-HADOOP-Build/11240/testReport/


> Maintain HTTP/host as SPNEGO SPN support and fix KerberosName parsing 
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-13890
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13890
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: test
>            Reporter: Brahma Reddy Battula
>            Assignee: Xiaoyu Yao
>         Attachments: HADOOP-13890.00.patch, HADOOP-13890.01.patch, HADOOP-13890.02.patch,
HADOOP-13890.03.patch, HADOOP-13890.04.patch, HADOOP-13890.05.patch, test-failure.txt, test_failure_1.txt
>
>
> HADOOP-13566 introduced an incompatible check that disallowed principal like HTTP/host
from being used as SPNEGO SPN. 
> This breaks the following test in trunk: TestWebDelegationToken, TestKMS , TestTrashWithSecureEncryptionZones
and TestSecureEncryptionZoneWithKMS because they used HTTP/localhost as SPNEGO SPN assuming
the default realm. This ticket is opened to bring back the support of HTTP/host as valid SPNEGO
SPN. 
> KerberosName parsing bug was discovered, fixed and included as a necessary part of this
ticket along with additional unit test to cover parsing different form of principals. 
>  *Jenkins URL* 
> https://builds.apache.org/job/hadoop-qbt-trunk-java8-linux-x86/251/testReport/
> https://builds.apache.org/job/PreCommit-HADOOP-Build/11240/testReport/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message