Return-Path: <common-issues-return-131482-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 72C29200C61
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Tue, 25 Apr 2017 13:32:15 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 71211160BB3; Tue, 25 Apr 2017 11:32:15 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 9162B160B9E
	for <archive-asf-public@cust-asf.ponee.io>; Tue, 25 Apr 2017 13:32:14 +0200 (CEST)
Received: (qmail 25883 invoked by uid 500); 25 Apr 2017 11:32:09 -0000
Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:common-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:common-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:common-issues@hadoop.apache.org>
List-Id: <common-issues.hadoop.apache.org>
Delivered-To: mailing list common-issues@hadoop.apache.org
Received: (qmail 25872 invoked by uid 99); 25 Apr 2017 11:32:09 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 25 Apr 2017 11:32:09 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 99F25D0E49
	for <common-issues@hadoop.apache.org>; Tue, 25 Apr 2017 11:32:08 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -100.002
X-Spam-Level: 
X-Spam-Status: No, score=-100.002 tagged_above=-999 required=6.31
	tests=[RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001,
	USER_IN_WHITELIST=-100] autolearn=disabled
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024)
	with ESMTP id wqdgh1ubkOFT for <common-issues@hadoop.apache.org>;
	Tue, 25 Apr 2017 11:32:06 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id B3BD260CEB
	for <common-issues@hadoop.apache.org>; Tue, 25 Apr 2017 11:32:05 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id D5FF6E0C0F
	for <common-issues@hadoop.apache.org>; Tue, 25 Apr 2017 11:32:04 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 5CA4321B5C
	for <common-issues@hadoop.apache.org>; Tue, 25 Apr 2017 11:32:04 +0000 (UTC)
Date: Tue, 25 Apr 2017 11:32:04 +0000 (UTC)
From: "Steve Loughran (JIRA)" <jira@apache.org>
To: common-issues@hadoop.apache.org
Message-ID: <JIRA.13066566.1493090758000.43444.1493119924377@Atlassian.JIRA>
In-Reply-To: <JIRA.13066566.1493090758000@Atlassian.JIRA>
References: <JIRA.13066566.1493090758000@Atlassian.JIRA> <JIRA.13066566.1493090758812@jira-lw-us.apache.org>
Subject: [jira] [Updated] (HADOOP-14350) Relative path for Kerberos keytab
 is not working on IBM JDK
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Tue, 25 Apr 2017 11:32:15 -0000


     [ https://issues.apache.org/jira/browse/HADOOP-14350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Loughran updated HADOOP-14350:
------------------------------------
    Priority: Major  (was: Blocker)

> Relative path for Kerberos keytab is not working on IBM JDK
> -----------------------------------------------------------
>
>                 Key: HADOOP-14350
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14350
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common, security
>    Affects Versions: 2.7.3
>            Reporter: Wen Yuan Chen
>
> For the sample code below:
> public class TestKrb {
>   public static void main(String[] args) throws IOException {
>     String user = args[0], path = args[1];
>     UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, path);
>     System.out.println("Login successfully");
>   }
> }
> When I use IBM JDK and pass a relative path for the Kerberos keytab, it will throw error messages.  According to the debug log, it always tries to read the keytab from the root path.  See the debug logs below:
> 2017-04-19 02:29:13,982 DEBUG [org.apache.hadoop.metrics2.lib.MutableMetricsFactory] - field org.apache.hadoop.metrics2.lib.MutableRate org.apache.hadoop.security.UserGroupInformation$UgiMetrics.loginSuccess with annotation @org.apache.hadoop.metrics2.annotation.Metric(about=, sampleName=Ops, always=false, type=DEFAULT, value=[Rate of successful kerberos logins and latency (milliseconds)], valueName=Time)
> 2017-04-19 02:29:13,990 DEBUG [org.apache.hadoop.metrics2.lib.MutableMetricsFactory] - field org.apache.hadoop.metrics2.lib.MutableRate org.apache.hadoop.security.UserGroupInformation$UgiMetrics.loginFailure with annotation @org.apache.hadoop.metrics2.annotation.Metric(about=, sampleName=Ops, always=false, type=DEFAULT, value=[Rate of failed kerberos logins and latency (milliseconds)], valueName=Time)
> 2017-04-19 02:29:13,991 DEBUG [org.apache.hadoop.metrics2.lib.MutableMetricsFactory] - field org.apache.hadoop.metrics2.lib.MutableRate org.apache.hadoop.security.UserGroupInformation$UgiMetrics.getGroups with annotation @org.apache.hadoop.metrics2.annotation.Metric(about=, sampleName=Ops, always=false, type=DEFAULT, value=[GetGroups], valueName=Time)
> 2017-04-19 02:29:13,992 DEBUG [org.apache.hadoop.metrics2.impl.MetricsSystemImpl] - UgiMetrics, User and group related metrics
> [KRB_DBG_CFG] Config:main:   Java config file: /opt/ibm/java/jre/lib/security/krb5.conf
> [KRB_DBG_CFG] Config:main:   Loaded from Java config
> 2017-04-19 02:29:14,175 DEBUG [org.apache.hadoop.security.Groups] -  Creating new Groups object
> 2017-04-19 02:29:14,178 DEBUG [org.apache.hadoop.util.NativeCodeLoader] - Trying to load the custom-built native-hadoop library...
> 2017-04-19 02:29:14,179 DEBUG [org.apache.hadoop.util.NativeCodeLoader] - Failed to load native-hadoop with error: java.lang.UnsatisfiedLinkError: hadoop (Not found in java.library.path)
> 2017-04-19 02:29:14,179 DEBUG [org.apache.hadoop.util.NativeCodeLoader] - java.library.path=/opt/ibm/java/jre/lib/amd64/compressedrefs:/opt/ibm/java/jre/lib/amd64:/usr/lib64:/usr/lib
> 2017-04-19 02:29:14,179 WARN [org.apache.hadoop.util.NativeCodeLoader] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
> 2017-04-19 02:29:14,180 DEBUG [org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback] - Falling back to shell based
> 2017-04-19 02:29:14,180 DEBUG [org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback] - Group mapping impl=org.apache.hadoop.security.ShellBasedUnixGroupsMapping
> 2017-04-19 02:29:14,334 DEBUG [org.apache.hadoop.util.Shell] - setsid exited with exit code 0
> 2017-04-19 02:29:14,334 DEBUG [org.apache.hadoop.security.Groups] - Group mapping impl=org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback; cacheTimeout=300000; warningDeltaMs=5000
> IBMJGSSProvider Build-Level: -20161128
> [JGSS_DBG_CRED]  main JAAS config: principal=job/analytics
> [JGSS_DBG_CRED]  main JAAS config: credsType=initiate and accept
> [JGSS_DBG_CRED]  main config: useDefaultCcache=false
> [JGSS_DBG_CRED]  main config: useCcache=null
> [JGSS_DBG_CRED]  main config: useDefaultKeytab=false
> [JGSS_DBG_CRED]  main config: useKeytab=//job.keytab
> [JGSS_DBG_CRED]  main JAAS config: forwardable=false (default)
> [JGSS_DBG_CRED]  main JAAS config: renewable=false (default)
> [JGSS_DBG_CRED]  main JAAS config: proxiable=false (default)
> [JGSS_DBG_CRED]  main JAAS config: tryFirstPass=false (default)
> [JGSS_DBG_CRED]  main JAAS config: useFirstPass=false (default)
> [JGSS_DBG_CRED]  main JAAS config: moduleBanner=false (default)
> [JGSS_DBG_CRED]  main JAAS config: interactive login? no
> [JGSS_DBG_CRED]  main JAAS config: refreshKrb5Config = true
> [KRB_DBG_CFG] Config:main:   Java config file: /opt/ibm/java/jre/lib/security/krb5.conf
> [KRB_DBG_CFG] Config:main:   Loaded from Java config
> [KRB_DBG_KDC] KdcComm:main:   >>> KdcAccessibility: reset
> [KRB_DBG_KDC] KdcComm:main:   >>> KdcAccessibility: reset
> [JGSS_DBG_CRED]  main Try keytab for principal=job/analytics
> [KRB_DBG_KTAB] KeyTab:main:   >>> KeyTab: trying to load keytab file /job.keytab
> [KRB_DBG_KTAB] KeyTab:main:   >>> KeyTab: exception /job.keytab (No such file or directory)
> Key for the principal job/analytics@KDC.LON02.HADOOP not available in //job.keytab
> [KRB_DBG_CCHE] Credentials:main:   >>> Credentials: Created Credentials with 0 keys. Key types:
> [JGSS_DBG_CRED]  main Done retrieving Kerberos creds from keytab
> [JGSS_DBG_CRED]  main Retrieving Kerberos creds from cache for principal=job/analytics
> [JGSS_DBG_CRED]  main Non-interactive login; no callbacks necessary.
> [JGSS_DBG_CRED]  main No Kerberos creds in cache for principal job/analytics
> [JGSS_DBG_CRED]  main Doing Kerberos login for principal job/analytics@KDC.LON02.HADOOP
> 2017-04-19 02:29:14,381 DEBUG [org.apache.hadoop.security.UserGroupInformation] - hadoop login
> Exception in thread "main" java.io.IOException: Login failure for job/analytics from keytab job.keytab
> 	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1103)
> 	at com.TestKrb.main(TestKrb.java:10)
> Caused by: javax.security.auth.login.FailedLoginException: Null key
> 	at com.ibm.security.jgss.i18n.I18NException.throwFailedLoginException(I18NException.java:1)
> 	at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:355)
> 	at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:515)
> 	at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:411)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
> 	at java.lang.reflect.Method.invoke(Method.java:508)
> 	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:788)
> 	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:196)
> 	at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
> 	at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
> 	at java.security.AccessController.doPrivileged(AccessController.java:686)
> 	at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:719)
> 	at javax.security.auth.login.LoginContext.login(LoginContext.java:593)
> 	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1092)
> 	... 1 more
> In above log, the useKeytab=<value> entry is showing a <value> prefaced by a leading "//".  It appears that HADOOP is adjusting the user supplied keytab file and most likely prefacing it with something like "FILE://", which would cause the resulting IBM normalized value to then be prefaced by "//" before the user supplied keytab file.  This is the cause for why relative paths used with HADOOP are not working with IBM JVM's.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org