hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "liyunzhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6676) KMS throws AuthenticationException when enabling kerberos authentication
Date Mon, 21 Jul 2014 08:22:39 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14068314#comment-14068314
] 

liyunzhang commented on HDFS-6676:
----------------------------------

you can enable kerberos http spnego authentication of KMS in following steps
1.config kdc server successfully
2.generate keberos ticket in client
ex.kinit HTTP/liyunzhangcentos.sh.intel.com@SH.INTEL.COM -kt /home/zly/http.keytab 
3.edit kms-site.xml, edit following property item
<property>
<name>hadoop.kms.authentication.type</name>
<value>kerberos</value>
<description>
 simple or kerberos
</description>
</property>
<property>
<name>hadoop.kms.authentication.kerberos.keytab</name>
<value>/home/zly/hadoop-3.0.0-SNAPSHOT/etc/hadoop/kerberos/HTTP.keytab</value>
<description>
</description>
</property>   
<property>
<name>hadoop.kms.authentication.kerberos.principal</name>
<value>HTTP/liyunzhangcentos.sh.intel.com@SH.INTEL.COM</value>
<description>
</description>
</property>
4.start kms server
5.use curl to test kms functions like create key
ex:#curl -i --negotiate -u: -X POST -d @createkey.json http://liyunzhangcentos.sh.intel.com:16000/kms/v1/keys
--header "Content-Type:application/json"
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly
Content-Type: text/html;charset=utf-8
Content-Length: 997
Date: Mon, 21 Jul 2014 06:27:59 GMT
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
Set-Cookie: hadoop.auth=u=HTTP&p=HTTP/liyunzhangcentos.sh.intel.com@SH.INTEL.COM&t=kerberos&e=1405960084208&s=UgeM6AwoHo46HDntyVXB/OLK6u8=;
Expires=Mon, 21-Jul-2014 16:28:04 GMT; HttpOnly
Location: http://liyunzhangcentos.sh.intel.com:16000/kms/v1/keys/v1/key/k1
Content-Type: application/json
Content-Length: 55
Date: Mon, 21 Jul 2014 06:28:33 GMT
Res {"versionName" : "k1@0",
  "material" : "12345w=="
} 

> KMS throws AuthenticationException when enabling kerberos authentication 
> -------------------------------------------------------------------------
>
>                 Key: HDFS-6676
>                 URL: https://issues.apache.org/jira/browse/HDFS-6676
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.0
>            Reporter: liyunzhang
>            Priority: Minor
>
> When I made a request http://server-1941.novalocal:16000/kms/v1/names in firefox. (before,
i set configs in firefox according https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html),
following info was found in logs/kms.log.
> 2014-07-14 19:18:30,461 WARN  AuthenticationFilter - Authentication exception: GSSException:
Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype
DES CBC mode with CRC-32 but decryption key is of type NULL)
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException:
Failure unspecified at GSS-API level (Mechanism levelis of type NULL)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:380)
> 	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:357)
> 	at org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter.doFilter(KMSAuthenticationFilter.java:100)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
> 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData
is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL)
> 	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
> 	at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:875)
> 	at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:548)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:347)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:329)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:415)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:329)
> 	... 14 more
> Caused by: KrbException: EncryptedData is encrypted using keytype DES CBC mode with CRC-32
but decryption key is of type NULL
> 	at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:169)
> 	at sun.security.krb5.KrbCred.<init>(KrbCred.java:131)
> 	at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:282)
> 	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:130)
> 	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
> 	... 25 more
> 	
> Kerberos is enabled successful in my environment:
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/server-1941.novalocal@NOVALOCAL
> Valid starting     Expires            Service principal
> 07/14/14 19:18:10  07/15/14 19:18:09  krbtgt/NOVALOCAL@NOVALOCAL
> 	renew until 07/14/14 19:18:10
> 07/14/14 19:18:30  07/15/14 19:18:09  HTTP/server-1941.novalocal@NOVALOCAL
> 	renew until 07/14/14 19:18:10
> Following are kdc configs:
> cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
>  default_realm = NOVALOCAL
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  udp_preference_limit = 1000000
>  default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
>  default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
>  permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
>  allow_weak_crypto = true
> [realms]
>  NOVALOCAL = {
>   kdc = server-355:88
>   admin_server = server-355:749
>   default_domain=novalocal
>  }
> [domain_realm]
>  .novalocal = NOVALOCAL
>  novalocal = NOVALOCAL
> cat /var/kerberos/krb5kdc/kdc.conf
> [kdcdefaults]
> kdc_ports = 88
> kdc_tcp_ports = 88
>  
> [realms]
> NOVALOCAL = {
>   acl_file = /var/kerberos/krb5kdc/kadm5.acl
>   dict_file = /usr/share/dict/words
>   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>   master_key_type = des3-hmac-sha1
>   supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal
des:v4 des:norealm des:onlyrealm des:afs3
> }
>  
> I have updated my jdk to build 1.7.0_60-b19



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message