hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (HBASE-11089) Use proxy user for security integration test where multiple users are needed
Date Mon, 28 Apr 2014 16:34:18 GMT

     [ https://issues.apache.org/jira/browse/HBASE-11089?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Andrew Purtell resolved HBASE-11089.
------------------------------------

    Resolution: Duplicate

Dup of HBASE-10831, but let me carry this over there.

> Use proxy user for security integration test where multiple users are needed
> ----------------------------------------------------------------------------
>
>                 Key: HBASE-11089
>                 URL: https://issues.apache.org/jira/browse/HBASE-11089
>             Project: HBase
>          Issue Type: Task
>            Reporter: Ted Yu
>
> We have seen the following test failure:
> {code}
> 2014-02-06 02:58:25,315|beaver.machine|INFO|RUNNING: /usr/bin/kinit -c /grid/0/hadoopqe/artifacts/kerberosTickets/hbase.kerberos.ticket
-k -t /home/hrt_qa/hadoopqa/keytabs/hbase.headless.keytab hbase
> 2014-02-06 02:58:25,325|beaver.machine|INFO|RUNNING: /usr/lib/hbase/bin/hbase --config
/tmp/hbaseConf org.apache.hadoop.hbase.IntegrationTestsDriver -regex IntegrationTestIngestWithACL
> 2014-02-06 02:58:34,489|beaver.machine|INFO|2014-02-06 02:58:34,489 DEBUG HBaseWriterThreadWithACL_1
token.AuthenticationTokenSelector: No matching token found
> 2014-02-06 02:58:34,493|beaver.machine|INFO|2014-02-06 02:58:34,489 DEBUG HBaseWriterThreadWithACL_1
security.HBaseSaslRpcClient: Creating SASL GSSAPI client. Server's Kerberos principal name
is hbase/h2-ubuntu12-sec-1391405488-hbase-7.cs1cloud.internal@EXAMPLE.COM
> 2014-02-06 02:58:34,493|beaver.machine|INFO|2014-02-06 02:58:34,491 WARN HBaseWriterThreadWithACL_1
security.UserGroupInformation: PriviledgedActionException as:owner (auth:SIMPLE) cause:javax.security.sasl.SaslException:
GSS initiate failed Caused by GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
> 2014-02-06 02:58:34,493|beaver.machine|INFO|2014-02-06 02:58:34,492 WARN HBaseWriterThreadWithACL_1
ipc.RpcClient: Exception encountered while connecting to the server : javax.security.sasl.SaslException:
GSS initiate failed Caused by GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
> 2014-02-06 02:58:34,498|beaver.machine|INFO|2014-02-06 02:58:34,493 FATAL HBaseWriterThreadWithACL_1
ipc.RpcClient: SASL authentication failed. The most likely cause is missing or invalid credentials.
Consider 'kinit'.
> 2014-02-06 02:58:34,499|beaver.machine|INFO|javax.security.sasl.SaslException: GSS initiate
failed Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
> 2014-02-06 02:58:34,499|beaver.machine|INFO|at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
> 2014-02-06 02:58:34,499|beaver.machine|INFO|at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:152)
> 2014-02-06 02:58:34,500|beaver.machine|INFO|at org.apache.hadoop.hbase.ipc.RpcClient$Connection.setupSaslConnection(RpcClient.java:762)
> {code}
> The above test failure was due to the second user in the test not being able to authenticate
using kerberos.
> This can be solved using impersonation which is described here : http://hadoop.apache.org/docs/r1.2.1/Secure_Impersonation.html
> The superuser needs to authenticate using kerberos. The superuser can impersonate any
member of the specified groups.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message