hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "zhangduo (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-12953) RegionServer is not functionally working with AysncRpcClient in secure mode
Date Sun, 15 Feb 2015 12:06:12 GMT

    [ https://issues.apache.org/jira/browse/HBASE-12953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14321957#comment-14321957
] 

zhangduo commented on HBASE-12953:
----------------------------------

I found the problem. We need to use Subject.doAs when calling evaluateChallenge in SaslClientHandler.
Now we only use Subject.doAs when creating SaslClientHandler.

But we need to send more packets when setup sasl connections so the problem described in HBASE-13011
is more serious. So without HBASE-13011 the testcase still can not pass(a user call is sent
before we finish sasl setup, so SaslServer fails because it has received a wrong response).

I can post the patch here, but I think we need to let HBASE-13011 go first. [~stack] [~jurmous]

Thank~

> RegionServer is not functionally working with AysncRpcClient in secure mode
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-12953
>                 URL: https://issues.apache.org/jira/browse/HBASE-12953
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.0.0, 1.1.0
>            Reporter: Ashish Singhi
>            Assignee: stack
>            Priority: Critical
>         Attachments: testcase.patch
>
>
> HBase version 2.0.0
> Default value for {{hbase.rpc.client.impl}} is set to AsyncRpcClient.
> When trying to install HBase with Kerberos, RegionServer is not working functionally.
> The following log is logged in its log file
> {noformat}
> 2015-02-02 14:59:05,407 WARN  [AsyncRpcChannel-pool1-t1] channel.DefaultChannelPipeline:
An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually
means the last handler in the pipeline did not handle the exception.
> io.netty.channel.ChannelPipelineException: org.apache.hadoop.hbase.security.SaslClientHandler.handlerAdded()
has thrown an exception; removed.
> 	at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:499)
> 	at io.netty.channel.DefaultChannelPipeline.callHandlerAdded(DefaultChannelPipeline.java:481)
> 	at io.netty.channel.DefaultChannelPipeline.addFirst0(DefaultChannelPipeline.java:114)
> 	at io.netty.channel.DefaultChannelPipeline.addFirst(DefaultChannelPipeline.java:97)
> 	at io.netty.channel.DefaultChannelPipeline.addFirst(DefaultChannelPipeline.java:235)
> 	at io.netty.channel.DefaultChannelPipeline.addFirst(DefaultChannelPipeline.java:214)
> 	at org.apache.hadoop.hbase.ipc.AsyncRpcChannel$2.operationComplete(AsyncRpcChannel.java:194)
> 	at org.apache.hadoop.hbase.ipc.AsyncRpcChannel$2.operationComplete(AsyncRpcChannel.java:157)
> 	at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:680)
> 	at io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:603)
> 	at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:563)
> 	at io.netty.util.concurrent.DefaultPromise.trySuccess(DefaultPromise.java:406)
> 	at io.netty.channel.DefaultChannelPromise.trySuccess(DefaultChannelPromise.java:82)
> 	at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.fulfillConnectPromise(AbstractNioChannel.java:253)
> 	at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:288)
> 	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:528)
> 	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
> 	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
> 	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
> 	at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
> 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
> 	at org.apache.hadoop.hbase.security.SaslClientHandler.handlerAdded(SaslClientHandler.java:154)
> 	at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:486)
> 	... 20 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
> 	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
> 	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
> 	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
> 	at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
> 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
> {noformat}
> When set hbase.rpc.client.impl to RpcClientImpl, there seems to be no issue.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message