Return-Path: X-Original-To: apmail-hbase-issues-archive@www.apache.org Delivered-To: apmail-hbase-issues-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 90FB7183A9 for ; Wed, 14 Oct 2015 19:23:28 +0000 (UTC) Received: (qmail 26980 invoked by uid 500); 14 Oct 2015 19:23:06 -0000 Delivered-To: apmail-hbase-issues-archive@hbase.apache.org Received: (qmail 26940 invoked by uid 500); 14 Oct 2015 19:23:06 -0000 Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list issues@hbase.apache.org Received: (qmail 26879 invoked by uid 99); 14 Oct 2015 19:23:06 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 14 Oct 2015 19:23:06 +0000 Date: Wed, 14 Oct 2015 19:23:06 +0000 (UTC) From: "Devaraj Das (JIRA)" To: issues@hbase.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HBASE-14605) Split fails due to 'No valid credentials' error when SecureBulkLoadEndpoint#start tries to access hdfs MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HBASE-14605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14957568#comment-14957568 ] Devaraj Das commented on HBASE-14605: ------------------------------------- Yeah [~jinghe] this is a regression introduced by HBASE-14475... The patch 14605-v1.txt that Ted uploaded is based on the premise that the coprocessors' initialization happens as the user RegionServer runs as. This should be fine in any case (it was already implicitly happening as the Regionserver user; this patch makes it explicit)... One issue that still remains is that if the split-request/compaction-request implementation changes in the future where, for example, some HDFS operations are done synchronously (not suggesting this though), then the patch in HBASE-14475 will cause issues since the HDFS operations to do with splitting will happen as the end-user instead of the RegionServer user... But I guess, we can tackle those issues as and when they show up. > Split fails due to 'No valid credentials' error when SecureBulkLoadEndpoint#start tries to access hdfs > ------------------------------------------------------------------------------------------------------ > > Key: HBASE-14605 > URL: https://issues.apache.org/jira/browse/HBASE-14605 > Project: HBase > Issue Type: Bug > Reporter: Ted Yu > Assignee: Ted Yu > Attachments: 14605-v1.txt, 14605.alt > > > During recent testing in secure cluster (with HBASE-14475), we found the following when user X (non-super user) split a table with region replica: > {code} > 2015-10-12 10:58:18,955 ERROR [FifoRpcScheduler.handler1-thread-9] master.HMaster: Region server hbase-4-4.novalocal,60020,1444645588137 reported a fatal error: > ABORTING region server hbase-4-4.novalocal,60020,1444645588137: The coprocessor org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint threw an unexpected exception > Cause: > java.lang.IllegalStateException: Failed to get FileSystem instance > at org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint.start(SecureBulkLoadEndpoint.java:148) > at org.apache.hadoop.hbase.coprocessor.CoprocessorHost$Environment.startup(CoprocessorHost.java:415) > at org.apache.hadoop.hbase.coprocessor.CoprocessorHost.loadInstance(CoprocessorHost.java:257) > at org.apache.hadoop.hbase.coprocessor.CoprocessorHost.loadSystemCoprocessors(CoprocessorHost.java:160) > at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.(RegionCoprocessorHost.java:192) > at org.apache.hadoop.hbase.regionserver.HRegion.(HRegion.java:701) > at org.apache.hadoop.hbase.regionserver.HRegion.(HRegion.java:608) > ... > Caused by: java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "hbase-4-4/172.22.66.186"; destination host is: "os-r6- okarus-hbase-4-2.novalocal":8020; > at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:772) > at org.apache.hadoop.ipc.Client.call(Client.java:1473) > at org.apache.hadoop.ipc.Client.call(Client.java:1400) > at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:232) > at com.sun.proxy.$Proxy18.mkdirs(Unknown Source) > at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.mkdirs(ClientNamenodeProtocolTranslatorPB.java:555) > at sun.reflect.GeneratedMethodAccessor13.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:606) > at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:187) > at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:102) > at com.sun.proxy.$Proxy19.mkdirs(Unknown Source) > at org.apache.hadoop.hdfs.DFSClient.primitiveMkdir(DFSClient.java:2775) > at org.apache.hadoop.hdfs.DFSClient.mkdirs(DFSClient.java:2746) > at org.apache.hadoop.hdfs.DistributedFileSystem$19.doCall(DistributedFileSystem.java:967) > at org.apache.hadoop.hdfs.DistributedFileSystem$19.doCall(DistributedFileSystem.java:963) > at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) > {code} > The cause was that SecureBulkLoadEndpoint#start tried to create staging dir in hdfs as user X but didn't pass authentication. -- This message was sent by Atlassian JIRA (v6.3.4#6332)