kylin-user mailing list archives

From ShaoFeng Shi <shaofeng...@apache.org>
Subject Re: Password decrypting and LDAP
Date Tue, 24 Jan 2017 13:43:37 GMT
Okay, so it means the max. length Kylin supports is 15, right?

Berry, could you please report a JIRA to Kylin in
https://issues.apache.org/jira/secure/Dashboard.jspa?  We use JIRA to track
the issues; Thank you!

2017-01-24 20:57 GMT+08:00 Österlund Berry <berry.osterlund@scania.com>:

> Got the result
>
>
>
> java org.apache.kylin.rest.security.PasswordPlaceholderConfigurer AES 123456789012345
>
> AES encrypted password is:
>
> pLKuoHlKbRg+55tny8n2YA==
>
> If I put this string into ldap.password, Kylin starts up without errors (I
> can ofc not login, because the password is wrong.)
>
>
>
> java org.apache.kylin.rest.security.PasswordPlaceholderConfigurer AES 1234567890123456
>
> AES encrypted password is:
>
> RSvxLxIHAugtd/LBQFpGF+9fW0wb6YVnsEYgogo9w/w=
>
> If I put this string into ldap.password, Kylin fails to start with the
> error I posted previously
>
>
>
> //Berry
>
>
>
>
>
> *From:* Österlund Berry [mailto:berry.osterlund@scania.com]
> *Sent:* den 24 januari 2017 13:42
> *To:* user@kylin.apache.org
> *Subject:* RE: Password decrypting and LDAP
>
>
>
> Let me try different passwords, and different length and I’ll get back
> with the result.
>
>
>
> *From:* ShaoFeng Shi [mailto:shaofengshi@apache.org
> <shaofengshi@apache.org>]
> *Sent:* den 24 januari 2017 13:39
> *To:* user <user@kylin.apache.org>
> *Subject:* Re: Password decrypting and LDAP
>
>
>
> In your password is there some non-ascii character? I'm wondering what can
> cause its encrypted values be different with others; This post (
> https://stackoverflow.com/questions/17234359/javax-crypto-illegalblocksizeexception-input-length-must-be-multiple-of-16-whe)
> mentioned: "you are only able to encrypt data in blocks of 128 bits or 16
> bytes. That's why you are getting that IllegalBlockSizeException
> exception."
>
>
>
> Besides, there should be a way to bypass this in Kylin; If you still don't
> have progress, we can try that.
>
>
>
> 2017-01-24 17:26 GMT+08:00 Österlund Berry <berry.osterlund@scania.com>:
>
> Hi
>
>
>
> I also tried (sorry for not writing that) to run with a correct JAVA_HOME,
> but it still picks the 1.8 version from HBase. I’m sure that I can force it
> to use 1.7, but I found another interesting thing that I look into now.
>
>
>
> If I use my own account and password as the service account for Kylin (my
> password is 9 chars long), I get past that error. Now, I don’t have the
> correct permissions in the AD so I can’t use my account for that. But it’s
> interesting that it looks like it’s the password length that affects this.
> I have ordered a new account with a 15 char long password to test it out.
> Once I get it, I’ll update with more information.
>
>
>
> Best Regards
>
> Berry
>
>
>
> *From:* ShaoFeng Shi [mailto:shaofengshi@apache.org]
> *Sent:* den 24 januari 2017 09:47
> *To:* user <user@kylin.apache.org>
> *Subject:* Re: Password decrypting and LDAP
>
>
>
> Hi Berry,
>
>
>
> Did you try to start Kylin with java 1.7? Yes by default Kylin uses the
> HBase's java to startup; You can add
> "export JAVA_HOME=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el7_2.x86_64/"
> in $KYLIN_HOME/bin/setenv.sh, and then HBase should use the specified java.
>
>
>
> We use SUN JDK in most environments, not get much feedback on OpenJDK 1.8;
> For the ClassNotFound exception, do you have the detail stacktrace?
>
>
>
> 2017-01-24 14:38 GMT+08:00 Österlund Berry <berry.osterlund@scania.com>:
>
> Hello
>
>
>
> I’m trying to connect our Kylin installation to an LDAP server, as we are
> required to have that before we put any solution into production. But I’m
> facing a problem. When I start Kylin, this is what I get in the log.
>
>
>
> 2017-01-24 07:12:06,110 WARN  [localhost-startStop-1] support.XmlWebApplicationContext:487 : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'ldapSource' defined in class path resource [kylinSecurity.xml]: Input length must be multiple of 16 when decrypting with padded cipher; nested exception is java.lang.RuntimeException: Input length must be multiple of 16 when decrypting with padded cipher
>
> 2017-01-24 07:12:06,111 ERROR [localhost-startStop-1] context.ContextLoader:331 : Context initialization failed
>
> org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'ldapSource' defined in class path resource [kylinSecurity.xml]: Input length must be multiple of 16 when decrypting with padded cipher; nested exception is java.lang.RuntimeException: Input length must be multiple of 16 when decrypting with padded cipher
>         at org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:209)
>         at org.springframework.beans.factory.config.PropertyPlaceholderConfigurer.processProperties(PropertyPlaceholderConfigurer.java:222)
>         at org.springframework.beans.factory.config.PropertyResourceConfigurer.postProcessBeanFactory(PropertyResourceConfigurer.java:84)
>         at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:699)
>         at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:674)
>         at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:461)
>         at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:410)
>         at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)
>         at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)
>         at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5068)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5584)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>         at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
>         at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.RuntimeException: Input length must be multiple of 16 when decrypting with padded cipher
>         at org.apache.kylin.rest.security.PasswordPlaceholderConfigurer.decrypt(PasswordPlaceholderConfigurer.java:84)
>         at org.apache.kylin.rest.security.PasswordPlaceholderConfigurer.resolvePlaceholder(PasswordPlaceholderConfigurer.java:90)
>         at org.springframework.beans.factory.config.PropertyPlaceholderConfigurer.resolvePlaceholder(PropertyPlaceholderConfigurer.java:162)
>         at org.springframework.beans.factory.config.PropertyPlaceholderConfigurer$PropertyPlaceholderConfigurerResolver.resolvePlaceholder(PropertyPlaceholderConfigurer.java:272)
>         at org.springframework.util.PropertyPlaceholderHelper.parseStringValue(PropertyPlaceholderHelper.java:146)
>         at org.springframework.util.PropertyPlaceholderHelper.replacePlaceholders(PropertyPlaceholderHelper.java:125)
>         at org.springframework.beans.factory.config.PropertyPlaceholderConfigurer$PlaceholderResolvingStringValueResolver.resolveStringValue(PropertyPlaceholderConfigurer.java:257)
>         at org.springframework.beans.factory.config.BeanDefinitionVisitor.resolveStringValue(BeanDefinitionVisitor.java:282)
>         at org.springframework.beans.factory.config.BeanDefinitionVisitor.resolveValue(BeanDefinitionVisitor.java:204)
>         at org.springframework.beans.factory.config.BeanDefinitionVisitor.visitPropertyValues(BeanDefinitionVisitor.java:141)
>         at org.springframework.beans.factory.config.BeanDefinitionVisitor.visitBeanDefinition(BeanDefinitionVisitor.java:82)
>         at org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:206)
>         ... 21 more
> Caused by: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher
>         at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:934)
>         at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:845)
>         at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
>         at javax.crypto.Cipher.doFinal(Cipher.java:2165)
>         at org.apache.kylin.rest.security.PasswordPlaceholderConfigurer.decrypt(PasswordPlaceholderConfigurer.java:81)
>
>
>
>
>
>
>
> This is the ldap part of the configuration file
>
> ldap.server=ldap://<FULL HOSTNAME>:389
>
> ldap.username=<FULL DN TO USER>
>
> ldap.password=70tIoIdndG4eYPU5XWsqxNZZ9VlKAwKj19JR6vfEphw=
>
>
>
> # LDAP user account directory;
>
> ldap.user.searchBase=<VALID DN>
>
> ldap.user.searchPattern=(memberOf=<VALID GROUP>)
>
> ldap.user.groupSearchBase=<GROUP SEARCH BASE>
>
>
>
> All parameters are used in other LDAP integrations (Like SSSD, Ambari,
> Ranger, Atlas….) so I know that those are right. I got the hashed password
> by running this command. By the way, the org.apache.kylin.rest.security.PasswordPlaceholderConfigurer
> class gets classNotFound exception if I run it with Java 1.8. Just so you
> know…. 1.7 works better
>
>
>
> cd /opt/kylin-1.6.0/tomcat/webapps/kylin/WEB-INF/lib
>
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el7_2.x86_64/bin/java -classpath kylin-server-base-1.6.0.jar:spring-beans-3.2.17.RELEASE.jar:spring-core-3.2.17.RELEASE.jar:commons-codec-1.7.jar org.apache.kylin.rest.security.PasswordPlaceholderConfigurer AES <PASSWORD 18 CHARS LONG>
>
>
>
> If I understand everything correctly, Kylin is executed with the Java
> versions that HBase is running. And the version I have is 1.8.0_112
>
> Can anybody give me some info on how to solve this problem? I really like
> to install Kylin on our production servers so I can play with real data
>
>
>
> Best Regards
>
> Berry Österlund
>
> Sweden
>
>
>
>
>
>
>
>
>
>
>
>
>
> --
>
> Best regards,
>
>
>
> Shaofeng Shi 史少锋



-- 
Best regards,

Shaofeng Shi 史少锋
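
A pre-flight check for the `ldap.password` values discussed in this thread, as an added example that is not part of the original messages and not Kylin's own code. It decodes each Base64 string and tests it against the "multiple of 16" rule from the exception; the function names are hypothetical, and `padded_len` assumes one byte per character and no IV stored alongside the ciphertext.

```python
import base64
import binascii

BLOCK = 16  # AES block size in bytes

def padded_len(plaintext_len):
    """Ciphertext bytes for a padded block cipher: padding always adds 1..16 bytes.
    Assumes one byte per character and no IV stored with the ciphertext."""
    return (plaintext_len // BLOCK + 1) * BLOCK

def check_value(value, plaintext_len=None):
    """Classify a stored ldap.password string without needing the key."""
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if not raw or len(raw) % BLOCK:
        return "not-block-aligned"  # what a padded cipher rejects on decrypt
    if plaintext_len is not None and len(raw) != padded_len(plaintext_len):
        return "length-mismatch"
    return "ok"

def check_properties(text, key="ldap.password"):
    """Find `key` in properties text and classify its value."""
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and not name.startswith("#") and name.strip() == key:
            return check_value(value)
    return "missing"

# Values quoted in the thread, with the plaintext length each poster reported.
THREAD = [
    ("pLKuoHlKbRg+55tny8n2YA==", 15),
    ("RSvxLxIHAugtd/LBQFpGF+9fW0wb6YVnsEYgogo9w/w=", 16),
    ("70tIoIdndG4eYPU5XWsqxNZZ9VlKAwKj19JR6vfEphw=", 18),
]
# Constructed failure cases: a value cut short, and one with its "=" stripped.
TRUNCATED = THREAD[1][0][:-4]
NO_PADDING = THREAD[1][0].rstrip("=")

if __name__ == "__main__":
    for value, n in THREAD:
        print(n, padded_len(n), check_value(value, n))
    print(check_value(TRUNCATED), check_value(NO_PADDING))
    print(check_properties("ldap.server=ldap://host:389\nldap.password=" + THREAD[2][0]))
```

All three strings quoted in the thread decode to a whole number of 16-byte blocks (16, 32 and 32 bytes), so this check only rules out a malformed or truncated property value; it says nothing about how the value is handled after it is read.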
