Got the result

 

java org.apache.kylin.rest.security.PasswordPlaceholderConfigurer AES 123456789012345

AES encrypted password is:

pLKuoHlKbRg+55tny8n2YA==

If I put this string into ldap.password, Kylin starts up without errors (I can ofc not login, because the password is wrong.)

 

java org.apache.kylin.rest.security.PasswordPlaceholderConfigurer AES 1234567890123456

AES encrypted password is:

RSvxLxIHAugtd/LBQFpGF+9fW0wb6YVnsEYgogo9w/w=

If I put this string into ldap.password, Kylin failes to start with the error I posted previously

 

//Berry

 

 

From: Österlund Berry [mailto:berry.osterlund@scania.com]
Sent: den 24 januari 2017 13:42
To: user@kylin.apache.org
Subject: RE: Password decrypting and LDAP

 

Let me try different passwords, and different length and I’ll get back with the result.

 

From: ShaoFeng Shi [mailto:shaofengshi@apache.org]
Sent: den 24 januari 2017 13:39
To: user <user@kylin.apache.org>
Subject: Re: Password decrypting and LDAP

 

In your password is there some non-ascii character? I'm wondering what can cause its encrypted values be different with others; This post (https://stackoverflow.com/questions/17234359/javax-crypto-illegalblocksizeexception-input-length-must-be-multiple-of-16-whe) mentioned: "you are only able to encrypt data in blocks of 128 bits or 16 bytes. That's why you are getting that IllegalBlockSizeException exception."

 

Besides, there should be a way to bypass this in Kylin; If you still don't have progress, we can try that. 

 

2017-01-24 17:26 GMT+08:00 Österlund Berry <berry.osterlund@scania.com>:

Hi

 

I also tried (sorry for not writing that) to run with a correct JAVA_HOME, but it still picks the 1.8 version from HBase. I’m sure that I can force it to use 1.7, but I found another interesting thing that I look into now.

 

If I use my own account and password as the serviceaccount for Kylin (my password is 9 chars long), I get passed that error. Now, I don’t have the correct permissions in the AD so I can’t use my account for that. But it’s interesting that it looks like it’s the password length that affects this. I have ordered a new account with a 15 char long password to test it out. Once I get it, I’ll update with more information.

 

Best Regards

Berry

 

From: ShaoFeng Shi [mailto:shaofengshi@apache.org]
Sent: den 24 januari 2017 09:47
To: user <user@kylin.apache.org>
Subject: Re: Password decrypting and LDAP

 

Hi Berry,

 

Did you try to start Kylin with java 1.7? Yes by default Kylin uses the HBase's java to startup; You can add "export JAVA_HOME=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el7_2.x86_64/" in $KYLIN_HOME/bin/setenv.sh, and then HBase should use the specifiied java.

 

We use SUN JDK in most environments, not get much feedback on OpenJDK 1.8; For the ClassNotFound exception, do you have the detail stacktrace?

 

2017-01-24 14:38 GMT+08:00 Österlund Berry <berry.osterlund@scania.com>:

Hello

 

I’m trying to connect out Kylin installation to an LDAP server, as we are required to have that before we put any solution into production. But I’m facing a problem. When I start Kylin, this is what I get in the log.

 

2017-01-24 07:12:06,110 WARN  [localhost-startStop-1] support.XmlWebApplicationContext:487 : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'ldapSource' defined in class path resource [kylinSecurity.xml]: Input length must be multiple of 16 when decrypting with padded cipher; nested exception is java.lang.RuntimeException: Input length must be multiple of 16 when decrypting with padded cipher

2017-01-24 07:12:06,111 ERROR [localhost-startStop-1] context.ContextLoader:331 : Context initialization failed

org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'ldapSource' defined in class path resource [kylinSecurity.xml]: Input length must be multiple of 16 when decrypting with padded cipher; nested exception is java.lang.RuntimeException: Input length must be multiple of 16 when decrypting with padded cipher

        at org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:209)

        at org.springframework.beans.factory.config.PropertyPlaceholderConfigurer.processProperties(PropertyPlaceholderConfigurer.java:222)

        at org.springframework.beans.factory.config.PropertyResourceConfigurer.postProcessBeanFactory(PropertyResourceConfigurer.java:84)

        at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:699)

        at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:674)

        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:461)

        at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:410)

        at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)

        at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)

        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5068)

        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5584)

        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)

        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)

        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)

        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)

        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)

        at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)

        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)

        at java.util.concurrent.FutureTask.run(FutureTask.java:266)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

        at java.lang.Thread.run(Thread.java:745)

Caused by: java.lang.RuntimeException: Input length must be multiple of 16 when decrypting with padded cipher

        at org.apache.kylin.rest.security.PasswordPlaceholderConfigurer.decrypt(PasswordPlaceholderConfigurer.java:84)

        at org.apache.kylin.rest.security.PasswordPlaceholderConfigurer.resolvePlaceholder(PasswordPlaceholderConfigurer.java:90)

        at org.springframework.beans.factory.config.PropertyPlaceholderConfigurer.resolvePlaceholder(PropertyPlaceholderConfigurer.java:162)

        at org.springframework.beans.factory.config.PropertyPlaceholderConfigurer$PropertyPlaceholderConfigurerResolver.resolvePlaceholder(PropertyPlaceholderConfigurer.java:272)

        at org.springframework.util.PropertyPlaceholderHelper.parseStringValue(PropertyPlaceholderHelper.java:146)

        at org.springframework.util.PropertyPlaceholderHelper.replacePlaceholders(PropertyPlaceholderHelper.java:125)

        at org.springframework.beans.factory.config.PropertyPlaceholderConfigurer$PlaceholderResolvingStringValueResolver.resolveStringValue(PropertyPlaceholderConfigurer.java:257)

        at org.springframework.beans.factory.config.BeanDefinitionVisitor.resolveStringValue(BeanDefinitionVisitor.java:282)

        at org.springframework.beans.factory.config.BeanDefinitionVisitor.resolveValue(BeanDefinitionVisitor.java:204)

        at org.springframework.beans.factory.config.BeanDefinitionVisitor.visitPropertyValues(BeanDefinitionVisitor.java:141)

        at org.springframework.beans.factory.config.BeanDefinitionVisitor.visitBeanDefinition(BeanDefinitionVisitor.java:82)

        at org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:206)

        ... 21 more

Caused by: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher

        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:934)

        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:845)

        at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)

       at javax.crypto.Cipher.doFinal(Cipher.java:2165)

        at org.apache.kylin.rest.security.PasswordPlaceholderConfigurer.decrypt(PasswordPlaceholderConfigurer.java:81)

 

 

 

This is the ldap part of the configuration file

ldap.server=ldap://<FULL HOSTNAME>:389

ldap.username=<FULL DN TO USER>

ldap.password=70tIoIdndG4eYPU5XWsqxNZZ9VlKAwKj19JR6vfEphw=

 

# LDAP user account directory;

ldap.user.searchBase=<VALID DN>

ldap.user.searchPattern=(memberOf=<VALID GROUP>)

ldap.user.groupSearchBase=<GROUP SEARCH BASE>

 

All parameters are used in other LDAP integrations (Like SSSD, Ambari, Ranger, Atlas….) so I know that those are right. I got the hashed password by running this command. By the way, the org.apache.kylin.rest.security.PasswordPlaceholderConfigurer class gets classNotFound exception if I run it with Java 1.8. Just so you know…. 1.7 works better

 

cd /opt/kylin-1.6.0/tomcat/webapps/kylin/WEB-INF/lib

/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el7_2.x86_64/bin/java -classpath kylin-server-base-1.6.0.jar:spring-beans-3.2.17.RELEASE.jar:spring-core-3.2.17.RELEASE.jar:commons-codec-1.7.jar org.apache.kylin.rest.security.PasswordPlaceholderConfigurer AES <PASSWORD 18 CHARS LONG>

 

If I understand everything correctly, Kylin is executed with the Java versions that HBase is running. And the version I have is 1.8.0_112

Can anybody give me some info on how to solve this problem? I really like to install Kylin on our production servers so I can play with real data

 

Best Regards

Berry Österlund

Sweden

 

 

 

 



 

--

Best regards,

 

Shaofeng Shi 史少锋

 



 

--

Best regards,

 

Shaofeng Shi 史少锋