[ https://issues.apache.org/jira/browse/STORM-345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14050299#comment-14050299 ]
Robert Joseph Evans commented on STORM-345:
-------------------------------------------
I am getting an error when I try to actually renew the ticket.
I modified AutoTGT in the following way.
{code}
diff --git a/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java b/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
index 52bf540..a474e5d 100644
--- a/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
+++ b/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
@@ -241,7 +241,7 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer
{
if (tgt != null) {
long refreshTime = getRefreshTime(tgt);
long now = System.currentTimeMillis();
- if (now >= refreshTime) {
+ //if (now >= refreshTime) {
try {
LOG.info("Renewing TGT for "+tgt.getClient());
tgt.refresh();
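Review bot: commenting out `if (now >= refreshTime) {` makes renew() call tgt.refresh() unconditionally, so this run no longer exercises getRefreshTime(tgt) at all. That is fine for a reproduction but must not land in the patch; if the gate has to be bypassed for testing, log `refreshTime` and `now` and add an explicit override (a conf key or system property) instead of dead-commenting the condition and its closing brace.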
@@ -249,19 +249,21 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer
{
} catch (RefreshFailedException e) {
LOG.warn("Failed to refresh TGT", e);
}
- }
+ //}
}
}
public static void main(String[] args) throws Exception {
+
AutoTGT at = new AutoTGT();
Map conf = new java.util.HashMap();
conf.put("java.security.auth.login.config", args[0]);
at.prepare(conf);
Map<String,String> creds = new java.util.HashMap<String,String>();
at.populateCredentials(creds);
- Subject s = new Subject();
- at.populateSubject(s, creds);
- LOG.info("Got a Subject "+s);
+ at.renew(creds);
+ //Subject s = new Subject();
+ //at.populateSubject(s, creds);
+ //LOG.info("Got a Subject "+s);
}
}
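Review bot: main() calls `at.renew(creds)` straight after `at.populateCredentials(creds)` without checking that args[0] was supplied, and the stray blank `+` line after the method header should be dropped. What the change does establish is useful, though: renew() is invoked here against a ticket read from the cache moments earlier, still well inside its end time, so the failure that follows is in KerberosTicket.refresh() itself rather than in AutoTGT's refresh timing. Logging the ticket's end time and renewTill before and after the refresh() call would make that explicit in the output.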
{code}
I then called it.
{code}
java -cp ./storm-core-0.9.2-incubating-security.jar:./storm/lib/\* backtype.storm.security.auth.kerberos.AutoTGT jaas.conf
{code}
The contents of jaas.conf are
{code}
StormClient {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=false
useTicketCache=true
serviceName="storm";
};
{code}
I end up with the following error as part of the output.
{code}
294 [main] INFO backtype.storm.security.auth.kerberos.AutoTGT - Pushing TGT for me@TEST.COM to topology.
313 [main] INFO backtype.storm.security.auth.kerberos.AutoTGT - Renewing TGT for me@TEST.COM
452 [main] WARN backtype.storm.security.auth.kerberos.AutoTGT - Failed to refresh TGT
javax.security.auth.RefreshFailedException: Failed to renew Kerberos Ticket for client me@TEST.COM and server krbtgt/TEST.COM@TEST.COM - Message stream modified (41)
at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:575) ~[na:1.7.0_17]
at backtype.storm.security.auth.kerberos.AutoTGT.renew(AutoTGT.java:247) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
at backtype.storm.security.auth.kerberos.AutoTGT.main(AutoTGT.java:264) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:80) ~[na:1.7.0_17]
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:88) ~[na:1.7.0_17]
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192) ~[na:1.7.0_17]
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203) ~[na:1.7.0_17]
at sun.security.krb5.Credentials.renew(Credentials.java:259) ~[na:1.7.0_17]
at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:567) ~[na:1.7.0_17]
... 2 common frames omitted
{code}
Turning on debug with -Dsun.security.krb5.debug=true is not that much better.
{code}
>>>KinitOptions cache name is /tmp/krb5cc_38795
>>>DEBUG <CCacheInputStream> client principal is me@TEST.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/TEST.COM@TEST.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Wed Jul 02 16:19:06 UTC 2014
>>>DEBUG <CCacheInputStream> start time: Wed Jul 02 16:19:02 UTC 2014
>>>DEBUG <CCacheInputStream> end time: Thu Jul 03 02:19:06 UTC 2014
>>>DEBUG <CCacheInputStream> renew_till time: Wed Jul 09 16:19:02 UTC 2014
>>> CCacheInputStream: readFlags() FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
Config name: /etc/krb5.conf
297 [main] INFO backtype.storm.security.auth.kerberos.AutoTGT - Pushing TGT for me@TEST.COM to topology.
316 [main] INFO backtype.storm.security.auth.kerberos.AutoTGT - Renewing TGT for me@TEST.COM
default etypes for default_tgs_enctypes: 23 16 17 18.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
>>> KrbKdcReq send: kdc=kdc1.test.com. TCP:88, timeout=30000, number of retries =3, #bytes=1798
>>> KDCCommunication: kdc=kdc1.test.com. TCP:88, timeout=30000,Attempt =1, #bytes=1798
>>>DEBUG: TCPClient reading 1804 bytes
>>> KrbKdcReq send: #bytes read=1804
>>> KdcAccessibility: remove kdc1.test.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
453 [main] WARN backtype.storm.security.auth.kerberos.AutoTGT - Failed to refresh TGT
javax.security.auth.RefreshFailedException: Failed to renew Kerberos Ticket for client me@TEST.COM and server krbtgt/TEST.COM@TEST.COM - Message stream modified (41)
at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:575) ~[na:1.7.0_17]
at backtype.storm.security.auth.kerberos.AutoTGT.renew(AutoTGT.java:247) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
at backtype.storm.security.auth.kerberos.AutoTGT.main(AutoTGT.java:264) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:80) ~[na:1.7.0_17]
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:88) ~[na:1.7.0_17]
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192) ~[na:1.7.0_17]
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203) ~[na:1.7.0_17]
at sun.security.krb5.Credentials.renew(Credentials.java:259) ~[na:1.7.0_17]
at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:567) ~[na:1.7.0_17]
... 2 common frames omitted
{code}
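As an added diagnostic example (not Storm code and not part of this comment), the following stand-alone class logs in through the same `StormClient` JAAS entry, picks the TGT out of the Subject, prints its lifetime and flags, and only calls refresh() when the ticket itself reports that renewal is possible. The class name `TgtRenewCheck`, the `REFRESH_FRACTION` policy and the `--force` switch are assumptions; the refresh-window formula mirrors the idea of AutoTGT.getRefreshTime but is not its actual implementation. Printing the ticket before and after refresh() separates "the ticket was never renewable" from "the KDC exchange failed", which the stack trace above does not distinguish.

```java
import java.util.Date;
import java.util.Set;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical diagnostic, not part of AutoTGT or Storm.
public class TgtRenewCheck {

    // Assumed policy: consider the TGT due for renewal once 80% of its
    // lifetime has elapsed. Not the formula AutoTGT.getRefreshTime uses.
    private static final double REFRESH_FRACTION = 0.8;

    static long refreshTime(KerberosTicket tgt) {
        long start = tgt.getStartTime().getTime();
        long end = tgt.getEndTime().getTime();
        return start + (long) ((end - start) * REFRESH_FRACTION);
    }

    // The TGT is the ticket whose server principal is krbtgt/REALM@REALM.
    static KerberosTicket findTgt(Subject subject) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket t : tickets) {
            if (t.getServer().getName().startsWith("krbtgt/")) {
                return t;
            }
        }
        return null;
    }

    static String describe(KerberosTicket t) {
        return "client=" + t.getClient() + " server=" + t.getServer()
             + " start=" + t.getStartTime() + " end=" + t.getEndTime()
             + " renewTill=" + t.getRenewTill()
             + " renewable=" + t.isRenewable() + " current=" + t.isCurrent();
    }

    public static void main(String[] args) throws LoginException {
        if (args.length < 1) {
            System.err.println("usage: TgtRenewCheck <jaas.conf> [--force]");
            return;
        }
        boolean force = args.length > 1 && "--force".equals(args[1]);
        System.setProperty("java.security.auth.login.config", args[0]);

        // Same JAAS entry name as the jaas.conf in this comment.
        LoginContext lc = new LoginContext("StormClient");
        lc.login();
        KerberosTicket tgt = findTgt(lc.getSubject());
        if (tgt == null) {
            System.err.println("No krbtgt ticket found in the Subject");
            return;
        }
        System.out.println("Before: " + describe(tgt));

        long now = System.currentTimeMillis();
        if (!tgt.isRenewable()) {
            System.err.println("Ticket is not RENEWABLE; refresh() cannot succeed");
            return;
        }
        Date renewTill = tgt.getRenewTill();
        if (renewTill == null || renewTill.getTime() <= now) {
            System.err.println("renew_till has passed; a new kinit is required");
            return;
        }
        if (now < refreshTime(tgt) && !force) {
            System.out.println("Not yet due for renewal (refresh at "
                + new Date(refreshTime(tgt)) + "); pass --force to try anyway");
            return;
        }

        try {
            tgt.refresh();
            System.out.println("After:  " + describe(tgt));
        } catch (RefreshFailedException e) {
            // The exception message carries the KRB error (e.g. "Message stream
            // modified (41)"); the ticket details above show what was sent.
            System.err.println("refresh() failed for " + describe(tgt));
            e.printStackTrace();
        }
    }
}
```

Run it the same way as the AutoTGT main above, e.g. `java -Dsun.security.krb5.debug=true -cp . TgtRenewCheck jaas.conf --force`; a ticket that prints `renewable=false`, or whose `renewTill` is already in the past, will fail in refresh() for reasons unrelated to the KDC reply check in the stack trace above.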
> (Security) AutoTGT renewal is not working
> -----------------------------------------
>
> Key: STORM-345
> URL: https://issues.apache.org/jira/browse/STORM-345
> Project: Apache Storm (Incubating)
> Issue Type: Bug
> Reporter: Robert Joseph Evans
> Assignee: Raghavendra Nandagopal
> Labels: security
>
> AutoTGT will call tgt.refresh(); to try and renew a token, but every time we try to make this work the java code blows up with some very odd errors.
> Either we need to find some configurations and document them on how to make this work.
> Rip out the renewal code and update the documentation to explain that the renewal is not supported.
> Find another way to renew the TGT (Some other library)
--
This message was sent by Atlassian JIRA
(v6.2#6252)