storm-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Joseph Evans (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (STORM-345) (Security) AutoTGT renewal is not working
Date Wed, 02 Jul 2014 16:37:27 GMT

    [ https://issues.apache.org/jira/browse/STORM-345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14050299#comment-14050299
] 

Robert Joseph Evans commented on STORM-345:
-------------------------------------------

I am getting an error when I try to actually renew the ticket.

I modified AutoTGT in the following way.

{code}
diff --git a/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java b/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
index 52bf540..a474e5d 100644
--- a/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
+++ b/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
@@ -241,7 +241,7 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer
{
         if (tgt != null) {
             long refreshTime = getRefreshTime(tgt);
             long now = System.currentTimeMillis();
-            if (now >= refreshTime) {
+            //if (now >= refreshTime) {
                 try {
                     LOG.info("Renewing TGT for "+tgt.getClient());
                     tgt.refresh();
@@ -249,19 +249,21 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer
{
                 } catch (RefreshFailedException e) {
                     LOG.warn("Failed to refresh TGT", e);
                 }
-            }
+            //}
         }
     }
 
     public static void main(String[] args) throws Exception {
+        
         AutoTGT at = new AutoTGT();
         Map conf = new java.util.HashMap();
         conf.put("java.security.auth.login.config", args[0]);
         at.prepare(conf);
         Map<String,String> creds = new java.util.HashMap<String,String>();
         at.populateCredentials(creds);
-        Subject s = new Subject();
-        at.populateSubject(s, creds);
-        LOG.info("Got a Subject "+s);
+        at.renew(creds);
+        //Subject s = new Subject();
+        //at.populateSubject(s, creds);
+        //LOG.info("Got a Subject "+s);
     }
 }
{code}

I then called it.

{code}
java -cp ./storm-core-0.9.2-incubating-security.jar:./storm/lib/\* backtype.storm.security.auth.kerberos.AutoTGT
 jaas.conf
{code}

The contents of jaas.conf are
{code}
StormClient {
   com.sun.security.auth.module.Krb5LoginModule required
   doNotPrompt=false
   useTicketCache=true
   serviceName="storm";
};
{code}

I end up with the following error as part of the output.
{code}
294  [main] INFO  backtype.storm.security.auth.kerberos.AutoTGT - Pushing TGT for me@TEST.COM
to topology.
313  [main] INFO  backtype.storm.security.auth.kerberos.AutoTGT - Renewing TGT for me@TEST.COM
452  [main] WARN  backtype.storm.security.auth.kerberos.AutoTGT - Failed to refresh TGT
javax.security.auth.RefreshFailedException: Failed to renew Kerberos Ticket for client me@TEST.COM
and server krbtgt/TEST.COM@TEST.COM - Message stream modified (41)
        at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:575) ~[na:1.7.0_17]
        at backtype.storm.security.auth.kerberos.AutoTGT.renew(AutoTGT.java:247) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
        at backtype.storm.security.auth.kerberos.AutoTGT.main(AutoTGT.java:264) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
        at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:80) ~[na:1.7.0_17]
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:88) ~[na:1.7.0_17]
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192) ~[na:1.7.0_17]
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203) ~[na:1.7.0_17]
        at sun.security.krb5.Credentials.renew(Credentials.java:259) ~[na:1.7.0_17]
        at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:567) ~[na:1.7.0_17]
        ... 2 common frames omitted
{code}

Turning on debug with -Dsun.security.krb5.debug=true is not that much better
{code}
>>>KinitOptions cache name is /tmp/krb5cc_38795
>>>DEBUG <CCacheInputStream>  client principal is me@TEST.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/TEST.COM@TEST.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Wed Jul 02 16:19:06 UTC 2014
>>>DEBUG <CCacheInputStream> start time: Wed Jul 02 16:19:02 UTC 2014
>>>DEBUG <CCacheInputStream> end time: Thu Jul 03 02:19:06 UTC 2014
>>>DEBUG <CCacheInputStream> renew_till time: Wed Jul 09 16:19:02 UTC 2014
>>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
Config name: /etc/krb5.conf
297  [main] INFO  backtype.storm.security.auth.kerberos.AutoTGT - Pushing TGT for me@TEST.COM
to topology.
316  [main] INFO  backtype.storm.security.auth.kerberos.AutoTGT - Renewing TGT for me@TEST.COM
default etypes for default_tgs_enctypes: 23 16 17 18.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
>>> KrbKdcReq send: kdc=kdc1.test.com. TCP:88, timeout=30000, number of retries =3,
#bytes=1798
>>> KDCCommunication: kdc=kdc1.test.com. TCP:88, timeout=30000,Attempt =1, #bytes=1798
>>>DEBUG: TCPClient reading 1804 bytes
>>> KrbKdcReq send: #bytes read=1804
>>> KdcAccessibility: remove kdc1.test.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
453  [main] WARN  backtype.storm.security.auth.kerberos.AutoTGT - Failed to refresh TGT
javax.security.auth.RefreshFailedException: Failed to renew Kerberos Ticket for client me@TEST.COM
and server krbtgt/TEST.COM@TEST.COM - Message stream modified (41)
        at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:575) ~[na:1.7.0_17]
        at backtype.storm.security.auth.kerberos.AutoTGT.renew(AutoTGT.java:247) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
        at backtype.storm.security.auth.kerberos.AutoTGT.main(AutoTGT.java:264) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
        at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:80) ~[na:1.7.0_17]
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:88) ~[na:1.7.0_17]
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192) ~[na:1.7.0_17]
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203) ~[na:1.7.0_17]
        at sun.security.krb5.Credentials.renew(Credentials.java:259) ~[na:1.7.0_17]
        at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:567) ~[na:1.7.0_17]
        ... 2 common frames omitted
{code}

> (Security) AutoTGT renewal is not working
> -----------------------------------------
>
>                 Key: STORM-345
>                 URL: https://issues.apache.org/jira/browse/STORM-345
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>            Reporter: Robert Joseph Evans
>            Assignee: Raghavendra Nandagopal
>              Labels: security
>
> AutoTGT will call tgt.refresh(); to try and renew a token, but ever time we try to make
this work the java code blows up with some very odd errors.
> Either we need to find some configurations and document them on how to make this work.
> Rip out the renewal code and update the documentation to explain that the renewal is
not supported.
> Find another way to renew the TGT (Some other library)



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message