Date: Wed, 2 Jul 2014 16:37:27 +0000 (UTC)
From: "Robert Joseph Evans (JIRA)"
To: dev@storm.incubator.apache.org
Subject: [jira] [Commented] (STORM-345) (Security) AutoTGT renewal is not working

[ https://issues.apache.org/jira/browse/STORM-345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14050299#comment-14050299 ]

Robert Joseph Evans commented on STORM-345:
-------------------------------------------

I am getting an error when I try to actually renew the ticket. I modified AutoTGT in the following way.

{code}
diff --git a/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java b/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java index 52bf540..a474e5d 100644 --- a/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java +++ b/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java @@ -241,7 +241,7 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer { if (tgt != null) { long refreshTime = getRefreshTime(tgt); long now = System.currentTimeMillis(); - if (now >= refreshTime) { + //if (now >= refreshTime) { try { LOG.info("Renewing TGT for "+tgt.getClient()); tgt.refresh();
@@ -249,19 +249,21 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer { } catch (RefreshFailedException e) { LOG.warn("Failed to refresh TGT", e); } - } + //} } } public static void main(String[] args) throws Exception { + AutoTGT at = new AutoTGT(); Map conf = new java.util.HashMap(); conf.put("java.security.auth.login.config", args[0]); at.prepare(conf); Map creds = new java.util.HashMap(); at.populateCredentials(creds); - Subject s = new Subject(); - at.populateSubject(s, creds); - LOG.info("Got a Subject "+s); + at.renew(creds); + //Subject s = new Subject(); + //at.populateSubject(s, creds); + //LOG.info("Got a Subject "+s); } }
{code}

I then called it.

{code}
java -cp ./storm-core-0.9.2-incubating-security.jar:./storm/lib/\* backtype.storm.security.auth.kerberos.AutoTGT jaas.conf
{code}

The contents of jaas.conf are

{code}
StormClient {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=false
    useTicketCache=true
    serviceName="storm";
};
{code}

I end up with the following error as part of the output.

{code}
294 [main] INFO backtype.storm.security.auth.kerberos.AutoTGT - Pushing TGT for me@TEST.COM to topology.
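Review bot: in the `@@ -241,7` hunk, turning `if (now >= refreshTime) {` into `//if (now >= refreshTime) {` makes renew() attempt `tgt.refresh()` on every call, which is fine as a reproduction aid but must not be merged; the result is still informative, because the ticket in the debug output is far from both its end time (Jul 03) and its renew_till (Jul 09), so the refresh-time check is not what is failing. For experiments, a flag read next to `getRefreshTime(tgt)` beats commented-out code, which is easy to commit by accident.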
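Review bot: in the `@@ -249,19` hunk, renew() still reports failure only through `LOG.warn("Failed to refresh TGT", e)`, so the new `main()` exits with status 0 even when `at.renew(creds)` fails; for a harness meant to prove renewal works, have main() compare the ticket's end time before and after `at.renew(creds)` and exit non-zero when it has not moved. Two smaller points: `+ AutoTGT at = new AutoTGT();` is the only declaration of `at` in the hunk while the unchanged `at.prepare(conf);` already used it, so either the pre-change main() did not compile or a line was lost in the paste and the hunk should be checked; and `Map conf = new java.util.HashMap();` and `Map creds` are raw types that should carry type parameters.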
313 [main] INFO backtype.storm.security.auth.kerberos.AutoTGT - Renewing TGT for me@TEST.COM
452 [main] WARN backtype.storm.security.auth.kerberos.AutoTGT - Failed to refresh TGT
javax.security.auth.RefreshFailedException: Failed to renew Kerberos Ticket for client me@TEST.COM and server krbtgt/TEST.COM@TEST.COM - Message stream modified (41)
	at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:575) ~[na:1.7.0_17]
	at backtype.storm.security.auth.kerberos.AutoTGT.renew(AutoTGT.java:247) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
	at backtype.storm.security.auth.kerberos.AutoTGT.main(AutoTGT.java:264) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
	at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:80) ~[na:1.7.0_17]
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:88) ~[na:1.7.0_17]
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192) ~[na:1.7.0_17]
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203) ~[na:1.7.0_17]
	at sun.security.krb5.Credentials.renew(Credentials.java:259) ~[na:1.7.0_17]
	at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:567) ~[na:1.7.0_17]
	... 2 common frames omitted
{code}

Turning on debug with -Dsun.security.krb5.debug=true is not that much better.

{code}
>>>KinitOptions cache name is /tmp/krb5cc_38795
>>>DEBUG client principal is me@TEST.COM
>>>DEBUG server principal is krbtgt/TEST.COM@TEST.COM
>>>DEBUG key type: 18
>>>DEBUG auth time: Wed Jul 02 16:19:06 UTC 2014
>>>DEBUG start time: Wed Jul 02 16:19:02 UTC 2014
>>>DEBUG end time: Thu Jul 03 02:19:06 UTC 2014
>>>DEBUG renew_till time: Wed Jul 09 16:19:02 UTC 2014
>>> CCacheInputStream: readFlags() FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
Config name: /etc/krb5.conf
297 [main] INFO backtype.storm.security.auth.kerberos.AutoTGT - Pushing TGT for me@TEST.COM to topology.
316 [main] INFO backtype.storm.security.auth.kerberos.AutoTGT - Renewing TGT for me@TEST.COM
default etypes for default_tgs_enctypes: 23 16 17 18.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
>>> KrbKdcReq send: kdc=kdc1.test.com. TCP:88, timeout=30000, number of retries =3, #bytes=1798
>>> KDCCommunication: kdc=kdc1.test.com. TCP:88, timeout=30000,Attempt =1, #bytes=1798
>>>DEBUG: TCPClient reading 1804 bytes
>>> KrbKdcReq send: #bytes read=1804
>>> KdcAccessibility: remove kdc1.test.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
453 [main] WARN backtype.storm.security.auth.kerberos.AutoTGT - Failed to refresh TGT
javax.security.auth.RefreshFailedException: Failed to renew Kerberos Ticket for client me@TEST.COM and server krbtgt/TEST.COM@TEST.COM - Message stream modified (41)
	at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:575) ~[na:1.7.0_17]
	at backtype.storm.security.auth.kerberos.AutoTGT.renew(AutoTGT.java:247) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
	at backtype.storm.security.auth.kerberos.AutoTGT.main(AutoTGT.java:264) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
	at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:80) ~[na:1.7.0_17]
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:88) ~[na:1.7.0_17]
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192) ~[na:1.7.0_17]
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203) ~[na:1.7.0_17]
	at sun.security.krb5.Credentials.renew(Credentials.java:259) ~[na:1.7.0_17]
	at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:567) ~[na:1.7.0_17]
	... 2 common frames omitted
{code}

> (Security) AutoTGT renewal is not working
> -----------------------------------------
>
> Key: STORM-345
> URL: https://issues.apache.org/jira/browse/STORM-345
> Project: Apache Storm (Incubating)
> Issue Type: Bug
> Reporter: Robert Joseph Evans
> Assignee: Raghavendra Nandagopal
> Labels: security
>
> AutoTGT will call tgt.refresh(); to try and renew a token, but every time we try to make this work the Java code blows up with some very odd errors.
> Either we need to find some configurations and document them on how to make this work.
> Rip out the renewal code and update the documentation to explain that the renewal is not supported.
> Find another way to renew the TGT (some other library).

--
This message was sent by Atlassian JIRA
(v6.2#6252)
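A stand-alone diagnostic harness for the renewal path the comment above is exercising, added here as an example; it is not code from the ticket, from the patch, or from Storm's AutoTGT. It assumes a JAAS entry named StormClient like the jaas.conf shown in the comment (supplied via -Djava.security.auth.login.config), a ticket cache that already holds a TGT, and its own "refresh once 80% of the ticket lifetime has elapsed" threshold in place of AutoTGT.getRefreshTime(), whose formula is not on the page. It prints the ticket's times and flags, decides whether renewal is even possible (RENEWABLE flag and renew_till), and on RefreshFailedException walks the cause chain so the KDC error (here "Message stream modified (41)") is visible and the process exits non-zero instead of logging a warning and carrying on.

```java
// TgtRenewCheck.java: added diagnostic example, not part of Storm or AutoTGT.
// Run with the jaas.conf from the ticket (path and entry name assumed):
//   java -Djava.security.auth.login.config=jaas.conf TgtRenewCheck StormClient
import java.util.Date;
import java.util.Set;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class TgtRenewCheck {

    /** Outcome of the pre-flight check before calling KerberosTicket.refresh(). */
    public enum Verdict { NOT_RENEWABLE, PAST_RENEW_TILL, NOT_YET_DUE, DUE }

    /**
     * Pure decision function, testable without a KDC. The "refresh once 80% of the
     * ticket lifetime has elapsed" rule is this example's assumption, not AutoTGT's
     * getRefreshTime(). renewTillMs is null when the ticket carries no renew_till.
     */
    public static Verdict verdict(boolean renewable, long startMs, long endMs,
                                  Long renewTillMs, long nowMs) {
        if (!renewable || renewTillMs == null) return Verdict.NOT_RENEWABLE;
        if (nowMs >= renewTillMs) return Verdict.PAST_RENEW_TILL;   // KDC will refuse
        long refreshAt = startMs + (long) ((endMs - startMs) * 0.8);
        return nowMs >= refreshAt ? Verdict.DUE : Verdict.NOT_YET_DUE;
    }

    public static Verdict verdict(KerberosTicket t, long nowMs) {
        // start time is optional in the ticket; auth time stands in for it
        Date start = t.getStartTime() != null ? t.getStartTime() : t.getAuthTime();
        Date renewTill = t.getRenewTill();
        return verdict(t.isRenewable(), start.getTime(), t.getEndTime().getTime(),
                       renewTill == null ? null : renewTill.getTime(), nowMs);
    }

    /** Attempt the refresh; on failure print the whole cause chain, then rethrow. */
    public static void refreshOrExplain(KerberosTicket t) throws RefreshFailedException {
        Date before = t.getEndTime();
        try {
            t.refresh();
        } catch (RefreshFailedException e) {
            for (Throwable c = e; c != null; c = c.getCause()) {
                System.err.println("cause: " + c.getClass().getName() + ": " + c.getMessage());
            }
            throw e;   // never swallow: the caller must know the TGT was not renewed
        }
        System.out.println("renewed: end time " + before + " -> " + t.getEndTime());
    }

    public static void main(String[] args) throws LoginException, RefreshFailedException {
        String entry = args.length > 0 ? args[0] : "StormClient";  // JAAS entry name
        LoginContext lc = new LoginContext(entry);                  // reads the ticket cache
        lc.login();
        Subject subject = lc.getSubject();
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        long now = System.currentTimeMillis();
        boolean sawTgt = false;
        for (KerberosTicket t : tickets) {
            if (!t.getServer().getName().startsWith("krbtgt/")) continue;  // TGT only
            sawTgt = true;
            System.out.printf("client=%s server=%s%n", t.getClient(), t.getServer());
            System.out.printf("start=%s end=%s renew_till=%s%n",
                    t.getStartTime(), t.getEndTime(), t.getRenewTill());
            System.out.printf("renewable=%b forwardable=%b initial=%b%n",
                    t.isRenewable(), t.isForwardable(), t.isInitial());
            Verdict v = verdict(t, now);
            System.out.println("verdict: " + v);
            if (v == Verdict.DUE || v == Verdict.NOT_YET_DUE) {
                refreshOrExplain(t);   // NOT_YET_DUE is tried too, to exercise the KDC path
            }
        }
        if (!sawTgt) {
            System.err.println("no krbtgt/ ticket in the Subject; check useTicketCache and the cache");
            System.exit(2);
        }
    }
}
```

The decision logic is kept separate from the JAAS and KDC calls so it can be unit-tested with the timestamps from the debug output above (start Jul 02 16:19, end Jul 03 02:19, renew_till Jul 09), while the refresh call itself needs a reachable KDC; an uncaught RefreshFailedException from main() gives a non-zero exit, which is the signal the original main() harness lacks.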