Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
Description
As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout-login window.
As only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services.
Stack trace from sentry server if a client requests while server is renewing:
2016-05-17 11:13:57,768 (pool-9-thread-2) [ERROR - org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:315)] SASL negotiation failure
javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)]
    at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:113)
    at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(FactoryImpl.java:85)
    at javax.security.sasl.Sasl.createSaslServer(Sasl.java:509)
    at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:140)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:89)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192)
    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153)
    at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:96)
    ... 10 more
2016-05-17 11:13:57,769 (pool-9-thread-2) [ERROR - org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:296)] Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Failure to initialize security context
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.thrift.transport.TTransportException: Failure to initialize security context
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    ... 4 more
2016-05-17 11:13:57,769 (pool-9-thread-2) [DEBUG - org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:218)] failed to open server transport
org.apache.thrift.transport.TTransportException: Failure to initialize security context
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Stack trace from the client:
2016-05-17 11:13:57,769 (main) [DEBUG - org.apache.sentry.service.thrift.PoolClientInvocationHandler.invokeFromPool(PoolClientInvocationHandler.java:99)] Pool exception occured
java.io.IOException: Transport exception while opening transport: Peer indicated failure: Failure to initialize security context
    at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl.<init>(SentryPolicyServiceClientDefaultImpl.java:168)
    at org.apache.sentry.service.thrift.SentryServiceClientPoolFactory.create(SentryServiceClientPoolFactory.java:58)
    at org.apache.sentry.service.thrift.SentryServiceClientPoolFactory.create(SentryServiceClientPoolFactory.java:38)
    at org.apache.commons.pool2.BasePooledObjectFactory.makeObject(BasePooledObjectFactory.java:60)
    at org.apache.commons.pool2.impl.GenericObjectPool.create(GenericObjectPool.java:836)
    at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:434)
    at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:361)
    at org.apache.sentry.service.thrift.PoolClientInvocationHandler.invokeFromPool(PoolClientInvocationHandler.java:97)
    at org.apache.sentry.service.thrift.PoolClientInvocationHandler.invokeImpl(PoolClientInvocationHandler.java:70)
    at org.apache.sentry.service.thrift.SentryClientInvocationHandler.invoke(SentryClientInvocationHandler.java:41)
    at com.sun.proxy.$Proxy7.listRoles(Unknown Source)
    at org.apache.sentry.service.thrift.SentryServiceIntegrationBase$1.runTestAsSubject(SentryServiceIntegrationBase.java:227)
    at org.apache.sentry.service.thrift.SentryServiceIntegrationBase$3.run(SentryServiceIntegrationBase.java:358)
    at org.apache.sentry.service.thrift.SentryServiceIntegrationBase$3.run(SentryServiceIntegrationBase.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:415)
    at org.apache.sentry.service.thrift.SentryServiceIntegrationBase.runTestAsSubject(SentryServiceIntegrationBase.java:355)
    at org.apache.sentry.service.thrift.SentryServiceIntegrationBase.after(SentryServiceIntegrationBase.java:223)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:45)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:42)
    at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:36)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:263)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:68)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:47)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:60)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:229)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:50)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:222)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
    at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:30)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:300)
    at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:367)
    at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:274)
    at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
    at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:161)
    at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:290)
    at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:242)
    at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:121)
Caused by: org.apache.thrift.transport.TTransportException: Peer indicated failure: Failure to initialize security context
    at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:199)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:277)
    at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
    at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl$UgiSaslClientTransport.baseOpen(SentryPolicyServiceClientDefaultImpl.java:130)
    at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl$UgiSaslClientTransport.open(SentryPolicyServiceClientDefaultImpl.java:108)
    at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl.<init>(SentryPolicyServiceClientDefaultImpl.java:166)
    ... 43 more
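
The logout-login window described in this report can be modelled with a JAAS `Subject` alone. The following is an added example, not code from Sentry or from the reporter: `ReloginWindowDemo`, `ServiceKey`, `relogin` and `requestDuringRenewal` are hypothetical names, a plain object stands in for the server's Kerberos key so that no KDC is needed, and latches hold the window open so the outcome is deterministic.

```java
import javax.security.auth.Subject;
import java.util.concurrent.CountDownLatch;

/** Added illustration: a model of the logout/login window, with no KDC or real keys. */
public class ReloginWindowDemo {
    /** Stand-in (assumption) for the service credential a JAAS login places in the Subject. */
    static final class ServiceKey { }

    /** What the acceptor does for each new connection: look up a credential in the Subject. */
    static boolean acceptConnection(Subject server) {
        return !server.getPrivateCredentials(ServiceKey.class).isEmpty();
    }

    /** Models renewThread: logout empties the Subject, login repopulates it. */
    static void relogin(Subject server, CountDownLatch loggedOut, CountDownLatch resume) {
        server.getPrivateCredentials().clear();               // logout()
        loggedOut.countDown();                                // the window is now open
        try {
            resume.await();                                   // held open so the demo is deterministic
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
        server.getPrivateCredentials().add(new ServiceKey()); // login()
    }

    /** Returns whether a client that connects while renewal is in progress is accepted. */
    static boolean requestDuringRenewal(boolean runRenewThread) throws InterruptedException {
        Subject server = new Subject();
        server.getPrivateCredentials().add(new ServiceKey()); // initial login at startup
        if (!runRenewThread) {
            return acceptConnection(server);                  // nothing ever clears the Subject
        }
        CountDownLatch loggedOut = new CountDownLatch(1);
        CountDownLatch resume = new CountDownLatch(1);
        Thread renew = new Thread(() -> relogin(server, loggedOut, resume), "renewThread");
        renew.start();
        loggedOut.await();                                    // client arrives after logout, before login
        boolean accepted = acceptConnection(server);
        resume.countDown();
        renew.join();
        return accepted;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("renewThread running : accepted=" + requestDuringRenewal(true));
        System.out.println("renewThread disabled: accepted=" + requestDuringRenewal(false));
    }
}
```

The rejected request in the first case corresponds to the server-side `No valid credentials provided` failure in the trace above.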
Issue Links
- is duplicated by: SENTRY-662 SentryServiceIntegrationBase should use UGI based login (Resolved)
- relates to: SENTRY-428 Sentry service should periodically renew the server kerberos ticket (Resolved)
- links to