  1. Flume
  2. FLUME-2912

thrift Sources/Sinks can only authenticate with kerberos principal in format with hostname


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.6.0
    • Fix Version/s: None
    • Component/s: Sinks+Sources
    • Labels: None

    Description

      Using Thrift Sources/Sinks in a Kerberos environment, the Flume agents
      only work with a principal in the format "name/_HOST@YOUR-REALM.COM".
      If another valid principal in the format "name@YOUR-REALM.COM" is used, it hits the error "GSS initiate failed".

      Here's the configuration file:
      # Agent g1 component declarations
      g1.sources = source1
      g1.sinks = sink1
      g1.channels = channel1
      g1.sources.source1.type = spooldir
      g1.sources.source1.spoolDir = /test
      g1.sources.source1.fileHeader = false
      g1.sinks.sink1.type = thrift
      g1.sinks.sink1.hostname = localhost
      g1.sinks.sink1.port = 55555
      g1.channels.channel1.type = memory
      g1.channels.channel1.capacity = 1000
      g1.channels.channel1.transactionCapacity = 100
      g1.sources.source1.channels = channel1
      g1.sinks.sink1.channel = channel1
      g2.sources = source2
      g2.sinks = sink2
      g2.channels = channel2
      g2.sources.source2.type = thrift
      g2.sources.source2.bind = localhost
      g2.sources.source2.port = 55555
      g2.sinks.sink2.type = hdfs
      g2.sinks.sink2.hdfs.path = /tmp
      g2.sinks.sink2.hdfs.filePrefix = thriftData
      g2.sinks.sink2.hdfs.writeFormat = Text
      g2.sinks.sink2.hdfs.fileType = DataStream
      g2.channels.channel2.type = memory
      g2.channels.channel2.capacity = 1000
      g2.channels.channel2.transactionCapacity = 100
      g2.sources.source2.channels = channel2
      g2.sinks.sink2.channel = channel2
      g1.sinks.sink1.kerberos = true
      g1.sinks.sink1.client-principal = flume/hostname@XXX.COM
      g1.sinks.sink1.client-keytab = /etc/security/keytabs/flume-1563.server.keytab
      g1.sinks.sink1.server-principal = flume/hostname@XXX.COM
      g2.sources.source2.kerberos = true
      g2.sources.source2.agent-principal = flume/hostname@XXX.COM
      g2.sources.source2.agent-keytab = /etc/security/keytabs/flume-1563.server.keytab

      If another valid principal such as "test@IBM.COM" is used, as below, it hits the error:

      g1.sinks.sink1.kerberos = true
      g1.sinks.sink1.client-principal = test@IBM.COM
      g1.sinks.sink1.client-keytab = /home/test/test.keytab
      g1.sinks.sink1.server-principal = test@IBM.COM
      g2.sources.source2.kerberos = true
      g2.sources.source2.agent-principal = test@IBM.COM
      g2.sources.source2.agent-keytab = /home/test/test.keytab

      Agent g1:
      ERROR server.TThreadPoolServer: Error occurred during processing of message.
      java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Peer indicated failure: GSS initiate failed
          at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
          at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

      Agent g2:
      ERROR transport.TSaslTransport: SASL negotiation failure
      javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
          at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)


          People

            jrufus Johny Rufus
            wpwang Ping Wang
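
A config lint based on the behaviour reported in this issue, as an added example that is not part of the issue or of Flume's own code: it scans a Flume properties file for Kerberos-enabled thrift sources and sinks and flags principals that lack a host component. The sample input is constructed from the settings quoted in the description, and the function names are hypothetical.

```python
import re

# Constructed sample: the failing settings quoted in the issue, plus one
# principal in the working "name/host@REALM" format for contrast.
SAMPLE = """\
g1.sinks.sink1.type = thrift
g1.sinks.sink1.kerberos = true
g1.sinks.sink1.client-principal = test@IBM.COM
g1.sinks.sink1.server-principal = test@IBM.COM
g2.sources.source2.type = thrift
g2.sources.source2.kerberos = true
g2.sources.source2.agent-principal = flume/hostname@XXX.COM
"""

# Principal keys as they appear in the issue's configuration.
PRINCIPAL_KEYS = ("client-principal", "server-principal", "agent-principal")
# Kerberos principal layout: primary[/instance]@REALM
PRINCIPAL_RE = re.compile(r"^([^/@]+)(?:/(?P<instance>[^/@]+))?@([^/@]+)$")

def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def lint_thrift_principals(text):
    """Return (key, principal, reason) for each principal likely to fail."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        parts = key.split(".")  # expect <agent>.<sources|sinks>.<name>.type
        if len(parts) != 4 or parts[1] not in ("sources", "sinks") or parts[3] != "type":
            continue
        prefix = ".".join(parts[:3])
        if value != "thrift" or props.get(prefix + ".kerberos", "false").lower() != "true":
            continue
        for pkey in PRINCIPAL_KEYS:
            principal = props.get(f"{prefix}.{pkey}")
            if principal is None:
                continue
            match = PRINCIPAL_RE.match(principal)
            if match is None:
                findings.append((f"{prefix}.{pkey}", principal, "malformed"))
            elif match.group("instance") is None:
                findings.append((f"{prefix}.{pkey}", principal, "no host component"))
    return findings
```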