Hadoop Common
  1. Hadoop Common
  2. HADOOP-6947

Kerberos relogin should set refreshKrb5Config to true

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0, 0.22.0
    • Fix Version/s: 1.1.0, 0.22.0
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      In working on securing a daemon that uses two different principals from different threads, I found that I wasn't able to login from a second keytab after I'd logged in from the first. This is because we don't set the refreshKrb5Config in the Configuration for the Krb5LoginModule - hence it won't switch over to the correct keytab file if it's different than the first.

      1. hadoop-6947.txt
        3 kB
        Todd Lipcon
      2. hadoop-6947-branch20.txt
        3 kB
        Todd Lipcon

        Issue Links

          Activity

          Hide
          Todd Lipcon added a comment -

          There is no automatic test capability for keytab logins, so I wrote a manual test that can be run in a kerberized environment. The test takes as arguments the paths and principals for two separate keytabs and tries to login as each in turn and verify the resulting UGI.

          Without the refreshKrb5Config option, it fails with this error:

          [todd@minotaur01 hadoop]$ HADOOP_CLASSPATH=build/test/classes/ ./bin/hadoop org.apache.hadoop.security.ManualTestKeytabLogins hbase/rs@MINOTAUR.CLOUDERA.COM ~/haus-cluster/hbase-minotaur-security/rs.keytab  hbase/master@MINOTAUR.CLOUDERA.COM ~/haus-cluster/hbase-minotaur-security/master.keytab 
          UGI 1 = hbase/rs@MINOTAUR.CLOUDERA.COM
          Exception in thread "main" java.io.IOException: Login failure for hbase/master@MINOTAUR.CLOUDERA.COM from keytab /home/todd/haus-cluster/hbase-minotaur-security/master.keytab
                  at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:681)
                  at org.apache.hadoop.security.ManualTestKeytabLogins.main(ManualTestKeytabLogins.java:49)
          Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
          
                  at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789)
          

          With the fix:

          [todd@minotaur01 hadoop]$ HADOOP_CLASSPATH=build/test/classes/ ./bin/hadoop org.apache.hadoop.security.ManualTestKeytabLogins hbase/rs@MINOTAUR.CLOUDERA.COM ~/haus-cluster/hbase-minotaur-security/rs.keytab  hbase/master@MINOTAUR.CLOUDERA.COM ~/haus-cluster/hbase-minotaur-security/master.keytab 
          UGI 1 = hbase/rs@MINOTAUR.CLOUDERA.COM
          UGI 2 = hbase/master@MINOTAUR.CLOUDERA.COM
          
          Show
          Todd Lipcon added a comment - There is no automatic test capability for keytab logins, so I wrote a manual test that can be run in a kerberized environment. The test takes as arguments the paths and principals for two separate keytabs and tries to login as each in turn and verify the resulting UGI. Without the refreshKrb5Config option, it fails with this error: [todd@minotaur01 hadoop]$ HADOOP_CLASSPATH=build/test/classes/ ./bin/hadoop org.apache.hadoop.security.ManualTestKeytabLogins hbase/rs@MINOTAUR.CLOUDERA.COM ~/haus-cluster/hbase-minotaur-security/rs.keytab hbase/master@MINOTAUR.CLOUDERA.COM ~/haus-cluster/hbase-minotaur-security/master.keytab UGI 1 = hbase/rs@MINOTAUR.CLOUDERA.COM Exception in thread "main" java.io.IOException: Login failure for hbase/master@MINOTAUR.CLOUDERA.COM from keytab /home/todd/haus-cluster/hbase-minotaur-security/master.keytab at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:681) at org.apache.hadoop.security.ManualTestKeytabLogins.main(ManualTestKeytabLogins.java:49) Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789) With the fix: [todd@minotaur01 hadoop]$ HADOOP_CLASSPATH=build/test/classes/ ./bin/hadoop org.apache.hadoop.security.ManualTestKeytabLogins hbase/rs@MINOTAUR.CLOUDERA.COM ~/haus-cluster/hbase-minotaur-security/rs.keytab hbase/master@MINOTAUR.CLOUDERA.COM ~/haus-cluster/hbase-minotaur-security/master.keytab UGI 1 = hbase/rs@MINOTAUR.CLOUDERA.COM UGI 2 = hbase/master@MINOTAUR.CLOUDERA.COM
          Hide
          Todd Lipcon added a comment -

          branch 20 fix not for commit, trunk coming in a few moments.

          Show
          Todd Lipcon added a comment - branch 20 fix not for commit, trunk coming in a few moments.
          Hide
          Todd Lipcon added a comment -

          Same patch for trunk - also ran the manual test on trunk to verify.

          Show
          Todd Lipcon added a comment - Same patch for trunk - also ran the manual test on trunk to verify.
          Hide
          Kan Zhang added a comment -

          +1. We noticed this too. Just haven't got around to fix it. Thanks.

          Show
          Kan Zhang added a comment - +1. We noticed this too. Just haven't got around to fix it. Thanks.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12454185/hadoop-6947.txt
          against trunk revision 995285.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 5 new or modified tests.

          -1 javadoc. The javadoc tool appears to have generated 1 warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system tests framework. The patch passed system tests framework compile.

          Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/681/testReport/
          Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/681/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/681/artifact/trunk/build/test/checkstyle-errors.html
          Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/681/console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12454185/hadoop-6947.txt against trunk revision 995285. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 5 new or modified tests. -1 javadoc. The javadoc tool appears to have generated 1 warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. +1 system tests framework. The patch passed system tests framework compile. Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/681/testReport/ Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/681/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/681/artifact/trunk/build/test/checkstyle-errors.html Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/681/console This message is automatically generated.
          Hide
          Todd Lipcon added a comment -

          Kan, mind committing this? It got +1 from you and Hudson.

          Show
          Todd Lipcon added a comment - Kan, mind committing this? It got +1 from you and Hudson.
          Hide
          Kan Zhang added a comment -

          Todd, sorry for late reply. I just got back after a long leave. And sorry for not being able to commit it as I'm not a committer yet.

          Show
          Kan Zhang added a comment - Todd, sorry for late reply. I just got back after a long leave. And sorry for not being able to commit it as I'm not a committer yet.
          Hide
          Todd Lipcon added a comment -

          Ah, I misremembered, I guess we are in the same boat Hopefully someone else will pick this up and commit. Thanks Kan!

          Show
          Todd Lipcon added a comment - Ah, I misremembered, I guess we are in the same boat Hopefully someone else will pick this up and commit. Thanks Kan!
          Hide
          Tom White added a comment -

          I've just committed this. Thanks Todd!

          Show
          Tom White added a comment - I've just committed this. Thanks Todd!
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-trunk-Commit #400 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk-Commit/400/)
          HADOOP-6947. Kerberos relogin should set refreshKrb5Config to true. Contributed by Todd Lipcon.

          Show
          Hudson added a comment - Integrated in Hadoop-Common-trunk-Commit #400 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk-Commit/400/ ) HADOOP-6947 . Kerberos relogin should set refreshKrb5Config to true. Contributed by Todd Lipcon.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-trunk #494 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk/494/)
          HADOOP-6947. Kerberos relogin should set refreshKrb5Config to true. Contributed by Todd Lipcon.

          Show
          Hudson added a comment - Integrated in Hadoop-Common-trunk #494 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk/494/ ) HADOOP-6947 . Kerberos relogin should set refreshKrb5Config to true. Contributed by Todd Lipcon.
          Hide
          Devaraj Das added a comment -

          I am going to commit this to branch-1.

          Show
          Devaraj Das added a comment - I am going to commit this to branch-1.

            People

            • Assignee:
              Todd Lipcon
              Reporter:
              Todd Lipcon
            • Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development