Hadoop Common / HADOOP-6947

Kerberos relogin should set refreshKrb5Config to true

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0, 0.22.0
    • Fix Version/s: 1.1.0, 0.22.0
    • Component/s: security
    • Labels: None
    • Hadoop Flags: Reviewed

      Description

      In working on securing a daemon that uses two different principals from different threads, I found that I wasn't able to login from a second keytab after I'd logged in from the first. This is because we don't set the refreshKrb5Config in the Configuration for the Krb5LoginModule - hence it won't switch over to the correct keytab file if it's different than the first.

      Attachments

      1. hadoop-6947-branch20.txt (3 kB, Todd Lipcon)
      2. hadoop-6947.txt (3 kB, Todd Lipcon)

        Activity

        Devaraj Das added a comment -

        I am going to commit this to branch-1.

        Hudson added a comment -

        Integrated in Hadoop-Common-trunk #494 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk/494/)
        HADOOP-6947. Kerberos relogin should set refreshKrb5Config to true. Contributed by Todd Lipcon.

        Hudson added a comment -

        Integrated in Hadoop-Common-trunk-Commit #400 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk-Commit/400/)
        HADOOP-6947. Kerberos relogin should set refreshKrb5Config to true. Contributed by Todd Lipcon.

        Tom White added a comment -

        I've just committed this. Thanks Todd!

        Todd Lipcon added a comment -

        Ah, I misremembered, I guess we are in the same boat. Hopefully someone else will pick this up and commit. Thanks Kan!

        Kan Zhang added a comment -

        Todd, sorry for late reply. I just got back after a long leave. And sorry for not being able to commit it as I'm not a committer yet.

        Todd Lipcon added a comment -

        Kan, mind committing this? It got +1 from you and Hudson.

        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12454185/hadoop-6947.txt
        against trunk revision 995285.

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 5 new or modified tests.

        -1 javadoc. The javadoc tool appears to have generated 1 warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed core unit tests.

        +1 contrib tests. The patch passed contrib unit tests.

        +1 system tests framework. The patch passed system tests framework compile.

        Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/681/testReport/
        Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/681/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
        Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/681/artifact/trunk/build/test/checkstyle-errors.html
        Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/681/console

        This message is automatically generated.

        Kan Zhang added a comment -

        +1. We noticed this too. Just haven't got around to fix it. Thanks.

        Todd Lipcon added a comment -

        Same patch for trunk - also ran the manual test on trunk to verify.

        Todd Lipcon added a comment -

        branch 20 fix not for commit, trunk coming in a few moments.

        Todd Lipcon added a comment -

        There is no automatic test capability for keytab logins, so I wrote a manual test that can be run in a kerberized environment. The test takes as arguments the paths and principals for two separate keytabs and tries to login as each in turn and verify the resulting UGI.

        Without the refreshKrb5Config option, it fails with this error:

        [todd@minotaur01 hadoop]$ HADOOP_CLASSPATH=build/test/classes/ ./bin/hadoop org.apache.hadoop.security.ManualTestKeytabLogins hbase/rs@MINOTAUR.CLOUDERA.COM ~/haus-cluster/hbase-minotaur-security/rs.keytab  hbase/master@MINOTAUR.CLOUDERA.COM ~/haus-cluster/hbase-minotaur-security/master.keytab 
        UGI 1 = hbase/rs@MINOTAUR.CLOUDERA.COM
        Exception in thread "main" java.io.IOException: Login failure for hbase/master@MINOTAUR.CLOUDERA.COM from keytab /home/todd/haus-cluster/hbase-minotaur-security/master.keytab
                at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:681)
                at org.apache.hadoop.security.ManualTestKeytabLogins.main(ManualTestKeytabLogins.java:49)
        Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
                at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789)

        With the fix:

        [todd@minotaur01 hadoop]$ HADOOP_CLASSPATH=build/test/classes/ ./bin/hadoop org.apache.hadoop.security.ManualTestKeytabLogins hbase/rs@MINOTAUR.CLOUDERA.COM ~/haus-cluster/hbase-minotaur-security/rs.keytab  hbase/master@MINOTAUR.CLOUDERA.COM ~/haus-cluster/hbase-minotaur-security/master.keytab 
        UGI 1 = hbase/rs@MINOTAUR.CLOUDERA.COM
        UGI 2 = hbase/master@MINOTAUR.CLOUDERA.COM
        
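        The description and the manual test above both come down to one Krb5LoginModule option. The following is an added example, written for this page and not Hadoop's own UserGroupInformation code nor Todd's ManualTestKeytabLogins: a programmatic JAAS Configuration for the Sun Krb5LoginModule that logs in from two keytabs in turn inside one JVM, with refreshKrb5Config settable so the reported failure can be compared against the fixed behaviour. The class name KeytabLoginDemo, the JAAS entry name "keytab-login" and the -Dnorefresh system property are names chosen here, not anything from Hadoop. Running main needs a kerberized environment with a reachable KDC and two keytabs; there is no way to exercise a keytab login offline.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added illustration (not Hadoop's code): a programmatic JAAS Configuration
 * for com.sun.security.auth.module.Krb5LoginModule that logs in from a keytab
 * and asks the module to re-read its Kerberos configuration before each login
 * (refreshKrb5Config=true), so a later login from a different keytab in the
 * same JVM is honoured instead of reusing what the first login cached.
 */
public class KeytabLoginDemo {

    /** Builds the Krb5LoginModule options for one principal/keytab pair. */
    static Map<String, String> keytabOptions(String principal, String keytab, boolean refresh) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        // A daemon has no CallbackHandler, so never fall back to an interactive
        // password prompt: a key missing from the keytab should fail the login
        // outright rather than reach the promptForPass path seen in the report.
        opts.put("doNotPrompt", "true");
        // The setting this issue is about. false reproduces the reported
        // failure on the second login; true is the fixed behaviour.
        opts.put("refreshKrb5Config", Boolean.toString(refresh));
        return opts;
    }

    /** A Configuration that serves exactly one Krb5LoginModule entry. */
    static Configuration keytabConfiguration(String principal, String keytab, boolean refresh) {
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED,
                keytabOptions(principal, keytab, refresh));
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Logs in from the keytab and returns the authenticated Subject. */
    static Subject loginFromKeytab(String principal, String keytab, boolean refresh)
            throws LoginException {
        // "keytab-login" is an arbitrary entry name; our Configuration ignores it.
        LoginContext lc = new LoginContext("keytab-login", new Subject(), null,
                keytabConfiguration(principal, keytab, refresh));
        lc.login();
        return lc.getSubject();
    }

    /** Returns the Kerberos principal name the login produced, or null. */
    static String principalName(Subject subject) {
        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            return p.getName();
        }
        return null;
    }

    /**
     * Usage: java KeytabLoginDemo principal1 keytab1 principal2 keytab2
     * Add -Dnorefresh=true to run with refreshKrb5Config=false (the bug).
     */
    public static void main(String[] args) throws LoginException {
        boolean refresh = !Boolean.getBoolean("norefresh");
        Subject first = loginFromKeytab(args[0], args[1], refresh);
        System.out.println("UGI 1 = " + principalName(first));
        Subject second = loginFromKeytab(args[2], args[3], refresh);
        System.out.println("UGI 2 = " + principalName(second));
    }
}
```

        Run with -Dnorefresh=true and the second loginFromKeytab call is the one expected to fail, as in the manual test output above; with the default (refreshKrb5Config=true) both principal names should print. The option names used here (useKeyTab, keyTab, principal, storeKey, doNotPrompt, refreshKrb5Config) are the documented Krb5LoginModule options; doNotPrompt is an addition beyond what the issue discusses and only changes how a failed keytab lookup is reported.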

          People

          • Assignee: Todd Lipcon
          • Reporter: Todd Lipcon
          • Votes: 0
          • Watchers: 7