Hadoop Common
  1. Hadoop Common
  2. HADOOP-8346

Changes to support Kerberos with non Sun JVM (HADOOP-6941) broke SPNEGO

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.0.3, 2.0.0-alpha, 3.0.0
    • Fix Version/s: 1.0.3, 0.23.7
    • Component/s: security
    • Labels:
      None

      Description

      before HADOOP-6941 hadoop-auth testcases with Kerberos ON pass, mvn test -PtestKerberos

      after HADOOP-6941 the tests fail with the error below.

      Doing some IDE debugging I've found out that the changes in HADOOP-6941 are making the JVM Kerberos libraries to append an extra element to the kerberos principal of the server (on the client side when creating the token) so HTTP/localhost ends up being HTTP/localhost/localhost. Then, when contacting the KDC to get the granting ticket, the server principal is unknown.

      testAuthenticationPost(org.apache.hadoop.security.authentication.client.TestKerberosAuthenticator)  Time elapsed: 0.053 sec  <<< ERROR!
      org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
      	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:236)
      	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:142)
      	at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217)
      	at org.apache.hadoop.security.authentication.client.AuthenticatorTestCase._testAuthentication(AuthenticatorTestCase.java:124)
      	at org.apache.hadoop.security.authentication.client.TestKerberosAuthenticator$2.call(TestKerberosAuthenticator.java:77)
      	at org.apache.hadoop.security.authentication.client.TestKerberosAuthenticator$2.call(TestKerberosAuthenticator.java:74)
      	at org.apache.hadoop.security.authentication.KerberosTestUtils$1.run(KerberosTestUtils.java:111)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.Subject.doAs(Subject.java:396)
      	at org.apache.hadoop.security.authentication.KerberosTestUtils.doAs(KerberosTestUtils.java:108)
      	at org.apache.hadoop.security.authentication.KerberosTestUtils.doAsClient(KerberosTestUtils.java:124)
      	at org.apache.hadoop.security.authentication.client.TestKerberosAuthenticator.testAuthenticationPost(TestKerberosAuthenticator.java:74)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      	at java.lang.reflect.Method.invoke(Method.java:597)
      	at junit.framework.TestCase.runTest(TestCase.java:168)
      	at junit.framework.TestCase.runBare(TestCase.java:134)
      	at junit.framework.TestResult$1.protect(TestResult.java:110)
      	at junit.framework.TestResult.runProtected(TestResult.java:128)
      	at junit.framework.TestResult.run(TestResult.java:113)
      	at junit.framework.TestCase.run(TestCase.java:124)
      	at junit.framework.TestSuite.runTest(TestSuite.java:243)
      	at junit.framework.TestSuite.run(TestSuite.java:238)
      	at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:83)
      	at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:236)
      	at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:134)
      	at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:113)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      	at java.lang.reflect.Method.invoke(Method.java:597)
      	at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189)
      	at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165)
      	at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85)
      	at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:103)
      	at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:74)
      Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
      	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
      	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
      	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
      	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:215)
      	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:191)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.Subject.doAs(Subject.java:396)
      	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:191)
      	... 36 more
      Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
      	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
      	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
      	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
      	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
      	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:575)
      	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
      	... 43 more
      Caused by: KrbException: Identifier doesn't match expected value (906)
      	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
      	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
      	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
      	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
      
      1. 8346-trunk.patch
        4 kB
        Devaraj Das
      2. 8346-trunk.patch
        4 kB
        Devaraj Das
      3. debugger.png
        104 kB
        Alejandro Abdelnur

        Activity

        Alejandro Abdelnur created issue -
        Devaraj Das made changes -
        Field Original Value New Value
        Assignee Devaraj Das [ devaraj ]
        Alejandro Abdelnur made changes -
        Attachment debugger.png [ 12525386 ]
        Devaraj Das made changes -
        Attachment 8346-trunk.patch [ 12525397 ]
        Devaraj Das made changes -
        Attachment 8346-trunk.patch [ 12525464 ]
        Devaraj Das made changes -
        Status Open [ 1 ] Patch Available [ 10002 ]
        Affects Version/s 1.0.3 [ 12320248 ]
        Fix Version/s 1.0.3 [ 12320248 ]
        Fix Version/s 2.0.0 [ 12320352 ]
        Devaraj Das made changes -
        Status Patch Available [ 10002 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Matt Foley made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Thomas Graves made changes -
        Fix Version/s 0.23.7 [ 12323956 ]

          People

          • Assignee:
            Devaraj Das
            Reporter:
            Alejandro Abdelnur
          • Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development