Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-20993

[Auth] IPC client fallback to simple auth allowed doesn't work

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • 1.2.6, 1.3.2, 1.2.7, 1.4.7
    • None
    • Client, IPC/RPC, security
    • None

    Description

      It is easily reproducible.
      client's hbase-site.xml: hadoop.security.authentication:kerberos, hbase.security.authentication:kerberos, hbase.ipc.client.fallback-to-simple-auth-allowed:true, keytab and principal are right set

      A simple auth hbase cluster, a kerberized hbase client application. application trying to r/w/c/d table will have following exception:

      javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
      	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
      	at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:179)
      	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:617)
      	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$700(RpcClientImpl.java:162)
      	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:743)
      	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:740)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.Subject.doAs(Subject.java:422)
      	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)
      	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:740)
      	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.writeRequest(RpcClientImpl.java:906)
      	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.tracedWriteRequest(RpcClientImpl.java:873)
      	at org.apache.hadoop.hbase.ipc.RpcClientImpl.call(RpcClientImpl.java:1241)
      	at org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:227)
      	at org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:336)
      	at org.apache.hadoop.hbase.protobuf.generated.MasterProtos$MasterService$BlockingStub.isMasterRunning(MasterProtos.java:58383)
      	at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation$MasterServiceStubMaker.isMasterRunning(ConnectionManager.java:1592)
      	at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation$StubMaker.makeStubNoRetries(ConnectionManager.java:1530)
      	at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation$StubMaker.makeStub(ConnectionManager.java:1552)
      	at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation$MasterServiceStubMaker.makeStub(ConnectionManager.java:1581)
      	at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation.getKeepAliveMasterService(ConnectionManager.java:1738)
      	at org.apache.hadoop.hbase.client.MasterCallable.prepare(MasterCallable.java:38)
      	at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:134)
      	at org.apache.hadoop.hbase.client.HBaseAdmin.executeCallable(HBaseAdmin.java:4297)
      	at org.apache.hadoop.hbase.client.HBaseAdmin.executeCallable(HBaseAdmin.java:4289)
      	at org.apache.hadoop.hbase.client.HBaseAdmin.createTableAsyncV2(HBaseAdmin.java:753)
      	at org.apache.hadoop.hbase.client.HBaseAdmin.createTable(HBaseAdmin.java:674)
      	at org.apache.hadoop.hbase.client.HBaseAdmin.createTable(HBaseAdmin.java:607)
      	at org.playground.hbase.KerberizedClientFallback.main(KerberizedClientFallback.java:55)
      Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
      	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
      	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
      	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
      	at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
      	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
      	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
      	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
      

      Attachments

        1. HBASE-20993.001.patch
          2 kB
          Jack Bearden
        2. HBASE-20993.003.branch-1.flowchart.png
          52 kB
          Jack Bearden
        3. HBASE-20993.branch-1.002.patch
          17 kB
          Jack Bearden
        4. HBASE-20993.branch-1.003.patch
          18 kB
          Jack Bearden
        5. HBASE-20993.branch-1.004.patch
          17 kB
          Jack Bearden
        6. HBASE-20993.branch-1.005.patch
          22 kB
          Jack Bearden
        7. HBASE-20993.branch-1.006.patch
          25 kB
          Jack Bearden
        8. HBASE-20993.branch-1.007.patch
          25 kB
          Jack Bearden
        9. HBASE-20993.branch-1.008.patch
          26 kB
          Jack Bearden
        10. HBASE-20993.branch-1.009.patch
          27 kB
          Reid Chan
        11. HBASE-20993.branch-1.009.patch
          27 kB
          Jack Bearden
        12. HBASE-20993.branch-1.010.patch
          21 kB
          Reid Chan
        13. HBASE-20993.branch-1.011.patch
          24 kB
          Reid Chan
        14. HBASE-20993.branch-1.012.patch
          24 kB
          Reid Chan
        15. HBASE-20993.branch-1.013.patch
          26 kB
          Reid Chan
        16. HBASE-20993.branch-1.2.001.patch
          2 kB
          Jack Bearden
        17. HBASE-20993.branch-1.wip.002.patch
          8 kB
          Reid Chan
        18. HBASE-20993.branch-1.wip.patch
          6 kB
          Reid Chan
        19. yetus-local-testpatch-output-009.txt
          15 kB
          Jack Bearden

        Issue Links

          Activity

            People

              Unassigned Unassigned
              reidchan Reid Chan
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

                Created:
                Updated: