  1. Sentry (Retired)
  2. SENTRY-2554

TGT renewal is not retried if there are exceptions.


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Sentry
    • Labels: None

      Description

      It looks like there was an issue with the KDC server at some point in time. The error below shows the failure. Once Sentry gets a failure, it does not try to renew the certificate.

       

      A fix should be added to the Sentry code to retry renewing the TGT even after a login exception.

      javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
              at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
              at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
              at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
              at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
              at org.apache.sentry.service.thrift.SentryKerberosContext.loginWithNewContext(SentryKerberosContext.java:69)
              at org.apache.sentry.service.thrift.SentryKerberosContext.run(SentryKerberosContext.java:125)
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
              at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
              at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
              at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
              at java.lang.Thread.run(Thread.java:748)
      Caused by: KrbException: Client not found in Kerberos database (6)
              at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
              at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
              at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
              at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
              ... 20 more
      Caused by: KrbException: Identifier doesn't match expected value (906)
              at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
              at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
              at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
              at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
              ... 23 more
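
      One way to implement the retry requested above, as an added example (not Sentry's code and not part of the original report): the renewal task catches the login failure and reschedules itself with a capped backoff, so a temporary KDC problem does not end the renewal loop. KerberosLogin, RenewalTask and the intervals are hypothetical names and values, and the failing login is constructed to mimic a short KDC outage.

```java
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.login.LoginException;

public class TgtRenewalRetry {
    /** Hypothetical stand-in for the code that builds a LoginContext and calls login(). */
    interface KerberosLogin { void login() throws LoginException; }

    static final class RenewalTask implements Runnable {
        private final KerberosLogin login;
        private final ScheduledExecutorService scheduler;
        private final long renewMs, minRetryMs, maxRetryMs; // assumed intervals
        private long retryMs;

        RenewalTask(KerberosLogin login, ScheduledExecutorService scheduler,
                    long renewMs, long minRetryMs, long maxRetryMs) {
            this.login = login; this.scheduler = scheduler;
            this.renewMs = renewMs; this.minRetryMs = minRetryMs; this.maxRetryMs = maxRetryMs;
            this.retryMs = minRetryMs;
        }

        @Override public void run() {
            long next;
            try {
                login.login();
                retryMs = minRetryMs;   // success: reset the backoff
                next = renewMs;         // and wait a full renewal interval
            } catch (LoginException | RuntimeException e) {
                // Catch and log: an exception that escapes run() would end the renewal loop.
                System.err.println("TGT renewal failed, retry in " + retryMs + " ms: " + e.getMessage());
                next = retryMs;
                retryMs = Math.min(retryMs * 2, maxRetryMs); // capped exponential backoff
            }
            if (!scheduler.isShutdown()) scheduler.schedule(this, next, TimeUnit.MILLISECONDS);
        }
    }

    public static void main(String[] args) throws InterruptedException {
        ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
        AtomicInteger calls = new AtomicInteger();
        // Constructed KDC outage: the first two attempts fail, later ones succeed.
        KerberosLogin flaky = () -> {
            if (calls.incrementAndGet() <= 2) throw new LoginException("Client not found in Kerberos database (6)");
            System.out.println("login ok on attempt " + calls.get());
        };
        scheduler.execute(new RenewalTask(flaky, scheduler, 500, 50, 400));
        Thread.sleep(1000);     // let the demo run through failures and recovery
        scheduler.shutdownNow();
    }
}
```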

            People

            • Assignee: Kalyan Kalvagadda
            • Reporter: Kalyan Kalvagadda