[ https://issues.apache.org/jira/browse/HADOOP-6632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12845021#action_12845021 ]

Kan Zhang commented on HADOOP-6632:
-----------------------------------

One error message we observed.

2010-03-03 07:33:50,542 INFO org.apache.hadoop.ipc.Server: IPC Server listener on 8020: readAndProcess threw exception javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))]. Count of bytes read: 0
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
        at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:913)
        at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1071)
        at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:459)
        at org.apache.hadoop.ipc.Server$Listener.run(Server.java:368)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
        ... 4 more
Caused by: KrbException: Request is a replay (34)
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:299)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
        ... 7 more

> Support for using different Kerberos keys for different instances of Hadoop services
> ------------------------------------------------------------------------------------
>
>                 Key: HADOOP-6632
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6632
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>
> We tested using the same Kerberos key for all datanodes in an HDFS cluster or 
> the same Kerberos key for all TaskTrackers in a MapRed cluster. But it 
> doesn't work. The reason is that when datanodes try to authenticate to the 
> namenode all at once, the Kerberos authenticators they send to the namenode 
> may have the same timestamp and will be rejected as replay requests. This 
> JIRA makes it possible to use a unique key for each service instance.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
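
Added example (not part of the original JIRA message, and not Hadoop or JDK code): a simplified Python model of an acceptor-side replay cache, showing why instances that share one principal collide when their authenticators carry the same timestamp, while per-instance principals do not. It assumes the cache key is the (client principal, ctime, cusec) tuple from the authenticator, as RFC 4120 describes; host names, realm, principal names and timestamps are constructed.

```python
from dataclasses import dataclass

OK = "ok"
REPLAY = "Request is a replay (34)"   # error text as seen in the log above
SKEW = "clock skew too great"

@dataclass(frozen=True)
class Authenticator:
    client: str   # client principal name
    ctime: int    # client timestamp, whole seconds
    cusec: int    # sub-second part of the client timestamp

class ReplayCache:
    """Simplified model: remembers authenticators seen inside the skew window."""

    def __init__(self, skew_seconds=300):
        self.skew = skew_seconds
        self.seen = {}   # (client, ctime, cusec) -> ctime

    def accept(self, auth, now):
        # Entries older than the skew window can no longer be replayed; drop them.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.skew}
        if abs(now - auth.ctime) > self.skew:
            return SKEW
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self.seen:
            # Same principal and same timestamp: indistinguishable from a replay.
            return REPLAY
        self.seen[key] = auth.ctime
        return OK

def simulate_startup(principals, ctime, cusec, now):
    """All instances authenticate to one server within the same clock tick."""
    cache = ReplayCache()
    return [cache.accept(Authenticator(p, ctime, cusec), now) for p in principals]

# Constructed sample data (assumptions, not taken from the issue).
HOSTS = ["dn1.example.com", "dn2.example.com", "dn3.example.com"]
REALM = "EXAMPLE.COM"
T, USEC = 1_267_601_630, 542_000

def shared_key_results():
    # One principal (one key) used by every datanode.
    return simulate_startup(["dn@" + REALM] * len(HOSTS), T, USEC, T)

def per_host_results():
    # A unique principal per service instance.
    return simulate_startup([f"dn/{h}@{REALM}" for h in HOSTS], T, USEC, T)

if __name__ == "__main__":
    print("shared key :", shared_key_results())
    print("per host   :", per_host_results())
```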