[ https://issues.apache.org/jira/browse/HADOOP-12682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15074333#comment-15074333 ]

Xiaoyu Yao commented on HADOOP-12682:
-------------------------------------

Thanks [~jojochuang] for working on this. The patch looks good to me overall 
and I think you are heading in the right direction for the fix. 
Here are some of my comments:

1. The root cause of this issue is that TestKMS#doAs() uses 
UserGroupInformation.getUGIFromSubject() to retrieve UGI for KMS restart tests. 
UGI returned from getUGIFromSubject does not contain any loginContext or Keytab 
file information. When this UGI is later invoked by the newly added code below 
in KMSClientProvider, it failed at UGI#reloginFromKeytab() because the 
login requires loginContext and keytab information.

{code}
// check and renew TGT to handle potential expiration
      actualUgi.checkTGTAndReloginFromKeytab();
{code}

2. We should use try/finally to log out the user after ugi.doAs() in the new 
TestKMS#doAsFromKeytab. Ideally, we should update TestKMS#doAs directly to 
ensure it uses the correct/complete UGI. This will need to add a new public 
logout method in the UGI class. 


> Test cases in TestKMS are failing
> ---------------------------------
>
>                 Key: HADOOP-12682
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12682
>             Project: Hadoop Common
>          Issue Type: Bug
>         Environment: Jenkins
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>         Attachments: HADOOP-12682.001.patch
>
>
> https://builds.apache.org/job/Hadoop-Common-trunk/2157/testReport/org.apache.hadoop.crypto.key.kms.server/TestKMS/testKMSRestartSimpleAuth/
> {noformat}
> Error Message
> loginUserFromKeyTab must be done first
> Stacktrace
> java.io.IOException: loginUserFromKeyTab must be done first
>       at org.apache.hadoop.security.UserGroupInformation.reloginFromKeytab(UserGroupInformation.java:1029)
>       at org.apache.hadoop.security.UserGroupInformation.checkTGTAndReloginFromKeytab(UserGroupInformation.java:994)
>       at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createConnection(KMSClientProvider.java:478)
>       at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createKeyInternal(KMSClientProvider.java:679)
>       at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createKey(KMSClientProvider.java:697)
>       at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$10.call(LoadBalancingKMSClientProvider.java:259)
>       at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$10.call(LoadBalancingKMSClientProvider.java:256)
>       at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:94)
>       at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.createKey(LoadBalancingKMSClientProvider.java:256)
>       at org.apache.hadoop.crypto.key.kms.server.TestKMS$6$1.run(TestKMS.java:1003)
>       at org.apache.hadoop.crypto.key.kms.server.TestKMS$6$1.run(TestKMS.java:1000)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at javax.security.auth.Subject.doAs(Subject.java:415)
>       at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1669)
>       at org.apache.hadoop.crypto.key.kms.server.TestKMS.doAs(TestKMS.java:266)
>       at org.apache.hadoop.crypto.key.kms.server.TestKMS.access$100(TestKMS.java:75)
> {noformat}
> Seems to be introduced by HADOOP-12559


