[
https://issues.apache.org/jira/browse/HADOOP-12787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15149547#comment-15149547
]
Xiaoyu Yao commented on HADOOP-12787:
-------------------------------------
Manual test result:
*1. Curl without the patch -> GSSException*
{code}
[ambari-qa@c6401 ~]$ curl --negotiate -i -L -u: -b ~/cookiejar.txt -c ~/cookiejar.txt http://192.168.64.101:50070/webhdfs/v1/z1/krb5.conf.4?op=OPEN
HTTP/1.1 401 Authentication required
Cache-Control: must-revalidate,no-cache,no-store
Date: Tue, 16 Feb 2016 23:56:05 GMT
Pragma: no-cache
Date: Tue, 16 Feb 2016 23:56:05 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; HttpOnly
Content-Length: 1418
Server: Jetty(6.1.26.hwx)
HTTP/1.1 307 TEMPORARY_REDIRECT
Cache-Control: no-cache
Expires: Tue, 16 Feb 2016 23:56:05 GMT
Date: Tue, 16 Feb 2016 23:56:05 GMT
Pragma: no-cache
Expires: Tue, 16 Feb 2016 23:56:05 GMT
Date: Tue, 16 Feb 2016 23:56:05 GMT
Pragma: no-cache
Content-Type: application/octet-stream
Set-Cookie: hadoop.auth="u=ambari-qa&[email protected]&t=kerberos&e=1455702965318&s=OSu4iddJQVOdzeiKkmp/nwea7vQ="; Path=/; HttpOnly
Location: http://c6401.ambari.apache.org:1022/webhdfs/v1/z1/krb5.conf.4?op=OPEN&delegation=JgAJYW1iYXJpLXFhCWFtYmFyaS1xYQCKAVLsgytPigFTEI-vT3YkFOalDq5KazNUQYxlZKw4NxpPJfaLEldFQkhERlMgZGVsZWdhdGlvbhMxOTIuMTY4LjY0LjEwMTo4MDIw&namenoderpcaddress=c6401.ambari.apache.org:8020&offset=0
Content-Length: 0
Server: Jetty(6.1.26.hwx)
HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
Content-Length: 266
Connection: close
{"RemoteException":{"exception":"IOException","javaClassName":"java.io.IOException","message":"org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)"}}[ambari-qa@c6401 ~]
{code}
*2. Curl with the patch -> Pass*
{code}
[ambari-qa@c6401 ~]$ curl --negotiate -i -L -u: -b ~/cookiejar.txt -c ~/cookiejar.txt http://192.168.64.101:50070/webhdfs/v1/z2/hello.txt?op=OPEN
HTTP/1.1 307 TEMPORARY_REDIRECT
Cache-Control: no-cache
Expires: Wed, 17 Feb 2016 00:03:18 GMT
Date: Wed, 17 Feb 2016 00:03:18 GMT
Pragma: no-cache
Expires: Wed, 17 Feb 2016 00:03:18 GMT
Date: Wed, 17 Feb 2016 00:03:18 GMT
Pragma: no-cache
Location: http://c6401.ambari.apache.org:1022/webhdfs/v1/z2/hello.txt?op=OPEN&delegation=JgAJYW1iYXJpLXFhCWFtYmFyaS1xYQCKAVLsicgdigFTEJZMHXcmFHHSXDlM1mY3gFNY5yuHrg5dnW9BEldFQkhERlMgZGVsZWdhdGlvbhMxOTIuMTY4LjY0LjEwMTo4MDIw&namenoderpcaddress=c6401.ambari.apache.org:8020&offset=0
Content-Type: application/octet-stream
Content-Length: 0
Server: Jetty(6.1.26.hwx)
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Content-Type: application/octet-stream
Connection: close
Content-Length: 13
Hello world!
{code}
*3. distcp/webhdfs without the patch -> GSSException*
{code}
Failed with "org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)"
{code}
*4. distcp/webhdfs with the patch -> Pass*
{code}
Succeeded without any retry on other datanodes.
{code}
> KMS SPNEGO sequence does not work with WEBHDFS
> ----------------------------------------------
>
> Key: HADOOP-12787
> URL: https://issues.apache.org/jira/browse/HADOOP-12787
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms, security
> Affects Versions: 2.6.3
> Reporter: Xiaoyu Yao
> Assignee: Xiaoyu Yao
> Attachments: HADOOP-12878.00.patch, HADOOP-12878.01.patch,
> HADOOP-12878.02.patch, HADOOP-12878.03.patch
>
>
> This was a follow up of my
> [comments|https://issues.apache.org/jira/browse/HADOOP-12559?focusedCommentId=15059045&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15059045]
> for HADOOP-10698.
> It blocks a delegation token based user (MR) using WEBHDFS to access KMS
> server for encrypted files. This might have worked in many cases before, as JDK 7 has
> been aggressively doing SPNEGO implicitly. However, this is not the case in JDK
> 8, as we have seen many failures when using WEBHDFS with KMS and HDFS
> encryption zone.
>