[
https://issues.apache.org/jira/browse/HADOOP-14350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Steve Loughran updated HADOOP-14350:
------------------------------------
Priority: Major (was: Blocker)
> Relative path for Kerberos keytab is not working on IBM JDK
> -----------------------------------------------------------
>
> Key: HADOOP-14350
> URL: https://issues.apache.org/jira/browse/HADOOP-14350
> Project: Hadoop Common
> Issue Type: Bug
> Components: common, security
> Affects Versions: 2.7.3
> Reporter: Wen Yuan Chen
>
> For the sample code below:
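> import java.io.IOException;
> import org.apache.hadoop.security.UserGroupInformation;
>
> public class TestKrb {
>   public static void main(String[] args) throws IOException {
>     // args[0]: Kerberos principal, args[1]: path to the keytab file
>     String user = args[0], path = args[1];
>     UserGroupInformation ugi =
>         UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, path);
>     System.out.println("Login successfully");
>   }
> }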
> When I use IBM JDK and pass a relative path for the Kerberos keytab, it will
> throw error messages. According to the debug log, it always tries to read
> the keytab from the root path. See the debug logs below:
> 2017-04-19 02:29:13,982 DEBUG
> [org.apache.hadoop.metrics2.lib.MutableMetricsFactory] - field
> org.apache.hadoop.metrics2.lib.MutableRate
> org.apache.hadoop.security.UserGroupInformation$UgiMetrics.loginSuccess with
> annotation @org.apache.hadoop.metrics2.annotation.Metric(about=,
> sampleName=Ops, always=false, type=DEFAULT, value=[Rate of successful
> kerberos logins and latency (milliseconds)], valueName=Time)
> 2017-04-19 02:29:13,990 DEBUG
> [org.apache.hadoop.metrics2.lib.MutableMetricsFactory] - field
> org.apache.hadoop.metrics2.lib.MutableRate
> org.apache.hadoop.security.UserGroupInformation$UgiMetrics.loginFailure with
> annotation @org.apache.hadoop.metrics2.annotation.Metric(about=,
> sampleName=Ops, always=false, type=DEFAULT, value=[Rate of failed kerberos
> logins and latency (milliseconds)], valueName=Time)
> 2017-04-19 02:29:13,991 DEBUG
> [org.apache.hadoop.metrics2.lib.MutableMetricsFactory] - field
> org.apache.hadoop.metrics2.lib.MutableRate
> org.apache.hadoop.security.UserGroupInformation$UgiMetrics.getGroups with
> annotation @org.apache.hadoop.metrics2.annotation.Metric(about=,
> sampleName=Ops, always=false, type=DEFAULT, value=[GetGroups], valueName=Time)
> 2017-04-19 02:29:13,992 DEBUG
> [org.apache.hadoop.metrics2.impl.MetricsSystemImpl] - UgiMetrics, User and
> group related metrics
> [KRB_DBG_CFG] Config:main: Java config file:
> /opt/ibm/java/jre/lib/security/krb5.conf
> [KRB_DBG_CFG] Config:main: Loaded from Java config
> 2017-04-19 02:29:14,175 DEBUG [org.apache.hadoop.security.Groups] - Creating
> new Groups object
> 2017-04-19 02:29:14,178 DEBUG [org.apache.hadoop.util.NativeCodeLoader] -
> Trying to load the custom-built native-hadoop library...
> 2017-04-19 02:29:14,179 DEBUG [org.apache.hadoop.util.NativeCodeLoader] -
> Failed to load native-hadoop with error: java.lang.UnsatisfiedLinkError:
> hadoop (Not found in java.library.path)
> 2017-04-19 02:29:14,179 DEBUG [org.apache.hadoop.util.NativeCodeLoader] -
> java.library.path=/opt/ibm/java/jre/lib/amd64/compressedrefs:/opt/ibm/java/jre/lib/amd64:/usr/lib64:/usr/lib
> 2017-04-19 02:29:14,179 WARN [org.apache.hadoop.util.NativeCodeLoader] -
> Unable to load native-hadoop library for your platform... using builtin-java
> classes where applicable
> 2017-04-19 02:29:14,180 DEBUG
> [org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback] - Falling
> back to shell based
> 2017-04-19 02:29:14,180 DEBUG
> [org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback] - Group
> mapping impl=org.apache.hadoop.security.ShellBasedUnixGroupsMapping
> 2017-04-19 02:29:14,334 DEBUG [org.apache.hadoop.util.Shell] - setsid exited
> with exit code 0
> 2017-04-19 02:29:14,334 DEBUG [org.apache.hadoop.security.Groups] - Group
> mapping
> impl=org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback;
> cacheTimeout=300000; warningDeltaMs=5000
> IBMJGSSProvider Build-Level: -20161128
> [JGSS_DBG_CRED] main JAAS config: principal=job/analytics
> [JGSS_DBG_CRED] main JAAS config: credsType=initiate and accept
> [JGSS_DBG_CRED] main config: useDefaultCcache=false
> [JGSS_DBG_CRED] main config: useCcache=null
> [JGSS_DBG_CRED] main config: useDefaultKeytab=false
> [JGSS_DBG_CRED] main config: useKeytab=//job.keytab
> [JGSS_DBG_CRED] main JAAS config: forwardable=false (default)
> [JGSS_DBG_CRED] main JAAS config: renewable=false (default)
> [JGSS_DBG_CRED] main JAAS config: proxiable=false (default)
> [JGSS_DBG_CRED] main JAAS config: tryFirstPass=false (default)
> [JGSS_DBG_CRED] main JAAS config: useFirstPass=false (default)
> [JGSS_DBG_CRED] main JAAS config: moduleBanner=false (default)
> [JGSS_DBG_CRED] main JAAS config: interactive login? no
> [JGSS_DBG_CRED] main JAAS config: refreshKrb5Config = true
> [KRB_DBG_CFG] Config:main: Java config file:
> /opt/ibm/java/jre/lib/security/krb5.conf
> [KRB_DBG_CFG] Config:main: Loaded from Java config
> [KRB_DBG_KDC] KdcComm:main: >>> KdcAccessibility: reset
> [KRB_DBG_KDC] KdcComm:main: >>> KdcAccessibility: reset
> [JGSS_DBG_CRED] main Try keytab for principal=job/analytics
> [KRB_DBG_KTAB] KeyTab:main: >>> KeyTab: trying to load keytab file
> /job.keytab
> [KRB_DBG_KTAB] KeyTab:main: >>> KeyTab: exception /job.keytab (No such file
> or directory)
> Key for the principal job/[email protected] not available in
> //job.keytab
> [KRB_DBG_CCHE] Credentials:main: >>> Credentials: Created Credentials with
> 0 keys. Key types:
> [JGSS_DBG_CRED] main Done retrieving Kerberos creds from keytab
> [JGSS_DBG_CRED] main Retrieving Kerberos creds from cache for
> principal=job/analytics
> [JGSS_DBG_CRED] main Non-interactive login; no callbacks necessary.
> [JGSS_DBG_CRED] main No Kerberos creds in cache for principal job/analytics
> [JGSS_DBG_CRED] main Doing Kerberos login for principal
> job/[email protected]
> 2017-04-19 02:29:14,381 DEBUG
> [org.apache.hadoop.security.UserGroupInformation] - hadoop login
> Exception in thread "main" java.io.IOException: Login failure for
> job/analytics from keytab job.keytab
> at
> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1103)
> at com.TestKrb.main(TestKrb.java:10)
> Caused by: javax.security.auth.login.FailedLoginException: Null key
> at
> com.ibm.security.jgss.i18n.I18NException.throwFailedLoginException(I18NException.java:1)
> at
> com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:355)
> at
> com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:515)
> at
> com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:411)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
> at java.lang.reflect.Method.invoke(Method.java:508)
> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:788)
> at
> javax.security.auth.login.LoginContext.access$000(LoginContext.java:196)
> at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
> at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
> at
> java.security.AccessController.doPrivileged(AccessController.java:686)
> at
> javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:719)
> at javax.security.auth.login.LoginContext.login(LoginContext.java:593)
> at
> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1092)
> ... 1 more
> In the above log, the useKeytab=<value> entry is showing a <value> prefaced by a
> leading "//". It appears that HADOOP is adjusting the user-supplied keytab
> file and most likely prefacing it with something like "FILE://", which would
> cause the resulting IBM normalized value to then be prefaced by "//" before
> the user-supplied keytab file. This is the cause for why relative paths used
> with HADOOP are not working with IBM JVMs.
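
A caller-side workaround for the behaviour reported above, as an added example that is not part of the JIRA issue or of Hadoop's own code: resolve the keytab to an absolute path and vet the file before handing it to `loginUserFromKeytabAndReturnUGI`, so a bad path fails with a clear error instead of "Null key". The class name `KeytabLogin`, the helper `resolveKeytab` and the permission policy are assumptions, as is the premise that absolute keytab paths are unaffected on the IBM JDK.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

import org.apache.hadoop.security.UserGroupInformation;

// Added example (hypothetical class and helper names, not Hadoop code).
public class KeytabLogin {

  /** Resolve a possibly relative keytab path against the working directory and vet it. */
  static Path resolveKeytab(String keytab) throws IOException {
    // toRealPath() makes the path absolute, follows symlinks and throws
    // NoSuchFileException here, rather than "Null key" deep inside JAAS.
    Path p = Paths.get(keytab).toRealPath();
    if (!Files.isRegularFile(p) || !Files.isReadable(p)) {
      throw new IOException("Keytab is not a readable regular file: " + p);
    }
    // A keytab holds long-term keys; this example's policy (an assumption)
    // is to refuse one that accounts other than the owner can read.
    if (Files.getFileStore(p).supportsFileAttributeView("posix")) {
      Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
      if (perms.contains(PosixFilePermission.GROUP_READ)
          || perms.contains(PosixFilePermission.OTHERS_READ)) {
        throw new IOException("Keytab is readable by group or others: " + p);
      }
    }
    return p;
  }

  public static void main(String[] args) throws IOException {
    String user = args[0];                 // Kerberos principal
    Path keytab = resolveKeytab(args[1]);  // may be given as a relative path
    // Pass the absolute form so the login module never sees a relative path.
    UserGroupInformation ugi =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, keytab.toString());
    System.out.println("Logged in as " + ugi.getUserName() + " using " + keytab);
  }
}
```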