[ 
https://issues.apache.org/jira/browse/HADOOP-15123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16294007#comment-16294007
 ] 

Vipin Rathor commented on HADOOP-15123:
---------------------------------------

Thanks [[email protected]] for the review comments. Updated patch with 
improved indentation.
Regarding credential cache location, currently KDiag does print KRB5CCNAME 
along with other important env. variables. We can take it to the next level by 
validating and dumping the content in another patch.

*Manual Testing results:*
*Before fix:*
1. Error in printing the content of krb5.conf with the curly brace "\{" symbol: 
(the problem was not with the hash as I mentioned in the first comment)
{code:java}
# ./bin/hadoop org.apache.hadoop.security.KDiag
...
...
== Locating Kerberos configuration file ==

Kerberos configuration file = /etc/krb5.conf

[libdefaults]
 renew_lifetime = 7d
 forwardable = true
 default_realm = MYREALM
 ticket_lifetime = 24h
 dns_lookup_realm = false
 dns_lookup_kdc = false
2017-12-17 04:43:28,767 ERROR security.KDiag: 
java.util.UnknownFormatConversionException: Conversion = '{'
java.util.UnknownFormatConversionException: Conversion = '{'
        at java.util.Formatter.checkText(Formatter.java:2579)
        at java.util.Formatter.parse(Formatter.java:2565)
        at java.util.Formatter.format(Formatter.java:2501)
        at java.util.Formatter.format(Formatter.java:2455)
        at java.lang.String.format(String.java:2940)
        at org.apache.hadoop.security.KDiag.println(KDiag.java:849)
        at org.apache.hadoop.security.KDiag.dump(KDiag.java:922)
        at org.apache.hadoop.security.KDiag.validateKrb5File(KDiag.java:578)
        at org.apache.hadoop.security.KDiag.execute(KDiag.java:378)
        at org.apache.hadoop.security.KDiag.run(KDiag.java:236)
        at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
        at org.apache.hadoop.security.KDiag.exec(KDiag.java:1047)
        at org.apache.hadoop.security.KDiag.main(KDiag.java:1057)
2017-12-17 04:43:28,773 INFO util.ExitUtil: Halt with status -1: 
java.util.UnknownFormatConversionException: Conversion = '{'
{code}

2. KDiag picks up the credential cache location instead of the krb5.conf location from 
the environment & doesn't print the KRB5_CONFIG env. variable.
{code:java}
# export KRB5CCNAME=/tmp/krb5cc_1001
# export KRB5_CONFIG=/etc/krb5.conf.copy
# ./bin/hadoop org.apache.hadoop.security.KDiag

== Environment Variables ==

HADOOP_JAAS_DEBUG = "(unset)"
KRB5CCNAME = "/tmp/krb5cc_1001"
HADOOP_USER_NAME = "(unset)"
...
...
== Locating Kerberos configuration file ==

Setting kerberos path from environment variable KRB5CCNAME: "/tmp/krb5cc_1001"
Kerberos configuration file = /tmp/krb5cc_1001
...
...
{code}

*After Fix:*
1. krb5.conf lines with "\{" can now be processed by KDiag.
2. KDiag prints KRB5_CONFIG and uses that instead of KRB5CCNAME to locate 
krb5.conf.
{code:java}
# export KRB5CCNAME=/tmp/krb5cc_1001
# export KRB5_CONFIG=/etc/krb5.conf.copy
# ./bin/hadoop org.apache.hadoop.security.KDiag
...
...
== Environment Variables ==

HADOOP_JAAS_DEBUG = "(unset)"
KRB5CCNAME = "/tmp/krb5cc_1001"
KRB5_CONFIG = "/etc/krb5.conf.copy"
...
...
== Locating Kerberos configuration file ==

Setting kerberos path from environment variable KRB5_CONFIG: 
"/etc/krb5.conf.copy"
Kerberos configuration file = /etc/krb5.conf.copy

[libdefaults]
 renew_lifetime = 7d
 forwardable = true
 default_realm = MYREALM
 ticket_lifetime = 24h
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_ccache_name = /tmp/krb5cc_%{uid}
 #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
 ...
 ...
{code}


> KDiag tries to load krb5.conf from KRB5CCNAME instead of KRB5_CONFIG
> --------------------------------------------------------------------
>
>                 Key: HADOOP-15123
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15123
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Vipin Rathor
>            Priority: Minor
>         Attachments: HADOOP-15123.0001.patch, HADOOP-15123.0002.patch
>
>
> If Kerberos credential cache file location is overridden in environment, then 
> KDiag tries to read its value for Kerberos configuration. For example,
> {code:java}
> # export KRB5CCNAME=/tmp/krb5cc_1001
> # hadoop org.apache.hadoop.security.KDiag
> ...
> ...
> == Locating Kerberos configuration file ==
> Setting kerberos path from environment variable KRB5CCNAME: "/tmp/krb5cc_1001"
> Kerberos configuration file = /tmp/krb5cc_1001
> 17/12/16 04:06:19 ERROR security.KDiag: 
> java.util.UnknownFormatConversionException: Conversion = '�'
> java.util.UnknownFormatConversionException: Conversion = '�'
> {code}
> Expected Behavior:
> 1. Kerberos configuration file location should be read from KRB5_CONFIG env. 
> variable instead of KRB5CCNAME. Source: [MIT KRB5 
> doc|https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
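
The two failures reported above, reproduced in isolation as an added example; this is not the HADOOP-15123 patch or KDiag's own code. The class and helper names are hypothetical, the environment map and krb5.conf lines are constructed, and the `/etc/krb5.conf` fallback is an assumption for the demo.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UnknownFormatConversionException;

public class KDiagDumpDemo {

    // Assumption for this demo: fallback path when KRB5_CONFIG is unset.
    static final String DEFAULT_KRB5_CONF = "/etc/krb5.conf";

    // Hypothetical helper: KRB5_CONFIG names krb5.conf; KRB5CCNAME names the
    // credential cache and is never consulted for the configuration path.
    static String krb5ConfPath(Map<String, String> env) {
        String path = env.get("KRB5_CONFIG");
        return (path == null || path.isEmpty()) ? DEFAULT_KRB5_CONF : path;
    }

    // Problem pattern: a line read from a file is used as the format string,
    // so any '%' in the file is parsed as a conversion specifier.
    static String unsafeLine(String line) {
        return String.format(line);
    }

    // Safer pattern: constant format string, file content passed as an argument.
    static String safeLine(String line) {
        return String.format("%s", line);
    }

    public static void main(String[] args) {
        // Constructed environment, mirroring the exports in the test run above.
        Map<String, String> env = new LinkedHashMap<>();
        env.put("KRB5CCNAME", "/tmp/krb5cc_1001");
        env.put("KRB5_CONFIG", "/etc/krb5.conf.copy");
        System.out.println("Kerberos configuration file = " + krb5ConfPath(env));

        // Constructed sample lines modelled on the krb5.conf in the comment.
        String[] lines = {"[libdefaults]", " default_ccache_name = /tmp/krb5cc_%{uid}"};
        for (String line : lines) {
            try {
                System.out.println("unsafe: " + unsafeLine(line));
            } catch (UnknownFormatConversionException e) {
                System.out.println("unsafe: " + e);
            }
            System.out.println("safe:   " + safeLine(line));
        }
    }
}
```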
