Niranjan Subramanian commented on HADOOP-10786:

Hey guys,

I don't see this patch (HADOOP-10786.5.patch), especially this piece of code
+  private static Class<?> KEY_TAB_CLASS = KerberosKey.class;
+  static {
+    try {
+      // We use KEY_TAB_CLASS to determine if the UGI is logged in from
+      // keytab. In JDK6 and JDK7, if useKeyTab and storeKey are specified
+      // in the Krb5LoginModule, then some number of KerberosKey objects
+      // are added to the Subject's private credentials. However, in JDK8,
+      // a KeyTab object is added instead. More details in HADOOP-10786.
+      KEY_TAB_CLASS = Class.forName("javax.security.auth.kerberos.KeyTab");
+    } catch (ClassNotFoundException cnfe) {
+      // Ignore. javax.security.auth.kerberos.KeyTab does not exist in JDK6.
+    }
+  }
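
Review bot: `KEY_TAB_CLASS` in the first added line is declared `private static` without `final`, yet it is named like a constant and is reassigned in the static initializer, so nothing stops later code in the class from overwriting it. Consider resolving the class in a small private static helper that returns `KerberosKey.class` when `ClassNotFoundException` is caught, and assigning its result to a `private static final` field.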

-    this.isKeytab = 
+    this.isKeytab = !subject.getPrivateCredentials(KEY_TAB_CLASS).isEmpty();
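
Review bot: the new `this.isKeytab` assignment depends on which class the static block resolved, but the block comment only describes JDK6 and JDK7 as adding KerberosKey objects. The catch comment says KeyTab is missing only in JDK6, so JDK7 takes the KeyTab path as well; please document that a KeyTab is expected in the Subject on JDK7 too, otherwise the check reads as if it could regress there. The removed line is cut off in this excerpt, so the old expression cannot be compared.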

applied in the UserGroupInformation class of Apache Hadoop 2.7.0 or 2.7.1 or in any 
of the subsequent versions till 3.0.0. I'm not sure if the above piece of code has 
been changed/moved somewhere in further/future commits.

I've a Kerberized Hadoop cluster that uses 2.7.3 and a client that uses 2.7.0. 
My client interacts with the cluster only using HDFS FileSystem API calls, and I 
expect Kerberos ticket renewal to be automatically handled by the client's 
runtime dependency. Initially, login from keytab is always successful, but once 
the TGT expires, the client is unable to log in again; it fails with this:

java.io.IOException: Failed on local exception: java.io.IOException: 
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: 
No valid credentials provided (Mechanism level: Failed to find any Kerberos 
tgt)]; Host Details : local host is: "hc4t03283/"; destination host 
is: "hc4t02044.itcs.nircorp.net":8020;

How can I ascertain or at least rule out that this issue isn't caused because 
of HADOOP-10786? This is the very reason I looked at the UserGroupInformation 
class' code and I didn't find this patch applied. I'm using JDK 1.8.0_151. 

Please let me know if I'm missing something obvious here. 

> Fix UGI#reloginFromKeytab on Java 8
> -----------------------------------
>                 Key: HADOOP-10786
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10786
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Tobi Vollebregt
>            Assignee: Stephen Chu
>            Priority: Major
>              Labels: 2.6.1-candidate
>             Fix For: 2.6.1, 2.7.0, 3.0.0-alpha1
>         Attachments: HADOOP-10786.2.patch, HADOOP-10786.3.patch, 
> HADOOP-10786.3.patch, HADOOP-10786.4.patch, HADOOP-10786.5.patch, 
> HADOOP-10786.patch
> Krb5LoginModule changed subtly in java 8: in particular, if useKeyTab and 
> storeKey are specified, then only a KeyTab object is added to the Subject's 
> private credentials, whereas in java <= 7 both a KeyTab and some number of 
> KerberosKey objects were added.
> The UGI constructor checks whether or not a keytab was used to login by 
> looking if there are any KerberosKey objects in the Subject's private 
> credentials. If there are, then isKeyTab is set to true, and otherwise it's 
> set to false.
> Thus, in java 8 isKeyTab is always false given the current UGI 
> implementation, which makes UGI#reloginFromKeytab fail silently.
> Attached patch will check for a KeyTab object on the Subject, instead of a 
> KerberosKey object. This fixes relogins from kerberos keytabs on Oracle java 
> 8, and works on Oracle java 7 as well.

This message was sent by Atlassian JIRA
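
The difference between the two credential checks described in the issue text above can be reproduced with plain JDK classes. The following is an added example, not code from Hadoop or from the attached patch; the class name, method names, keytab path and principal are constructed for illustration.

```java
import java.io.File;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

// Added illustration (hypothetical names): applies the pre-patch and patched
// credential checks from HADOOP-10786 to hand-built Subjects.
public class KeytabCredentialCheck {

  // Pre-patch logic: a keytab login is inferred from KerberosKey objects.
  static boolean oldCheck(Subject s) {
    return !s.getPrivateCredentials(KerberosKey.class).isEmpty();
  }

  // Patched logic: a keytab login is inferred from a KeyTab object.
  static boolean newCheck(Subject s) {
    return !s.getPrivateCredentials(KeyTab.class).isEmpty();
  }

  public static void main(String[] args) {
    // Constructed sample values; the keytab file does not need to exist
    // because nothing here reads keys from it.
    KeyTab keyTab = KeyTab.getInstance(new File("/tmp/example.keytab"));
    KerberosPrincipal principal = new KerberosPrincipal("client@EXAMPLE.COM");
    // 17 is the Kerberos etype for aes128-cts-hmac-sha1-96; all-zero dummy key.
    KerberosKey key = new KerberosKey(principal, new byte[16], 17, 1);

    // Shape the issue describes for Java 8: only a KeyTab is stored.
    Subject java8Shape = new Subject();
    java8Shape.getPrivateCredentials().add(keyTab);

    // Shape the issue describes for Java <= 7: a KeyTab plus KerberosKey objects.
    Subject java7Shape = new Subject();
    java7Shape.getPrivateCredentials().add(keyTab);
    java7Shape.getPrivateCredentials().add(key);

    System.out.println("Java 8 shape:   old=" + oldCheck(java8Shape)
        + " new=" + newCheck(java8Shape));
    System.out.println("Java <=7 shape: old=" + oldCheck(java7Shape)
        + " new=" + newCheck(java7Shape));
  }
}
```

Running the same two checks against the Subject of a real login on the client JVM shows which credential classes the login module actually stored.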
