[ https://issues.apache.org/jira/browse/HADOOP-9969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14906333#comment-14906333 ]
Xinwei Qin commented on HADOOP-9969:
-------------------------------------
Hi, [~crystal_gaoyu], [~daryn],
This bug still exists with IBM JDK 7, but does not happen with the Oracle JDK. The
exceptions thrown by the IBM JDK and the Oracle JDK are different:
IBM JDK (*Failure to initialize security context [Caused by
org.ietf.jgss.GSSException*):
{code}
2015-06-01 17:55:40,448 DEBUG security.SaslRpcClient
(SaslRpcClient.java:createSaslClient(247)) - Creating SASL GSSAPI(KERBEROS)
client to authenticate to service at hadoop.hadoop.com
2015-06-01 17:55:40,470 DEBUG security.UserGroupInformation
(UserGroupInformation.java:doAs(1645)) - PrivilegedActionException
as:[email protected] (auth:KERBEROS) cause:javax.security.sasl.SaslException:
Failure to initialize security context [Caused by org.ietf.jgss.GSSException,
major code: 8, minor code: 0
major string: Credential expired
minor string: Kerberos credential has expired]
2015-06-01 17:55:40,472 DEBUG security.UserGroupInformation
(UserGroupInformation.java:logPrivilegedAction(1665)) - PrivilegedAction
as:[email protected] (auth:KERBEROS)
from:org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:654)
2015-06-01 17:55:40,472 DEBUG ipc.Client
(Client.java:shouldAuthenticateOverKrb(551)) - this.authMethod !=
SaslRpcServer.AuthMethod.KERBEROS
2015-06-01 17:55:40,473 WARN ipc.Client (Client.java:run(686)) - Exception
encountered while connecting to the server :
{color:red}javax.security.sasl.SaslException: Failure to initialize security
context [Caused by org.ietf.jgss.GSSException{color}, major code: 8, minor
code: 0
major string: Credential expired
minor string: Kerberos credential has expired]]
{code}
Oracle JDK (*GSS initiate failed [Caused by GSSException: No valid credentials
provided*):
{code}
2015-06-01 18:31:24,441 DEBUG [main]: PrivilegedActionException
as:[email protected] (auth:KERBEROS) cause:javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided
(Mechanism level: Failed to find any Kerberos tgt)]
org.apache.hadoop.security.UserGroupInformation(1645)
2015-06-01 18:31:24,442 DEBUG [main]: PrivilegedAction as:[email protected]
(auth:KERBEROS)
from:org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:654)
org.apache.hadoop.security.UserGroupInformation(1665)
2015-06-01 18:31:24,442 DEBUG [main]: this.authMethod == AuthMethod.KERBEROS
org.apache.hadoop.ipc.Client(535)
{code}
The reason is:
when the TGT has expired, {{javax.security.sasl.Sasl#createSaslClient()}} of the IBM JDK
throws {{SaslException}}, but the Oracle JDK's method does not; with the Oracle
JDK the {{SaslException}} is thrown by {{saslClient#evaluateChallenge()}} instead.
So the client can handle the failure with the Oracle JDK but cannot with the IBM
JDK.
I am confused about why the exceptions differ between the IBM JDK and the Oracle
JDK. Any thoughts about it? Can we make
{{javax.security.sasl.Sasl#createSaslClient()}} of the IBM JDK return success?
The HADOOP-9969.patch can fix this bug, but also has some other side-effects.
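The two log shapes above are the only visible difference between a connection that will relogin and one that will silently keep failing, so a small triage script helps an operator spot the IBM JDK case. This is an added example, not Hadoop or JIRA code; the log excerpts are constructed (shortened from the samples in the comment, with a placeholder principal), and the mapping of each message to the method that threw it follows the explanation given in the comment.

```python
import re

# Constructed excerpts, shortened from the two log samples quoted above (placeholder principal).
IBM_JDK_LOG = """\
2015-06-01 17:55:40,470 DEBUG security.UserGroupInformation (UserGroupInformation.java:doAs(1645)) - PrivilegedActionException as:user@EXAMPLE.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: Failure to initialize security context [Caused by org.ietf.jgss.GSSException, major code: 8, minor code: 0
major string: Credential expired
minor string: Kerberos credential has expired]
2015-06-01 17:55:40,472 DEBUG ipc.Client (Client.java:shouldAuthenticateOverKrb(551)) - this.authMethod != SaslRpcServer.AuthMethod.KERBEROS
"""
ORACLE_JDK_LOG = """\
2015-06-01 18:31:24,441 DEBUG [main]: PrivilegedActionException as:user@EXAMPLE.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
2015-06-01 18:31:24,442 DEBUG [main]: this.authMethod == AuthMethod.KERBEROS
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")

def records(text):
    """Group log lines into records: a line without a timestamp continues the previous record."""
    out = []
    for line in text.splitlines():
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += "\n" + line
    return out

# Message shapes described in the comment: the IBM JDK fails inside createSaslClient(),
# the Oracle JDK fails later inside evaluateChallenge().
SIGNATURES = [
    ("Failure to initialize security context", "ibm", "createSaslClient"),
    ("GSS initiate failed", "oracle", "evaluateChallenge"),
]

def triage(text):
    """Summarise an expired-TGT SASL failure and whether the client took the Kerberos relogin path."""
    result = {"expired_tgt": False, "jdk": None, "thrown_at": None, "relogin_path": None}
    for rec in records(text):
        if "SaslException" in rec:
            for needle, jdk, where in SIGNATURES:
                if needle in rec:
                    result.update(jdk=jdk, thrown_at=where)
            if "Kerberos credential has expired" in rec or "Failed to find any Kerberos tgt" in rec:
                result["expired_tgt"] = True
        if "this.authMethod != " in rec and "KERBEROS" in rec:
            result["relogin_path"] = False  # authMethod still SIMPLE: shouldAuthenticateOverKrb() is false
        elif "this.authMethod == " in rec and "KERBEROS" in rec:
            result["relogin_path"] = True
    return result
```

An `expired_tgt` result with `relogin_path` set to `False` is the condition this issue describes: the client will not relogin on its own and needs operator attention.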
> TGT expiration doesn't trigger Kerberos relogin
> -----------------------------------------------
>
> Key: HADOOP-9969
> URL: https://issues.apache.org/jira/browse/HADOOP-9969
> Project: Hadoop Common
> Issue Type: Bug
> Components: ipc, security
> Affects Versions: 2.1.0-beta
> Reporter: Yu Gao
> Attachments: HADOOP-9969.patch, JobTracker.log
>
>
> In HADOOP-9698 & HADOOP-9850, the RPC client and SASL client have been changed to
> respect the auth method advertised by the server, instead of blindly attempting
> the one configured on the client side. However, when the TGT has expired, an
> exception will be thrown from SaslRpcClient#createSaslClient(SaslAuth
> authType), and at this time the authMethod still holds the initial value,
> which is SIMPLE, and never has a chance to be updated with the expected one
> requested by the server, so Kerberos relogin will not happen.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)