Re: Review Request 31304: Storm service check failed after enabling security with existing AD

Andrew Onischuk Mon, 23 Feb 2015 05:55:21 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31304/#review73561
-----------------------------------------------------------


Ship it!


I remember bugs when we had to lowecase the hostnames in principal names. I 
know it's not the scope of this jira. But look like we don't lowercase the 
hostnames that will result in bad kinit, if user has mixed cased FQNDs

- Andrew Onischuk


On Feb. 23, 2015, 1:38 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/31304/
> -----------------------------------------------------------
> 
> (Updated Feb. 23, 2015, 1:38 p.m.)
> 
> 
> Review request for Ambari, Andrew Onischuk and Vitalyi Brodetskyi.
> 
> 
> Bugs: AMBARI-9743
>     https://issues.apache.org/jira/browse/AMBARI-9743
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> On last stage, storm service check failed 
> ```
> 1017 [main] INFO  backtype.storm.StormSubmitter - Generated ZooKeeper secret 
> payload for MD5-digest: -5540876373091122649:-7113320937502691642
> 1021 [main] INFO  backtype.storm.security.auth.AuthUtils - Got AutoCreds []
> 1039 [main] WARN  org.apache.storm.curator.retry.ExponentialBackoffRetry - 
> maxRetries too large (60000). Pinning to 29
> 1043 [main] INFO  backtype.storm.utils.StormBoundedExponentialBackoffRetry - 
> The baseSleepTimeMs [2000] the maxSleepTimeMs [5] the maxRetries [60000]
> 1043 [main] WARN  backtype.storm.utils.StormBoundedExponentialBackoffRetry - 
> Misconfiguration: the baseSleepTimeMs [2000] can't be greater than the 
> maxSleepTimeMs [5].
> 1847 [main] INFO  org.apache.storm.zookeeper.Login - successfully logged in.
> Exception in thread "main" java.lang.RuntimeException: 
> javax.security.sasl.SaslException: Failure to initialize security context 
> [Caused by GSSException: Invalid name provided (Mechanism level: Illegal 
> character in realm name; one of: '/', ':', '' (600))]
>       at 
> backtype.storm.security.auth.ThriftClient.reconnect(ThriftClient.java:99)
>       at 
> backtype.storm.security.auth.ThriftClient.<init>(ThriftClient.java:66)
>       at backtype.storm.utils.NimbusClient.<init>(NimbusClient.java:52)
>       at 
> backtype.storm.utils.NimbusClient.getConfiguredClient(NimbusClient.java:36)
>       at backtype.storm.StormSubmitter.submitTopology(StormSubmitter.java:211)
>       at backtype.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
>       at storm.starter.WordCountTopology.main(WordCountTopology.java:77)
> Caused by: javax.security.sasl.SaslException: Failure to initialize security 
> context [Caused by GSSException: Invalid name provided (Mechanism level: 
> Illegal character in realm name; one of: '/', ':', '' (600))]
>       at 
> com.sun.security.sasl.gsskerb.GssKrb5Client.<init>(GssKrb5Client.java:150)
>       at 
> com.sun.security.sasl.gsskerb.FactoryImpl.createSaslClient(FactoryImpl.java:63)
>       at javax.security.sasl.Sasl.createSaslClient(Sasl.java:372)
>       at 
> org.apache.thrift7.transport.TSaslClientTransport.<init>(TSaslClientTransport.java:72)
>       at 
> backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin.connect(KerberosSaslTransportPlugin.java:127)
>       at 
> backtype.storm.security.auth.TBackoffConnect.doConnectWithRetry(TBackoffConnect.java:48)
>       at 
> backtype.storm.security.auth.ThriftClient.reconnect(ThriftClient.java:97)
>       ... 6 more
> Caused by: GSSException: Invalid name provided (Mechanism level: Illegal 
> character in realm name; one of: '/', ':', '' (600))
>       at 
> sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:127)
>       at 
> sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:95)
>       at 
> sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:202)
>       at sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:472)
>       at sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:201)
>       at sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:170)
>       at sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:137)
>       at 
> com.sun.security.sasl.gsskerb.GssKrb5Client.<init>(GssKrb5Client.java:108)
>       ... 12 more
> ```
> 
> The solution is to properly strip the service name from the principal value
> 
> 
> Diffs
> -----
> 
>   
> ambari-server/src/main/resources/common-services/STORM/0.9.1.2.1/package/scripts/params.py
>  887132d 
> 
> Diff: https://reviews.apache.org/r/31304/diff/
> 
> 
> Testing
> -------
> 
> Manually tested in cluster
> 
> Locally ran tests
> 
> [INFO] 
> ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] 
> ------------------------------------------------------------------------
> [INFO] Total time: 50.941s
> [INFO] Finished at: Mon Feb 23 08:13:41 EST 2015
> [INFO] Final Memory: 64M/1228M
> [INFO] 
> ------------------------------------------------------------------------
> 
> 
> Thanks,
> 
> Robert Levas
> 
>

Re: Review Request 31304: Storm service check failed after enabling security with existing AD

Reply via email to