Kevin Minder created KNOX-1162:
----------------------------------

             Summary: Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
                 Key: KNOX-1162
                 URL: https://issues.apache.org/jira/browse/KNOX-1162
             Project: Apache Knox
          Issue Type: Improvement
          Components: Server
    Affects Versions: 0.14.0
            Reporter: Kevin Minder
            Priority: Minor


When there is a misconfiguration in conf/krb5JAASLogin.conf, the server fails to start and the information in gateway.log isn't at all helpful. So two requests:
# Logging should indicate at a minimum what file contains the issue.
# All fatal issues should log stack traces without requiring enabling debug logging.

This is the error shown in gateway.log
{code}
2018-01-05 12:05:12,538 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
        Line 7: expected [option key]
{code}

When you enable debug logging, you get somewhat better information.
{code}
2018-01-05 15:55:54,087 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
        Line 7: expected [option key]
java.lang.SecurityException: java.io.IOException: Configuration Error:
        Line 7: expected [option key]
        at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
        at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at javax.security.auth.login.Configuration$2.run(Configuration.java:255)
        at javax.security.auth.login.Configuration$2.run(Configuration.java:247)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
        at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.<init>(RemoteConfigurationRegistryJAASConfig.java:52)
        at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.configure(RemoteConfigurationRegistryJAASConfig.java:59)
        at org.apache.hadoop.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:80)
        at org.apache.hadoop.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:113)
        at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:154)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
        at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
        at org.apache.hadoop.gateway.launcher.Command.run(Command.java:99)
        at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
        at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
Caused by: java.io.IOException: Configuration Error:
        Line 7: expected [option key]
        at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:666)
        at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:572)
        at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:477)
        at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:427)
        at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
        at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
        at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
        ... 24 more
{code}

Lastly, the particular configuration error in conf/krb5JAASLogin.conf was missing quotes for the keyTab and principal values. Note: portions of the principal have been scrubbed and replaced with tokens (e.g. <host-name>).
{code}
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=true
    doNotPrompt=true
    useKeyTab=true
    keyTab=/usr/hdp/current/knox-server/conf/knox.keytab
    principal=knox/<host-name>@<realm-name>
    isInitiator=true
    storeKey=true
    useTicketCache=true
    client=true;
};
{code}
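
A pre-start check that reports the file name, line and option for each value that needs quoting, as an added example (not part of the original report and not Knox code). It assumes one option per line and uses a simplified rule: only values made of letters, digits, `_`, `-`, `$` and `*` may stay unquoted; the JDK parser is the authority. The names `lint_jaas` and `BROKEN` are hypothetical, and line numbers are relative to the embedded sample.

```python
import re

# Constructed sample: the entry from the report above, scrubbed tokens left as-is.
BROKEN = """\
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=true
    doNotPrompt=true
    useKeyTab=true
    keyTab=/usr/hdp/current/knox-server/conf/knox.keytab
    principal=knox/<host-name>@<realm-name>
    isInitiator=true
    storeKey=true
    useTicketCache=true
    client=true;
};
"""

# key=value, with an optional ';' that terminates the module entry
OPTION = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*;?\s*$')
# Simplified assumption: anything beyond these characters must be double-quoted
BARE_WORD = re.compile(r'^[A-Za-z0-9_$*-]+$')


def lint_jaas(text, filename):
    """Return (filename, line, key, problem) for each suspicious option value."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("//"):
            continue  # whole-line comment
        m = OPTION.match(raw)
        if not m:
            continue  # entry name, module line or braces
        key, value = m.groups()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            continue  # properly quoted
        if value.startswith('"'):
            findings.append((filename, lineno, key, "unterminated quote"))
        elif not BARE_WORD.match(value):
            findings.append((filename, lineno, key, "value must be double-quoted"))
    return findings


if __name__ == "__main__":
    for name, line, key, problem in lint_jaas(BROKEN, "conf/krb5JAASLogin.conf"):
        print(f"{name}:{line}: option '{key}': {problem}")
```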


