[
https://issues.apache.org/jira/browse/KNOX-1162?focusedWorklogId=199497&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-199497
]
ASF GitHub Bot logged work on KNOX-1162:
----------------------------------------
Author: ASF GitHub Bot
Created on: 15/Feb/19 23:18
Start Date: 15/Feb/19 23:18
Worklog Time Spent: 10m
Work Description: smolnar82 commented on pull request #55: KNOX-1162 -
Logging stacktrace for FATAL messages and displaying a meaningful error message
in case of missing/non-parsable JAAS configuration
URL: https://github.com/apache/knox/pull/55
## What changes were proposed in this pull request?
When there is a misconfiguration in the supplied JAAS configuration (i.e.
`conf/krb5JAASLogin.conf`) the server fails to start and the information in
gateway.log wasn't at all helpful. To make it better the following changes have
been made:
- *all* `FATAL` messages are logged with the full stack trace
- in case the supplied JAAS configuration file does not exist or cannot be
parsed we wrap the `IOException` coming from security login configuration into
our own `ConfigurationException` with a meaningful error message
(an additional change is to fix a unit test case in `MatcherTest` to avoid
compilation error; I'm not sure how it was working before but it constantly
fails locally for me)
## How was this patch tested?
Added new unit test cases and executed them (including integration tests):
```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 18:18 min (Wall Clock)
[INFO] Finished at: 2019-02-15T23:48:43+01:00
[INFO] Final Memory: 265M/1643M
[INFO] ------------------------------------------------------------------------
```
In addition to unit testing the following manual test has been executed:
1. stopped the gateway server
2. built and deployed the new version of the gateway server (with my changes)
3. updated `/etc/knox/conf/krb5JAASLogin.conf`: removed surrounding quotes
from the `keytab` property (which is invalid)
4. tried to start the gateway. As expected it failed to start
5. checked the log file if the enhanced error message appeared:
```
2019-02-15 23:05:44,047 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: org.apache.knox.gateway.services.ServiceLifecycleException: Error while configuring registry authentication
org.apache.knox.gateway.services.ServiceLifecycleException: Error while configuring registry authentication
    at org.apache.knox.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:81)
    at org.apache.knox.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:79)
    at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:159)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
    at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
    at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
    at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
    at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
Caused by: org.apache.knox.gateway.config.ConfigurationException: Error while getting secure configuration. This error usually indicates an issue within the supplied JAAS configuration: /etc/knox/conf/krb5JAASLogin.conf
    at org.apache.knox.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.<init>(RemoteConfigurationRegistryJAASConfig.java:71)
    at org.apache.knox.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.configure(RemoteConfigurationRegistryJAASConfig.java:61)
    at org.apache.knox.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:79)
    ... 11 more
Caused by: java.lang.SecurityException: java.io.IOException: Configuration Error:
Line 7: expected [option key]
    at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
    at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at java.lang.Class.newInstance(Class.java:442)
    at javax.security.auth.login.Configuration$2.run(Configuration.java:255)
    at javax.security.auth.login.Configuration$2.run(Configuration.java:247)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
    at org.apache.knox.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.<init>(RemoteConfigurationRegistryJAASConfig.java:66)
    ... 13 more
Caused by: java.io.IOException: Configuration Error:
Line 7: expected [option key]
    at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:666)
    at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:572)
    at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:477)
    at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:427)
    at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
    at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
    at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
    ... 24 more
```
Issue Time Tracking
-------------------
Worklog Id: (was: 199497)
Time Spent: 10m
Remaining Estimate: 0h
> Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
> ----------------------------------------------------------------
>
> Key: KNOX-1162
> URL: https://issues.apache.org/jira/browse/KNOX-1162
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 0.14.0
> Reporter: Kevin Minder
> Assignee: Sandor Molnar
> Priority: Minor
> Fix For: 1.3.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> When there is a misconfiguration in conf/krb5JAASLogin.conf the server fails
> to start and the information in gateway.log isn't at all helpful. So two
> requests
> # Logging should indicate at a minimum what file contains the issue.
> # All fatal issues should log stack traces without requiring enabling debug
> logging.
> This is the error shown in gateway.log
> {code}
> 2018-01-05 12:05:12,538 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
> Line 7: expected [option key]
> {code}
> When you enable debug logging you get somewhat better information.
> {code}
> 2018-01-05 15:55:54,087 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
> Line 7: expected [option key]
> java.lang.SecurityException: java.io.IOException: Configuration Error:
> Line 7: expected [option key]
>     at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
>     at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>     at java.lang.Class.newInstance(Class.java:442)
>     at javax.security.auth.login.Configuration$2.run(Configuration.java:255)
>     at javax.security.auth.login.Configuration$2.run(Configuration.java:247)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
>     at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.<init>(RemoteConfigurationRegistryJAASConfig.java:52)
>     at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.configure(RemoteConfigurationRegistryJAASConfig.java:59)
>     at org.apache.hadoop.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:80)
>     at org.apache.hadoop.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:113)
>     at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:154)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
>     at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
>     at org.apache.hadoop.gateway.launcher.Command.run(Command.java:99)
>     at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
>     at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
> Caused by: java.io.IOException: Configuration Error:
> Line 7: expected [option key]
>     at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:666)
>     at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:572)
>     at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:477)
>     at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:427)
>     at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
>     at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
>     at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
>     ... 24 more
> {code}
> Lastly the particular configuration error in conf/krb5JAASLogin.conf was
> missing quotes for the keyTab and principal values. Note, portions of the
> principal have been scrubbed and replaced with tokens (e.g. <host-name>)
> {code}
> com.sun.security.jgss.initiate {
> com.sun.security.auth.module.Krb5LoginModule required
> renewTGT=true
> doNotPrompt=true
> useKeyTab=true
> keyTab=/usr/hdp/current/knox-server/conf/knox.keytab
> principal=knox/<host-name>@<realm-name>
> isInitiator=true
> storeKey=true
> useTicketCache=true
> client=true;
> };
> {code}
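The wrapping described in the pull request, shown as an added example (not Knox's own code): it loads a JAAS file through `Configuration.getConfiguration()`, as the stack traces above do, and rethrows the parser's `SecurityException` with the file path in the message, first for an unquoted `keyTab`/`principal` and then for the quoted form. The class names, the stand-in `ConfigurationException` and the principal value are assumptions made for the illustration.

```java
import javax.security.auth.login.Configuration;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class JaasConfigDiagnostics {
    // Hypothetical stand-in for the ConfigurationException named in the pull request.
    static class ConfigurationException extends RuntimeException {
        ConfigurationException(String msg, Throwable cause) { super(msg, cause); }
    }
    // Loads the JAAS login configuration; every failure names the offending file.
    static Configuration load(Path jaasFile) {
        if (!Files.isReadable(jaasFile))
            throw new ConfigurationException("JAAS configuration not found or unreadable: " + jaasFile, null);
        System.setProperty("java.security.auth.login.config", jaasFile.toString());
        Configuration.setConfiguration(null); // discard any previously cached configuration
        try {
            return Configuration.getConfiguration();
        } catch (SecurityException e) { // carries the parser's IOException as its cause
            throw new ConfigurationException(
                "Error while getting secure configuration. This error usually indicates"
                + " an issue within the supplied JAAS configuration: " + jaasFile, e);
        }
    }
    // Constructed sample file; q is the quote character ("" reproduces the misconfiguration).
    static String sample(String q) {
        return String.join("\n",
            "com.sun.security.jgss.initiate {",
            "  com.sun.security.auth.module.Krb5LoginModule required",
            "  useKeyTab=true",
            "  keyTab=" + q + "/usr/hdp/current/knox-server/conf/knox.keytab" + q,
            "  principal=" + q + "knox/gateway.example.com@EXAMPLE.COM" + q + ";", // placeholder
            "};", "");
    }

    public static void main(String[] args) throws Exception {
        Path file = Files.createTempFile("krb5JAASLogin", ".conf");
        for (String quote : new String[] {"", "\""}) { // unquoted first, then quoted
            Files.write(file, sample(quote).getBytes(StandardCharsets.UTF_8));
            try {
                Configuration c = load(file);
                System.out.println("parsed, entries: "
                    + c.getAppConfigurationEntry("com.sun.security.jgss.initiate").length);
            } catch (ConfigurationException e) {
                System.out.println(e.getMessage() + "\n  cause: " + e.getCause().getCause());
            }
        }
        Files.delete(file);
    }
}
```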