wenhao created PHOENIX-7703:
-------------------------------
Summary: PQS HA failed in a Kerberos environment
Key: PHOENIX-7703
URL: https://issues.apache.org/jira/browse/PHOENIX-7703
Project: Phoenix
Issue Type: Bug
Components: queryserver
Affects Versions: queryserver-6.0.0
Reporter: wenhao

When I implement high availability and load balancing for multiple PQS (Phoenix
Query Server) instances using Nginx, it works perfectly without Kerberos
enabled. However, after Kerberos is enabled, everything functions normally
if Nginx and the PQS instance being ultimately accessed are on the same
node. If Nginx and the PQS instance are on different nodes, access
fails, and the PQS server reports an error: "Failure unspecified at GSS-API
level (Mechanism level: Checksum failed)". What could be the cause of this
issue?
-----
Detailed error message:

2025-09-22 10:21:30,264 WARN org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:138)
    at org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
    at org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
    at org.apache.calcite.avatica.server.AvaticaSpnegoAuthenticator.validateRequest(AvaticaSpnegoAuthenticator.java:43)
    at org.apache.phoenix.shaded.org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:483)
    at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
    at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
    at org.apache.phoenix.shaded.org.eclipse.jetty.server.Server.handle(Server.java:534)
    at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
    at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
    at org.apache.phoenix.shaded.org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)
    at org.apache.phoenix.shaded.org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108)
    at org.apache.phoenix.shaded.org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
    at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
    at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
    at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
    at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
    at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
    at java.lang.Thread.run(Thread.java:745)
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
    ... 25 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
    at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
    ... 31 more