[ https://issues.apache.org/jira/browse/PHOENIX-7703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Istvan Toth resolved PHOENIX-7703.
----------------------------------
      Assignee: Istvan Toth
    Resolution: Not A Bug

> PQS HA failed in a Kerberos environment
> ---------------------------------------
>
>                 Key: PHOENIX-7703
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-7703
>             Project: Phoenix
>          Issue Type: Bug
>          Components: queryserver
>    Affects Versions: queryserver-6.0.0
>            Reporter: wenhao
>            Assignee: Istvan Toth
>            Priority: Major
>
> When I implement high availability and load balancing for multiple PQS
> (Phoenix Query Server) instances using Nginx, it works perfectly without
> Kerberos enabled. However, after Kerberos is enabled, everything functions
> normally if Nginx and the PQS instance being ultimately accessed are on the
> same node. If Nginx and the PQS instance are on different nodes,
> access fails, and the PQS server reports an error: "Failure unspecified at
> GSS-API level (Mechanism level: Checksum failed)". What could be the cause
> of this issue?
>  
> ----- 
> *detailed error message:*
> 2025-09-22 10:21:30,264 WARN org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService:
> GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
>         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>         at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
>         at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:138)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
>         at org.apache.calcite.avatica.server.AvaticaSpnegoAuthenticator.validateRequest(AvaticaSpnegoAuthenticator.java:43)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:483)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.Server.handle(Server.java:534)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
>         at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: KrbException: Checksum failed
>         at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
>         at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
>         at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
>         at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
>         at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
>         at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
>         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
>         ... 25 more
> Caused by: java.security.GeneralSecurityException: Checksum failed
>         at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
>         at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
>         at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
>         at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
>         ... 31 more



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
