[ https://issues.apache.org/jira/browse/STORM-345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14050299#comment-14050299 ]

Robert Joseph Evans commented on STORM-345:
-------------------------------------------

I am getting an error when I try to actually renew the ticket.

I modified AutoTGT in the following way.

{code}
diff --git 
a/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java 
b/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
index 52bf540..a474e5d 100644
--- a/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
+++ b/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
@@ -241,7 +241,7 @@ public class AutoTGT implements IAutoCredentials, 
ICredentialsRenewer {
         if (tgt != null) {
             long refreshTime = getRefreshTime(tgt);
             long now = System.currentTimeMillis();
-            if (now >= refreshTime) {
+            //if (now >= refreshTime) {
                 try {
                     LOG.info("Renewing TGT for "+tgt.getClient());
                     tgt.refresh();
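Review bot: commenting out `if (now >= refreshTime) {` here makes renew() send a renewal request on every call and leaves `refreshTime` and `now` as unused locals; the method only stays brace-balanced because the matching `}` is commented out in the next hunk, so the two edits cannot be applied or reverted independently. For the reproduction that is fine, but this must not be committed as is: restore the guard (or, if you want a forced-renewal knob for debugging, make it an explicit boolean rather than a commented-out condition), since unconditional renewal turns the periodic refresh into a KDC round trip per invocation.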
@@ -249,19 +249,21 @@ public class AutoTGT implements IAutoCredentials, 
ICredentialsRenewer {
                 } catch (RefreshFailedException e) {
                     LOG.warn("Failed to refresh TGT", e);
                 }
-            }
+            //}
         }
     }
 
     public static void main(String[] args) throws Exception {
+        
         AutoTGT at = new AutoTGT();
         Map conf = new java.util.HashMap();
         conf.put("java.security.auth.login.config", args[0]);
         at.prepare(conf);
         Map<String,String> creds = new java.util.HashMap<String,String>();
         at.populateCredentials(creds);
-        Subject s = new Subject();
-        at.populateSubject(s, creds);
-        LOG.info("Got a Subject "+s);
+        at.renew(creds);
+        //Subject s = new Subject();
+        //at.populateSubject(s, creds);
+        //LOG.info("Got a Subject "+s);
     }
 }
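Review bot: `conf.put("java.security.auth.login.config", args[0]);` reads `args[0]` with no argument-count check, so running the class without the JAAS path fails with ArrayIndexOutOfBoundsException instead of a usage message; the added blank line at the top of main() also carries trailing whitespace, and the raw `Map conf = new java.util.HashMap();` will emit an unchecked warning. Since this main() is now a debugging harness that calls `at.renew(creds)` straight after populateCredentials() and drops the populateSubject() path behind comments, it would be clearer as a separate test class than as the class's own main().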
{code}

I then called it.

{code}
java -cp ./storm-core-0.9.2-incubating-security.jar:./storm/lib/\* backtype.storm.security.auth.kerberos.AutoTGT jaas.conf
{code}

The contents of jaas.conf are
{code}
StormClient {
   com.sun.security.auth.module.Krb5LoginModule required
   doNotPrompt=false
   useTicketCache=true
   serviceName="storm";
};
{code}

I end up with the following error as part of the output.
{code}
294  [main] INFO  backtype.storm.security.auth.kerberos.AutoTGT - Pushing TGT for [email protected] to topology.
313  [main] INFO  backtype.storm.security.auth.kerberos.AutoTGT - Renewing TGT for [email protected]
452  [main] WARN  backtype.storm.security.auth.kerberos.AutoTGT - Failed to refresh TGT
javax.security.auth.RefreshFailedException: Failed to renew Kerberos Ticket for client [email protected] and server krbtgt/[email protected] - Message stream modified (41)
        at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:575) ~[na:1.7.0_17]
        at backtype.storm.security.auth.kerberos.AutoTGT.renew(AutoTGT.java:247) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
        at backtype.storm.security.auth.kerberos.AutoTGT.main(AutoTGT.java:264) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
        at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:80) ~[na:1.7.0_17]
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:88) ~[na:1.7.0_17]
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192) ~[na:1.7.0_17]
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203) ~[na:1.7.0_17]
        at sun.security.krb5.Credentials.renew(Credentials.java:259) ~[na:1.7.0_17]
        at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:567) ~[na:1.7.0_17]
        ... 2 common frames omitted
{code}

Turning on debug with -Dsun.security.krb5.debug=true is not that much better.
{code}
>>>KinitOptions cache name is /tmp/krb5cc_38795
>>>DEBUG <CCacheInputStream>  client principal is [email protected]
>>>DEBUG <CCacheInputStream> server principal is krbtgt/[email protected]
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Wed Jul 02 16:19:06 UTC 2014
>>>DEBUG <CCacheInputStream> start time: Wed Jul 02 16:19:02 UTC 2014
>>>DEBUG <CCacheInputStream> end time: Thu Jul 03 02:19:06 UTC 2014
>>>DEBUG <CCacheInputStream> renew_till time: Wed Jul 09 16:19:02 UTC 2014
>>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
Config name: /etc/krb5.conf
297  [main] INFO  backtype.storm.security.auth.kerberos.AutoTGT - Pushing TGT for [email protected] to topology.
316  [main] INFO  backtype.storm.security.auth.kerberos.AutoTGT - Renewing TGT for [email protected]
default etypes for default_tgs_enctypes: 23 16 17 18.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
>>> KrbKdcReq send: kdc=kdc1.test.com. TCP:88, timeout=30000, number of retries =3, #bytes=1798
>>> KDCCommunication: kdc=kdc1.test.com. TCP:88, timeout=30000,Attempt =1, #bytes=1798
>>>DEBUG: TCPClient reading 1804 bytes
>>> KrbKdcReq send: #bytes read=1804
>>> KdcAccessibility: remove kdc1.test.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
453  [main] WARN  backtype.storm.security.auth.kerberos.AutoTGT - Failed to refresh TGT
javax.security.auth.RefreshFailedException: Failed to renew Kerberos Ticket for client [email protected] and server krbtgt/[email protected] - Message stream modified (41)
        at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:575) ~[na:1.7.0_17]
        at backtype.storm.security.auth.kerberos.AutoTGT.renew(AutoTGT.java:247) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
        at backtype.storm.security.auth.kerberos.AutoTGT.main(AutoTGT.java:264) [storm-core-0.9.2-incubating-security.jar:0.9.2-incubating-security]
Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
        at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:80) ~[na:1.7.0_17]
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:88) ~[na:1.7.0_17]
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192) ~[na:1.7.0_17]
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203) ~[na:1.7.0_17]
        at sun.security.krb5.Credentials.renew(Credentials.java:259) ~[na:1.7.0_17]
        at javax.security.auth.kerberos.KerberosTicket.refresh(KerberosTicket.java:567) ~[na:1.7.0_17]
        ... 2 common frames omitted
{code}

> (Security) AutoTGT renewal is not working
> -----------------------------------------
>
>                 Key: STORM-345
>                 URL: https://issues.apache.org/jira/browse/STORM-345
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>            Reporter: Robert Joseph Evans
>            Assignee: Raghavendra Nandagopal
>              Labels: security
>
> AutoTGT will call tgt.refresh(); to try and renew a token, but every time we try to make this work the java code blows up with some very odd errors.
> Either we need to find some configurations and document them on how to make this work.
> Rip out the renewal code and update the documentation to explain that the renewal is not supported.
> Find another way to renew the TGT (Some other library)



--
This message was sent by Atlassian JIRA
(v6.2#6252)
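As an added example, not code from the Storm code base or from the comment above, the following stand-alone Java class performs the checks that are not visible in the renew() fragment quoted in the patch before it calls KerberosTicket.refresh(): it confirms the ticket carries the RENEWABLE flag, that renew_till has not passed and that the ticket is still live, and when the KDC still rejects the renewal (as in the "Message stream modified (41)" trace) it falls back to a fresh JAAS login from the same section, which is the one path that works whether or not renewal does. The class name TgtRenewCheck, the 80% refresh window and the re-login fallback are assumptions for illustration; running it requires a JAAS file with a section such as the StormClient one above, a populated ticket cache and a reachable KDC.

```java
// Added example (not Storm's AutoTGT): TGT renewal with pre-checks and a
// re-login fallback. Class name, 80% refresh window and fallback policy are
// assumptions for illustration.
import java.util.Date;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class TgtRenewCheck {

    // Assumed policy: attempt renewal once 80% of the ticket's current lifetime has elapsed.
    static final double REFRESH_FRACTION = 0.8;

    /** Return the TGT held in the Subject, or null if there is none. */
    static KerberosTicket findTgt(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            // The TGT is the ticket whose server principal is krbtgt/REALM@REALM.
            if (t.getServer().getName().startsWith("krbtgt/")) {
                return t;
            }
        }
        return null;
    }

    /** Epoch millis at which renewal should first be attempted. */
    static long refreshTime(KerberosTicket tgt) {
        Date start = tgt.getStartTime() != null ? tgt.getStartTime() : tgt.getAuthTime();
        long startMs = start.getTime();
        long endMs = tgt.getEndTime().getTime();
        return startMs + (long) ((endMs - startMs) * REFRESH_FRACTION);
    }

    /**
     * Explain why KerberosTicket.refresh() cannot succeed, or return null if it
     * may. refresh() throws RefreshFailedException for each of these cases too,
     * but checking first separates "this ticket can never be renewed" from a
     * KDC-side failure such as the "Message stream modified (41)" in the log.
     */
    static String whyNotRenewable(KerberosTicket tgt, long now) {
        if (!tgt.isRenewable()) {
            return "ticket does not carry the RENEWABLE flag";
        }
        Date renewTill = tgt.getRenewTill();
        if (renewTill == null || now >= renewTill.getTime()) {
            return "renew_till is missing or has passed";
        }
        if (now >= tgt.getEndTime().getTime()) {
            return "ticket has already expired; only a live ticket can be renewed";
        }
        return null;
    }

    /**
     * Renew the TGT in place if it is due; when renewal is impossible or the KDC
     * rejects it, authenticate again through the JAAS section (from the ticket
     * cache or keytab that section names) and return the new Subject.
     */
    static Subject renewOrRelogin(String jaasSection, Subject subject, long now) throws LoginException {
        KerberosTicket tgt = findTgt(subject);
        if (tgt == null) {
            throw new LoginException("no Kerberos TGT in Subject");
        }
        if (now < refreshTime(tgt)) {
            return subject;                       // not due yet
        }
        String reason = whyNotRenewable(tgt, now);
        if (reason == null) {
            try {
                tgt.refresh();                    // TGS-REQ with the RENEW option, ticket updated in place
                return subject;
            } catch (RefreshFailedException e) {
                reason = "KDC refused renewal: " + e.getMessage();
            }
        }
        System.err.println("Renewal not possible (" + reason + "); logging in again");
        LoginContext fresh = new LoginContext(jaasSection);
        fresh.login();
        return fresh.getSubject();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java -Djava.security.auth.login.config=jaas.conf TgtRenewCheck <jaasSection>");
            System.exit(2);
        }
        LoginContext lc = new LoginContext(args[0]);   // e.g. "StormClient"
        lc.login();
        Subject s = renewOrRelogin(args[0], lc.getSubject(), System.currentTimeMillis());
        KerberosTicket tgt = findTgt(s);
        System.out.println("TGT for " + tgt.getClient() + " valid until " + tgt.getEndTime()
                + (tgt.isRenewable() ? ", renewable until " + tgt.getRenewTill() : ", not renewable"));
    }
}
```

Against the cache shown in the debug output (flags FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH, renew_till a week out) the pre-checks would all pass, and the stack trace places the failure in sun.security.krb5.KrbKdcRep.check(), the JDK's comparison of the TGS-REP it received against the request it sent, so what the fallback branch would do here is discard the in-place renewal and log in again from the cache. A useful cross-check outside the JVM is `kinit -R` against the same /tmp/krb5cc_38795 cache: if the KDC renews the ticket for the native client but the Java path keeps failing with error 41, the problem is in the JDK's TGS exchange rather than in the ticket's renewability, which is the distinction the isRenewable()/getRenewTill() checks above make explicit.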
