Mate Szalay-Beko created ZOOKEEPER-3715:
-------------------------------------------

             Summary: Quorum Kerberos Authentication related tests fail for new 
JDK versions
                 Key: ZOOKEEPER-3715
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3715
             Project: ZooKeeper
          Issue Type: Improvement
            Reporter: Mate Szalay-Beko


Using OpenJDK 1.8.242 or OpenJDK 11.0.6, I got some Kerberos-related exceptions 
when running the following Quorum Kerberos Authentication related tests:
 - QuorumKerberosAuthTest
 - QuorumKerberosHostBasedAuthTest
 - SaslKerberosAuthOverSSLTest
The error:
{code:bash}
2020-02-03 12:11:07,197 [myid:localhost:11223] - ERROR [main-SendThread(localhost:11223):ZooKeeperSaslClient@336] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: null (5001))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
{code}
More detailed stack trace:
{code:bash}
Found ticket for zkclient/[email protected] to go to krbtgt/[email protected] expiring on Tue Feb 04 13:49:14 CET 2020
Found ticket for zkclient/[email protected] to go to krbtgt/[email protected] expiring on Tue Feb 04 13:49:14 CET 2020
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials serviceCredsSingle: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> CksumType: sun.security.krb5.internal.crypto.HmacSha1Aes128CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbKdcReq send: kdc=localhost TCP:62653, timeout=30000, number of retries =3, #bytes=586
>>> KDCCommunication: kdc=localhost TCP:62653, timeout=30000,Attempt =1, #bytes=586
>>>DEBUG: TCPClient reading 112 bytes
>>> KrbKdcReq send: #bytes read=112
>>> KdcAccessibility: remove localhost:62653
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError: sTime is Mon Feb 03 13:49:14 CET 2020 1580734154000 suSec is 100 error code is 5001 error Message is null crealm is EXAMPLE.COM sname is zkquorum/[email protected] msgType is 30
>>> Credentials serviceCredsSingle: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> CksumType: sun.security.krb5.internal.crypto.HmacSha1Aes128CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbKdcReq send: kdc=localhost TCP:62653, timeout=30000, number of retries =3, #bytes=586
>>> KDCCommunication: kdc=localhost TCP:62653, timeout=30000,Attempt =1, #bytes=586
>>>DEBUG: TCPClient reading 112 bytes
>>> KrbKdcReq send: #bytes read=112
>>> KdcAccessibility: remove localhost:62653
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError: sTime is Mon Feb 03 13:49:14 CET 2020 1580734154000 suSec is 100 error code is 5001 error Message is null crealm is EXAMPLE.COM sname is zkquorum/[email protected] msgType is 30
KrbException: null (5001)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:226)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:237)
    at sun.security.krb5.internal.CredentialsUtil.serviceCredsSingle(CredentialsUtil.java:400)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:287)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:263)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:118)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:490)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:695)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
    at org.apache.zookeeper.client.ZooKeeperSaslClient$1.run(ZooKeeperSaslClient.java:320)
    at org.apache.zookeeper.client.ZooKeeperSaslClient$1.run(ZooKeeperSaslClient.java:317)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:317)
    at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:303)
    at org.apache.zookeeper.client.ZooKeeperSaslClient.sendSaslPacket(ZooKeeperSaslClient.java:366)
    at org.apache.zookeeper.client.ZooKeeperSaslClient.initialize(ZooKeeperSaslClient.java:403)
    at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1192)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
    at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
    ... 20 more
2020-02-03 13:49:14,942 [myid:localhost:11223] - ERROR [main-SendThread(localhost:11223):ZooKeeperSaslClient@336] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: null (5001))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
{code}
 
After trying this with different JDK versions, we see that the problem seems to 
appear:
 * between OpenJDK 8.232 and 8.242 for Java 8
 * and between 11.0.3 and 11.0.6 for Java 11

There are a lot of Kerberos-related changes after 8.232: see 
[https://hg.openjdk.java.net/jdk8u/jdk8u/jdk]
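A small log-triage script, added here as an illustration and not part of ZooKeeper or of this report: it parses the shape of the JDK Krb5 debug output and the ZooKeeperSaslClient error quoted above (KDC contacted, KRBError fields, innermost KrbException, final client state) and produces a one-line verdict. The sample log is constructed; the principal zkquorum/zk1@EXAMPLE.COM and the "below 100" standard-code heuristic are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed sample in the shape of the JDK Krb5 debug output and the
# ZooKeeperSaslClient error quoted in the report; all values are made up.
SAMPLE_LOG = """\
>>> KrbKdcReq send: kdc=localhost TCP:62653, timeout=30000, number of retries =3, #bytes=586
>>>KRBError: sTime is Mon Feb 03 13:49:14 CET 2020 1580734154000 suSec is 100 error code is 5001 error Message is null crealm is EXAMPLE.COM sname is zkquorum/zk1@EXAMPLE.COM msgType is 30
Caused by: KrbException: Identifier doesn't match expected value (906)
2020-02-03 13:49:14,942 [myid:localhost:11223] - ERROR [main-SendThread(localhost:11223):ZooKeeperSaslClient@336] - An error: (javax.security.sasl.SaslException: GSS initiate failed) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
"""

KDC_RE = re.compile(r"KrbKdcReq send: kdc=(?P<kdc>\S+) (?P<proto>TCP|UDP):(?P<port>\d+)")
KRBERR_RE = re.compile(r"KRBError:.*?error code is (?P<code>\d+) error Message is (?P<msg>\S+)"
                       r" crealm is (?P<crealm>\S+) sname is (?P<sname>\S+) msgType is (?P<msgtype>\d+)")
CAUSE_RE = re.compile(r"Caused by: KrbException: (?P<text>.+?)(?: \((?P<code>\d+)\))?$")
ZK_RE = re.compile(r"ZooKeeperSaslClient@\d+\].*go to (?P<state>[A-Z_]+) state")

@dataclass
class SaslTriage:
    kdcs: List[str] = field(default_factory=list)                   # KDC endpoints contacted
    krb_errors: List[Dict[str, str]] = field(default_factory=list)  # every KRB_ERROR parsed
    root_cause: Optional[Dict[str, str]] = None                     # innermost KrbException
    zk_state: Optional[str] = None                                  # final ZooKeeper client state

def triage(log: str) -> SaslTriage:
    """Scan the log line by line and collect what identifies the failed TGS exchange."""
    t = SaslTriage()
    for line in log.splitlines():
        if m := KDC_RE.search(line):
            t.kdcs.append(f"{m['kdc']}:{m['port']}/{m['proto']}")
        elif m := KRBERR_RE.search(line):
            t.krb_errors.append(m.groupdict())
        elif m := CAUSE_RE.search(line):
            t.root_cause = m.groupdict()  # the last "Caused by" is the innermost one
        elif m := ZK_RE.search(line):
            t.zk_state = m["state"]
    return t

def summarize(t: SaslTriage) -> str:
    """One-line verdict; KRB_ERROR codes from RFC 4120 and its extensions are all
    below 100, so a code like 5001 is flagged as non-standard (heuristic)."""
    if t.zk_state != "AUTH_FAILED" or not t.krb_errors:
        return "no Kerberos SASL failure found"
    e, kdc = t.krb_errors[-1], (t.kdcs[-1] if t.kdcs else "unknown KDC")
    kind = "standard" if int(e["code"]) < 100 else "non-standard"
    cause = f"; innermost cause: {t.root_cause['text']}" if t.root_cause else ""
    return (f"TGS request for {e['sname']} in realm {e['crealm']} via {kdc} "
            f"returned KRB_ERROR code {e['code']} ({kind}){cause}")
```

Run it over a real client log (with `sun.security.krb5.debug=true`) to get the KDC, service principal and error code in one line instead of reading the whole trace.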

--
This message was sent by Atlassian Jira
(v8.3.4#803005)