[ https://issues.apache.org/jira/browse/HDFS-13520?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wei-Chiu Chuang updated HDFS-13520:
-----------------------------------
    Description: 
It looks like the current fuse_dfs implementation supports login using the current kerberos credential. If the tgt expires, it fails with the following error:
{noformat}
hdfsBuilderConnect(forceNewInstance=1, nn=hdfs://ns1, port=0, kerbTicketCachePath=/tmp/krb5cc_2000, userName=systest) error:
LoginException: Unable to obtain Principal Name for authentication
org.apache.hadoop.security.KerberosAuthException: failure to login: for user: systest using ticket cache file: /tmp/krb5cc_2000
javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
	at org.apache.hadoop.security.UserGroupInformation.getUGIFromTicketCache(UserGroupInformation.java:807)
	at org.apache.hadoop.security.UserGroupInformation.getBestUGI(UserGroupInformation.java:742)
	at org.apache.hadoop.fs.FileSystem.newInstance(FileSystem.java:404)
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
	at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
	at org.apache.hadoop.security.UserGroupInformation.getUGIFromTicketCache(UserGroupInformation.java:788)
	... 2 more
{noformat}
This is reproducible easily in a test cluster with an extremely short ticket lifetime (e.g. 1 minute).

Note: HDFS-3608 addresses a similar issue, but in this case, since the ticket cache file itself does not change, fuse couldn't detect & update.

It looks like it should call UserGroupInformation#loginFromKeytab() in the beginning, similar to how balancer supports keytab based login (HDFS-9804). Thanks [~xiaochen] for the idea.

A quick workaround would have a crontab job that periodically renews the kerberos ticket with a keytab, say every 8 hours.

  was:
It looks like the current fuse_dfs implementation supports login using the current kerberos credential. If the tgt expires, it fails with the following error:
{noformat}
hdfsBuilderConnect(forceNewInstance=1, nn=hdfs://ns1, port=0, kerbTicketCachePath=/tmp/krb5cc_2000, userName=systest) error:
LoginException: Unable to obtain Principal Name for authentication
org.apache.hadoop.security.KerberosAuthException: failure to login: for user: systest using ticket cache file: /tmp/krb5cc_2000
javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
	at org.apache.hadoop.security.UserGroupInformation.getUGIFromTicketCache(UserGroupInformation.java:807)
	at org.apache.hadoop.security.UserGroupInformation.getBestUGI(UserGroupInformation.java:742)
	at org.apache.hadoop.fs.FileSystem.newInstance(FileSystem.java:404)
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
	at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
	at org.apache.hadoop.security.UserGroupInformation.getUGIFromTicketCache(UserGroupInformation.java:788)
	... 2 more
{noformat}
This is reproducible easily in a test cluster with an extremely short ticket lifetime (e.g. 1 minute).

Note: HDFS-3608 addresses a similar issue, but in this case, since the ticket cache file itself does not change, fuse couldn't detect & update.

It looks like it should call UserGroupInformation#loginFromKeytab() in the beginning, similar to how balancer supports keytab based login (HDFS-9804). Thanks [~xiaochen] for the idea.

Or alternatively, have a background process that continuously re-logs in from the keytab.


> fuse_dfs to support keytab based login
> --------------------------------------
>
>                 Key: HDFS-13520
>                 URL: https://issues.apache.org/jira/browse/HDFS-13520
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>    Affects Versions: 2.6.0
>         Environment: Hadoop 2.6/3.0, Kerberized, fuse_dfs
>            Reporter: Wei-Chiu Chuang
>            Priority: Major
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
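The crontab workaround from the description, worked out as a small renewal script. This is an added example and not code from HDFS-13520, Hadoop or fuse_dfs: it takes the ticket cache path and user name from the error in the issue (/tmp/krb5cc_2000, systest), while the keytab path, principal and realm are placeholders to replace. The script refuses to use a keytab that other users can read, obtains a fresh TGT into the same cache fuse_dfs was started with, and then verifies the cache with klist -s, so a failed renewal is reported at cron time rather than surfacing later as the LoginException above. The command names are variables so the functions can be exercised without a KDC.

```shell
#!/bin/sh
# renew_fuse_tgt.sh (added example; hypothetical helper, not part of Hadoop or fuse_dfs)
# Refreshes the Kerberos TGT in the ticket cache that fuse_dfs reads, from a keytab.
# Run it from cron as the fuse_dfs user, e.g. every 8 hours:
#   0 */8 * * *  /usr/local/bin/renew_fuse_tgt.sh
# The cron interval must be shorter than the ticket lifetime the KDC issues,
# otherwise the cache still expires between runs.

# Cache path and user come from the error in the issue; keytab path, principal
# and realm are placeholders constructed for this example (MIT kinit/klist syntax).
KRB5_CACHE="${KRB5_CACHE:-/tmp/krb5cc_2000}"
KRB5_KEYTAB="${KRB5_KEYTAB:-/etc/security/keytabs/systest.keytab}"
KRB5_PRINCIPAL="${KRB5_PRINCIPAL:-systest@EXAMPLE.COM}"
# Overridable so the functions below can be tested without a KDC.
KINIT="${KINIT:-kinit}"
KLIST="${KLIST:-klist}"

# keytab_is_private FILE: succeeds only if FILE is a regular file with no
# group or other permission bits set (a keytab is a long-lived credential).
keytab_is_private() {
    [ -f "$1" ] || return 1
    # columns 5-10 of `ls -l` are the group and other permission triplets
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# tgt_valid: succeeds when the cache holds a non-expired TGT.
# `klist -s` prints nothing and exits 0 only in that case.
tgt_valid() {
    "$KLIST" -s -c "$KRB5_CACHE"
}

# renew_tgt: obtain a fresh TGT from the keytab into the cache and verify it.
# Exit status: 0 ok, 1 keytab missing or too permissive, 2 kinit failed,
# 3 the cache still holds no valid TGT after kinit.
renew_tgt() {
    if ! keytab_is_private "$KRB5_KEYTAB"; then
        echo "refusing to use $KRB5_KEYTAB: missing or readable by others" >&2
        return 1
    fi
    if ! "$KINIT" -kt "$KRB5_KEYTAB" -c "$KRB5_CACHE" "$KRB5_PRINCIPAL"; then
        echo "kinit from keytab failed for $KRB5_PRINCIPAL" >&2
        return 2
    fi
    if ! tgt_valid; then
        echo "$KRB5_CACHE still has no valid TGT after kinit" >&2
        return 3
    fi
    return 0
}

# Perform the renewal only when invoked as the script itself, not when sourced.
if [ "${0##*/}" = "renew_fuse_tgt.sh" ]; then
    renew_tgt
    exit $?
fi
```

Because fuse_dfs keeps reading the cache named by kerbTicketCachePath, the script must write to exactly that path (the -c option), and it must run as the same user so the cache file ownership does not change; a non-zero exit goes to cron's mail or log, which is the point at which an operator learns the keytab or the KDC is the problem, before the mount starts failing.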