[
https://issues.apache.org/jira/browse/HBASE-12953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14321957#comment-14321957
]
zhangduo commented on HBASE-12953:
----------------------------------
I found the problem. We need to use Subject.doAs when calling evaluateChallenge
in SaslClientHandler. Now we only use Subject.doAs when creating
SaslClientHandler.
But we need to send more packets when setting up SASL connections, so the problem
described in HBASE-13011 is more serious. So without HBASE-13011 the testcase
still cannot pass (a user call is sent before we finish SASL setup, so
SaslServer fails because it has received a wrong response).
I can post the patch here, but I think we need to let HBASE-13011 go first.
[~stack] [~jurmous]
Thanks~
> RegionServer is not functionally working with AsyncRpcClient in secure mode
> ---------------------------------------------------------------------------
>
> Key: HBASE-12953
> URL: https://issues.apache.org/jira/browse/HBASE-12953
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 2.0.0, 1.1.0
> Reporter: Ashish Singhi
> Assignee: stack
> Priority: Critical
> Attachments: testcase.patch
>
>
> HBase version 2.0.0
> Default value for {{hbase.rpc.client.impl}} is set to AsyncRpcClient.
> When trying to install HBase with Kerberos, RegionServer is not working
> functionally.
> The following log is logged in its log file
> {noformat}
> 2015-02-02 14:59:05,407 WARN [AsyncRpcChannel-pool1-t1] channel.DefaultChannelPipeline: An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
> io.netty.channel.ChannelPipelineException: org.apache.hadoop.hbase.security.SaslClientHandler.handlerAdded() has thrown an exception; removed.
>     at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:499)
>     at io.netty.channel.DefaultChannelPipeline.callHandlerAdded(DefaultChannelPipeline.java:481)
>     at io.netty.channel.DefaultChannelPipeline.addFirst0(DefaultChannelPipeline.java:114)
>     at io.netty.channel.DefaultChannelPipeline.addFirst(DefaultChannelPipeline.java:97)
>     at io.netty.channel.DefaultChannelPipeline.addFirst(DefaultChannelPipeline.java:235)
>     at io.netty.channel.DefaultChannelPipeline.addFirst(DefaultChannelPipeline.java:214)
>     at org.apache.hadoop.hbase.ipc.AsyncRpcChannel$2.operationComplete(AsyncRpcChannel.java:194)
>     at org.apache.hadoop.hbase.ipc.AsyncRpcChannel$2.operationComplete(AsyncRpcChannel.java:157)
>     at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:680)
>     at io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:603)
>     at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:563)
>     at io.netty.util.concurrent.DefaultPromise.trySuccess(DefaultPromise.java:406)
>     at io.netty.channel.DefaultChannelPromise.trySuccess(DefaultChannelPromise.java:82)
>     at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.fulfillConnectPromise(AbstractNioChannel.java:253)
>     at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:288)
>     at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:528)
>     at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
>     at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
>     at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
>     at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>     at org.apache.hadoop.hbase.security.SaslClientHandler.handlerAdded(SaslClientHandler.java:154)
>     at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:486)
>     ... 20 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
>     at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
>     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
>     at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
>     at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
> {noformat}
> When hbase.rpc.client.impl is set to RpcClientImpl, there seems to be no issue.
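The behaviour described in the comment above, as an added example that is not part of the original message and is not HBase code: a SASL step built under `Subject.doAs` but executed later on an I/O thread finds no Subject, while wrapping each `evaluateChallenge` call in `Subject.doAs` succeeds. The class `DoAsPerChallenge`, the stand-in `evaluateChallenge` method and the string credential are hypothetical; the sketch assumes a JDK from 8 through 17, where `Subject.getSubject(AccessController.getContext())` is supported.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.*;
import javax.security.auth.Subject;
import javax.security.sasl.SaslException;

public class DoAsPerChallenge {
  // Stand-in (hypothetical) for GssKrb5Client.evaluateChallenge: credentials are
  // looked up in the Subject bound to the calling context at invocation time.
  static byte[] evaluateChallenge(byte[] challenge) throws SaslException {
    Subject s = Subject.getSubject(AccessController.getContext());
    if (s == null || s.getPrivateCredentials(String.class).isEmpty()) {
      throw new SaslException("no credentials: no Subject on the calling thread");
    }
    return new byte[] {1}; // constructed one-byte response token
  }

  // The pattern from the comment: enter the Subject around every challenge step.
  static byte[] evaluateAs(Subject subject, byte[] challenge) throws SaslException {
    try {
      return Subject.doAs(subject,
          (PrivilegedExceptionAction<byte[]>) () -> evaluateChallenge(challenge));
    } catch (PrivilegedActionException e) {
      throw (SaslException) e.getException();
    }
  }

  public static void main(String[] args) throws Exception {
    Subject user = new Subject();
    user.getPrivateCredentials().add("constructed-ticket"); // stands in for a TGT
    ExecutorService ioThread = Executors.newSingleThreadExecutor(); // plays the event loop
    try {
      // Created under doAs, run later on the I/O thread: the Subject is gone by then.
      Callable<byte[]> step = Subject.doAs(user,
          (PrivilegedAction<Callable<byte[]>>) () -> () -> evaluateChallenge(new byte[0]));
      try {
        ioThread.submit(step).get();
      } catch (ExecutionException e) {
        System.out.println("doAs at creation only: " + e.getCause().getMessage());
      }
      byte[] token = ioThread.submit(() -> evaluateAs(user, new byte[0])).get();
      System.out.println("doAs per challenge: " + token.length + "-byte response");
    } finally {
      ioThread.shutdown();
    }
  }
}
```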