[jira] [Commented] (KUDU-2265) A non-leader master uses self-signed server TLS cert if it hasn't ever run as a leader

Thu, 18 Jan 2018 12:47:29 -0800 

    [ 
https://issues.apache.org/jira/browse/KUDU-2265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16331197#comment-16331197
 ] 

Alexey Serbin commented on KUDU-2265:
-------------------------------------

[~tlipcon], yes, I think that would be easier to troubleshoot.

Probably, we need to add more logging into both the C++ and the Java client 
code to describe what mechanisms are available and what mechanisms were chosen, 
and why.  And that should be printed out when negotiation fails (e.g., like 
it's done now as a trace in case of the C++ client).

> A non-leader master uses self-signed server TLS cert if it hasn't ever run as 
> a leader
> --------------------------------------------------------------------------------------
>
>                 Key: KUDU-2265
>                 URL: https://issues.apache.org/jira/browse/KUDU-2265
>             Project: Kudu
>          Issue Type: Improvement
>          Components: master, security
>    Affects Versions: 1.3.0, 1.3.1, 1.4.0, 1.6.0, 1.50
>            Reporter: Alexey Serbin
>            Priority: Major
>
> As it's currently implemented, master process replaces its auto-generated 
> self-signed server TLS certificate with CA-signed one only when it becomes a 
> leader (see {{{color:#333333}CatalogManager::InitCertAuthorityWith(){color}}} 
> method; it's invoked only from \{{CatalogManager::InitCertAuthority()}}, that 
> is invoked only from \{{CatalogManager::PrepareForLeadershipTask()}}).
>  
> In case of just one Raft election from the start (which is pretty common, 
> BTW), non-leader masters run without CA-signed server certificate for a long 
> time in case of a multi-master configuration.  That causes clients to not use 
> their authn tokens for authentication while connecting to those non-leader 
> masters.  In case of Spark applications where executors do not have Kerberos 
> credentials (the common case), application logs are polluted with messages 
> like below:
> {noformat}
> org.apache.kudu.client.NonRecoverableException: Server requires Kerberos, but 
> this client is not authenticated (kinit)
>   at org.apache.kudu.client.Negotiator.evaluateChallenge(Negotiator.java:705)
>   at org.apache.kudu.client.Negotiator.sendSaslInitiate(Negotiator.java:581)
> ...
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by 
> GSSException: No valid credentials provided (Mechanism level: Failed to find 
> any Kerberos tgt)]
>   at 
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211){noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to