[
https://issues.apache.org/jira/browse/PHOENIX-5393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16897454#comment-16897454
]
Swaroopa Kadam commented on PHOENIX-5393:
-----------------------------------------
[~elserj] We are seeing following test failures on 4.14 which is blocking
4.14.3 patch release. Do you know if this could fix the failure? If yes, could
you provide a patch for 4.14? Thank you.
{code:java}
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed:
0.003 s <<< FAILURE! - in org.apache.phoenix.end2end.SecureQueryServerIT
[ERROR] org.apache.phoenix.end2end.SecureQueryServerIT Time elapsed: 0.003
s <<< ERROR!
java.io.IOException: failure to login
at
org.apache.phoenix.end2end.SecureQueryServerIT.setUp(SecureQueryServerIT.java:230)
Caused by: javax.security.auth.login.LoginException:
java.lang.IllegalArgumentException: Illegal principal name [principal name
was listed here]:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
No rules applied to [principal name was listed here]
at
org.apache.phoenix.end2end.SecureQueryServerIT.setUp(SecureQueryServerIT.java:230)
Caused by: java.lang.IllegalArgumentException: Illegal principal
name [principal name was listed
here] rg.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
No rules applied to [principal name was listed here]
at
org.apache.phoenix.end2end.SecureQueryServerIT.setUp(SecureQueryServerIT.java:230)
Caused by:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
No rules applied to [principal name was listed here]
at
org.apache.phoenix.end2end.SecureQueryServerIT.setUp(SecureQueryServerIT.java:230)
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed:
0.004 s <<< FAILURE! - in
org.apache.phoenix.end2end.HttpParamImpersonationQueryServerIT
[ERROR] org.apache.phoenix.end2end.HttpParamImpersonationQueryServerIT
Time elapsed: 0.003 s <<< ERROR!
java.io.IOException: failure to login
at
org.apache.phoenix.end2end.HttpParamImpersonationQueryServerIT.setUp(HttpParamImpersonationQueryServerIT.java:253)
Caused by: javax.security.auth.login.LoginException:
java.lang.IllegalArgumentException: Illegal principal name [principal name
was listed here]
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
No rules applied to [principal name was listed here]
at
org.apache.phoenix.end2end.HttpParamImpersonationQueryServerIT.setUp(HttpParamImpersonationQueryServerIT.java:253)
Caused by: java.lang.IllegalArgumentException: Illegal principal
name [principal name was listed here]
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
No rules applied to [principal name was listed here]
at
org.apache.phoenix.end2end.HttpParamImpersonationQueryServerIT.setUp(HttpParamImpersonationQueryServerIT.java:253)
Caused by:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
No rules applied to [principal name was listed here]
at
org.apache.phoenix.end2end.HttpParamImpersonationQueryServerIT.setUp(HttpParamImpersonationQueryServerIT.java:253)
{code}
> Perform _HOST principal expansion for SPENGO QueryServer principal
> ------------------------------------------------------------------
>
> Key: PHOENIX-5393
> URL: https://issues.apache.org/jira/browse/PHOENIX-5393
> Project: Phoenix
> Issue Type: Improvement
> Reporter: István Tóth
> Assignee: Josh Elser
> Priority: Major
> Fix For: queryserver-1.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> [~stoty] found that we aren't doing {{_HOST}} expansion for PQS. We naturally
> get this for the principal we use to talk to HBase (by virtue of using
> SecurityUtil/UGI to log in). However, for SPNEGO, we're using the Avatica API
> to do this, so it doesn't do this "Hadoop-ism" for us.
> We can use SecurityUtil to do it ourselves and then pass the correct hostname
> into the Avatica {{HttpServer.Builder}} API.
> The error you get when {{_HOST}} is set is pretty obtuse on the server-side,
> including to help the poor soul who ventures here with a similar error.
> {noformat}
> 2019-07-17 08:48:03,383 WARN
> org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService:
> GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid
> argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES3
> CBC mode with SHA1-KD){noformat}
> We identified the problem by seeing, in {{-Dsun.security.spnego.debug=true
> -Dsun.security.krb5.debug=true}} output, the following:
> {noformat}
> Looking for keys for: HTTP/[email protected]{noformat}
> At this point in the call, we should have had an expanded "instance" in the
> principal.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
