[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client

2016-05-20 Thread Lenni Kuff (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15294171#comment-15294171
 ] 

Lenni Kuff commented on SENTRY-1265:


+1, thanks [~sravya]!

> Sentry service should not require a TGT as it is not talking to other 
> kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, 
> SENTRY-1265.2.patch, SENTRY-1265.3.patch, SENTRY-1265.4.patch, 
> SENTRY-1265.5.patch
>
>
> As part of renewThread we are logging out the subject and relogging in. This 
> is causing a client request to fail if it happens in this logout-login 
> window. 
> As only TGT needs renewal, we should never run the renewThread in Sentry 
> given that Sentry never is a Kerberos Client to other Kerberos Services. 
> Stack trace from sentry server if a client requests while server is renewing:
> {noformat}
> 2016-05-17 11:13:57,768 (pool-9-thread-2) [ERROR - org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:315)] SASL negotiation failure
> javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:113)
>     at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(FactoryImpl.java:85)
>     at javax.security.sasl.Sasl.createSaslServer(Sasl.java:509)
>     at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:140)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
>     at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
>     at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:89)
>     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
>     at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192)
>     at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406)
>     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
>     at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153)
>     at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:96)
>     ... 10 more
> 2016-05-17 11:13:57,769 (pool-9-thread-2) [ERROR - org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:296)] Error occurred during processing of message.
> java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Failure to initialize security context
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: org.apache.thrift.transport.TTransportException: Failure to initialize security context
>     at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
>     at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
>     ... 4 more
> 2016-05-17 11:13:57,769 (pool-9-thread-2) [DEBUG - org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:218)] failed to open server transport
> 
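
The acceptor-only login the issue description argues for, as an added example (it is not the SENTRY-1265 patch, whose contents do not appear in this thread): a JAAS configuration for the JDK's `Krb5LoginModule` with `isInitiator=false`, so the service takes its keys from the keytab and never requests a TGT. The class name, the entry name `acceptor`, and the principal and keytab arguments are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Added example: Kerberos login for a service that only accepts connections. */
public class AcceptorOnlyLogin {

    /** In-memory JAAS configuration; principal and keytab path come from the caller. */
    static Configuration acceptorConfig(String principal, String keytabPath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("principal", principal);
        opts.put("keyTab", keytabPath);
        opts.put("useKeyTab", "true");
        opts.put("storeKey", "true");        // keep the service keys in the Subject
        opts.put("doNotPrompt", "true");
        opts.put("useTicketCache", "false");
        // Acceptor only: the login module does not obtain a TGT.
        // With the default (true) the Subject carries a TGT that expires,
        // which is what a renew thread would then have to refresh.
        opts.put("isInitiator", "false");

        final AppConfigurationEntry[] entries = {
            new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED,
                opts)
        };
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return entries;
            }
        };
    }

    /** Logs in once; "acceptor" is an arbitrary entry name used only by this example. */
    static Subject login(String principal, String keytabPath) throws LoginException {
        LoginContext ctx = new LoginContext(
            "acceptor", new Subject(), null, acceptorConfig(principal, keytabPath));
        ctx.login();
        return ctx.getSubject();
    }

    /** True if the Subject holds any Kerberos ticket (a TGT would show up here). */
    static boolean holdsTicket(Subject s) {
        return !s.getPrivateCredentials(KerberosTicket.class).isEmpty();
    }

    /** True if the Subject holds what a GSS acceptor needs: keytab-backed or stored keys. */
    static boolean holdsAcceptorKeys(Subject s) {
        return !s.getPrivateCredentials(KeyTab.class).isEmpty()
            || !s.getPrivateCredentials(KerberosKey.class).isEmpty();
    }

    public static void main(String[] args) throws LoginException {
        if (args.length != 2) {
            System.err.println("usage: AcceptorOnlyLogin <service-principal> <keytab-path>");
            return;
        }
        Subject subject = login(args[0], args[1]);
        System.out.println("ticket in subject:     " + holdsTicket(subject));
        System.out.println("acceptor keys present: " + holdsAcceptorKeys(subject));
        // No ticket means nothing in the Subject expires, so no periodic
        // logout()/login() is needed and there is no window in which a
        // worker thread finds the Subject without credentials.
        if (holdsTicket(subject)) {
            throw new IllegalStateException("acceptor-only login unexpectedly obtained a ticket");
        }
    }
}
```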

[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client

2016-05-19 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15292533#comment-15292533
 ] 

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12805071/SENTRY-1265.5.patch 
against master.

{color:green}Overall:{color} +1 all checks pass

{color:green}SUCCESS:{color} all tests passed

Console output: 
https://builds.apache.org/job/PreCommit-SENTRY-Build/1590/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other 
> kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, 
> SENTRY-1265.2.patch, SENTRY-1265.3.patch, SENTRY-1265.4.patch, 
> SENTRY-1265.5.patch
>
>

[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client

2016-05-19 Thread Sravya Tirukkovalur (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15291601#comment-15291601
 ] 

Sravya Tirukkovalur commented on SENTRY-1265:
-

Apart from test failures which I am fixing, I see "The forked VM terminated 
without properly saying goodbye. VM crash or System.exit called?" Not entirely 
sure what is causing that. Looking into it.

> Sentry service should not require a TGT as it is not talking to other 
> kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, 
> SENTRY-1265.2.patch, SENTRY-1265.3.patch, SENTRY-1265.4.patch
>
>

[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client

2016-05-19 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15290589#comment-15290589
 ] 

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12804863/SENTRY-1265.4.patch 
against master.

{color:red}Overall:{color} -1 due to 5 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.generic.tools.TestSentryConfigToolSolr
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.generic.tools.TestSentryConfigToolSolr
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.generic.tools.TestSentryConfigToolSolr
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.generic.service.persistent.TestPrivilegeOperatePersistence

Console output: 
https://builds.apache.org/job/PreCommit-SENTRY-Build/1583/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other 
> kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, 
> SENTRY-1265.2.patch, SENTRY-1265.3.patch, SENTRY-1265.4.patch
>
>

[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client

2016-05-18 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15290482#comment-15290482
 ] 

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12804863/SENTRY-1265.4.patch 
against master.

{color:red}Overall:{color} -1 due to an error

{color:red}ERROR:{color} mvn test exited 1

Console output: 
https://builds.apache.org/job/PreCommit-SENTRY-Build/1578/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other 
> kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, 
> SENTRY-1265.2.patch, SENTRY-1265.3.patch, SENTRY-1265.4.patch
>
>

[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client

2016-05-18 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15290430#comment-15290430
 ] 

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12804859/SENTRY-1265.4.patch 
against master.

{color:red}Overall:{color} -1 due to 8 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.generic.service.persistent.TestPrivilegeOperatePersistence
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceFailureCase

Console output: 
https://builds.apache.org/job/PreCommit-SENTRY-Build/1576/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other 
> kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, 
> SENTRY-1265.2.patch, SENTRY-1265.3.patch, SENTRY-1265.4.patch
>
>

[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client

2016-05-18 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15290240#comment-15290240
 ] 

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12804837/SENTRY-1265.3.patch 
against master.

{color:red}Overall:{color} -1 due to 7 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceFailureCase

Console output: 
https://builds.apache.org/job/PreCommit-SENTRY-Build/1574/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other 
> kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, 
> SENTRY-1265.2.patch, SENTRY-1265.3.patch
>
>
> As part of renewThread we are logging out the subject and relogging in. This 
> is causing a client request to fail if it happens in this logout -login 
> window. 
> As only TGT needs renewal, we should never run the renewThread in Sentry 
> given that Sentry never is a Kerberos Client to other Kerberos Services. 
> Stack trace from sentry server if a client requests while server is renewing:
> {noformat}
> 2016-05-17 11:13:57,768 (pool-9-thread-2) [ERROR - 
> org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:315)] 
> SASL negotiation failure
> javax.security.sasl.SaslException: Failure to initialize security context 
> [Caused by GSSException: No valid credentials provided (Mechanism level: 
> Failed to find any Kerberos credentails)]
> at 
> com.sun.security.sasl.gsskerb.GssKrb5Server.(GssKrb5Server.java:113)
> at 
> com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(FactoryImpl.java:85)
> at javax.security.sasl.Sasl.createSaslServer(Sasl.java:509)
> at 
> org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:140)
> at 
> org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
> at 
> org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
> at 
> org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
> at 
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: GSSException: No valid credentials provided (Mechanism level: 
> Failed to find any Kerberos credentails)
> at 
> sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:89)
> at 
> sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
> at 
> sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192)
> at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406)
> at 
> sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
> at 
> sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153)
> at 
> com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:96)
> ... 10 more
> 2016-05-17 11:13:57,769 (pool-9-thread-2) [ERROR - 
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:296)]
>  Error occurred during processing of message.
> java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: 
> Failure to initialize security context
> at 
> org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
> at 
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at 
> 

[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client

2016-05-18 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15290163#comment-15290163
 ] 

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12804837/SENTRY-1265.3.patch 
against master.

{color:red}Overall:{color} -1 due to 6 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive

Console output: 
https://builds.apache.org/job/PreCommit-SENTRY-Build/1570/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other 
> kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, 
> SENTRY-1265.2.patch, SENTRY-1265.3.patch
>
>
> As part of renewThread we are logging out the subject and relogging in. This 
> is causing a client request to fail if it happens in this logout-login 
> window. 
> As only TGT needs renewal, we should never run the renewThread in Sentry 
> given that Sentry never is a Kerberos Client to other Kerberos Services. 

[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client

2016-05-18 Thread Sravya Tirukkovalur (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15288826#comment-15288826
 ] 

Sravya Tirukkovalur commented on SENTRY-1265:
-

Seems like SENTRY-428 should not be needed. I am also working on a test case to 
make sure client connections work even after service ticket end time. I am 
hitting an issue with https://issues.apache.org/jira/browse/HADOOP-10786 (bug 
in keytab based login for JDK 8) which is fixed in Hadoop 2.6.1. I think it 
might be best to create another JIRA to add a test and will attach my patch 
there. We can commit it once we move to Hadoop 2.6.1.

> Sentry service should not require a TGT as it is not talking to other 
> kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch
>
>
> As part of renewThread we are logging out the subject and relogging in. This 
> is causing a client request to fail if it happens in this logout-login 
> window. 
> Assuming only TGT needs renewal, we should never run the renewThread in 
> Sentry given that Sentry never is a Kerberos Client to other Kerberos 
> Services. 
> 
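
An added example, not part of this thread or of any SENTRY-1265 patch: one way a Java service that only accepts Kerberos contexts can log in from its keytab without obtaining a TGT, using the JDK's Krb5LoginModule with isInitiator=false. The class name, the JAAS entry name "accept-only" and the command-line arguments are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical class: accept-only Kerberos login for a service principal.
public class AcceptOnlyKerberosLogin {

    // In-memory JAAS configuration; equivalent to a jaas.conf entry.
    static Configuration acceptOnlyConfig(String principal, String keytabPath) {
        final Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");    // take the long-term key from the keytab
        options.put("keyTab", keytabPath);
        options.put("principal", principal);
        options.put("storeKey", "true");     // keep the key in the Subject for accepting
        options.put("doNotPrompt", "true");  // never fall back to interactive input
        options.put("isInitiator", "false"); // acceptor only: do not request a TGT
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // Logs in once; the returned Subject is what the SASL/GSS server side runs as.
    static Subject login(String principal, String keytabPath) throws LoginException {
        LoginContext ctx = new LoginContext("accept-only", new Subject(), null,
                acceptOnlyConfig(principal, keytabPath));
        ctx.login();
        return ctx.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        if (args.length != 2) {
            System.err.println("usage: AcceptOnlyKerberosLogin <principal> <keytab>");
            System.exit(2);
        }
        Subject subject = login(args[0], args[1]);
        // With isInitiator=false the Subject holds no KerberosTicket, so there is
        // no TGT to renew and no logout/login cycle for a request to race with.
        boolean hasTicket = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
        System.out.println("principals=" + subject.getPrincipals()
                + " holdsTicket=" + hasTicket);
    }
}
```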

[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client

2016-05-17 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15287437#comment-15287437
 ] 

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12804490/SENTRY-1265.0.patch 
against master.

{color:red}Overall:{color} -1 due to an error

{color:red}ERROR:{color} mvn test exited 1

Console output: 
https://builds.apache.org/job/PreCommit-SENTRY-Build/1563/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other 
> kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch
>
>
> As part of renewThread we are logging out the subject and relogging in. This 
> is causing a client request to fail if it happens in this logout-login 
> window. 
> Assuming only TGT needs renewal, we should never run the renewThread in 
> Sentry given that Sentry never is a Kerberos Client to other Kerberos 
> Services. 

[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client

2016-05-17 Thread Hao Hao (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15287424#comment-15287424
 ] 

Hao Hao commented on SENTRY-1265:
-

[~sravya] Thanks a lot for providing the patch. Should we also log at 
SentryService after SentryKerberosContext is initialized?  Also not sure if it 
is proper to disable the autorenew by default. SENTRY-428 introduced the auto 
renew, probably need more investigation on why it was needed before?

> Sentry service should not require a TGT as it is not talking to other 
> kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch
>
>
> As part of renewThread we are logging out the subject and relogging in. This 
> is causing a client request to fail if it happens in this logout-login 
> window. 
> Assuming only TGT needs renewal, we should never run the renewThread in 
> Sentry given that Sentry never is a Kerberos Client to other Kerberos 
> Services. 
> Stack trace from sentry server if a client requests while server is renewing:
> {noformat}
> 2016-05-17 11:13:57,768 (pool-9-thread-2) [ERROR - 
> org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:315)] 
> SASL negotiation failure
> javax.security.sasl.SaslException: Failure to initialize security context 
> [Caused by GSSException: No valid credentials provided (Mechanism level: 
> Failed to find any Kerberos credentails)]
> at 
> com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:113)
> at 
> com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(FactoryImpl.java:85)
> at javax.security.sasl.Sasl.createSaslServer(Sasl.java:509)
> at 
> org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:140)
> at 
> org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
> at 
> org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
> at 
> org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
> at 
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: GSSException: No valid credentials provided (Mechanism level: 
> Failed to find any Kerberos credentails)
> at 
> sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:89)
> at 
> sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
> at 
> sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192)
> at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406)
> at 
> sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
> at 
> sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153)
> at 
> com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:96)
> ... 10 more
> 2016-05-17 11:13:57,769 (pool-9-thread-2) [ERROR - 
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:296)]
>  Error occurred during processing of message.
> java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: 
> Failure to initialize security context
> at 
> org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
> at 
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: org.apache.thrift.transport.TTransportException: Failure to 
> initialize security context
> at 
> org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
> at 
> org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
> at 
> org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
> at 
> org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
> ... 4 more
> 2016-05-17 11:13:57,769 (pool-9-thread-2) [DEBUG - 
>