[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client
[ https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15294171#comment-15294171 ]

Lenni Kuff commented on SENTRY-1265:

+1, thanks [~sravya]!

> Sentry service should not require a TGT as it is not talking to other kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, SENTRY-1265.2.patch, SENTRY-1265.3.patch, SENTRY-1265.4.patch, SENTRY-1265.5.patch
>
> As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout-login window.
> As only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services.
> Stack trace from sentry server if a client requests while server is renewing:
> {noformat}
> 2016-05-17 11:13:57,768 (pool-9-thread-2) [ERROR - org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:315)] SASL negotiation failure
> javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:113)
>     at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(FactoryImpl.java:85)
>     at javax.security.sasl.Sasl.createSaslServer(Sasl.java:509)
>     at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:140)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
>     at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
>     at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:89)
>     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
>     at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192)
>     at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406)
>     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
>     at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153)
>     at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:96)
>     ... 10 more
> 2016-05-17 11:13:57,769 (pool-9-thread-2) [ERROR - org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:296)] Error occurred during processing of message.
> java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Failure to initialize security context
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: org.apache.thrift.transport.TTransportException: Failure to initialize security context
>     at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
>     at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
>     ... 4 more
> 2016-05-17 11:13:57,769 (pool-9-thread-2) [DEBUG - org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:218)] failed to open server transport
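An added example (not part of the issue thread or of Sentry's code): a log triage script for the failure in the trace above. It treats a `Krb5AcceptCredential` frame under the "No valid credentials provided" GSSException as the server lacking its own acceptor key, which is what the logout/login window described in the issue produces, and groups such entries into time windows. The function names, the 5-second grouping gap and the sample entries marked constructed are assumptions.

```python
import re
from datetime import datetime, timedelta

# Entry header in the layout of the trace above:
# "2016-05-17 11:13:57,768 (pool-9-thread-2) [ERROR - Class.method(File.java:315)] message"
HEADER = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \(([^)]+)\) \[(\w+) - [^\]]+\] (.*)$"
)
NO_CREDS = "GSSException: No valid credentials provided"

# Abridged from the trace quoted in the issue above (frames trimmed, text unchanged).
PAGE_ENTRIES = """\
2016-05-17 11:13:57,768 (pool-9-thread-2) [ERROR - org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:315)] SASL negotiation failure
javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)]
    at javax.security.sasl.Sasl.createSaslServer(Sasl.java:509)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:89)
2016-05-17 11:13:57,769 (pool-9-thread-2) [ERROR - org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:296)] Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Failure to initialize security context
"""

# Constructed for this example, not taken from the issue: a second worker hitting the
# same window, an initiator-side (client) failure, and a later acceptor-side failure.
CONSTRUCTED_ENTRIES = """\
2016-05-17 11:13:58,102 (pool-9-thread-5) [ERROR - org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:315)] SASL negotiation failure
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:89)
2016-05-17 11:20:00,000 (main) [ERROR - example.Client.connect(Client.java:10)] GSS initiate failed
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:1)
2016-05-17 19:13:57,640 (pool-9-thread-3) [ERROR - org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:315)] SASL negotiation failure
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:89)
"""
SAMPLE_LOG = PAGE_ENTRIES + CONSTRUCTED_ENTRIES


def parse_entries(text):
    """Split a log into entries: one header line plus its continuation (stack) lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            entries.append({"ts": ts, "thread": m.group(2),
                            "level": m.group(3), "body": [m.group(4)]})
        elif entries and line.strip():
            entries[-1]["body"].append(line.strip())
    return entries


def classify(entry):
    """Say which side of the GSS handshake had no credentials, judged by the JGSS frame."""
    body = "\n".join(entry["body"])
    if NO_CREDS not in body:
        return "other"
    if "Krb5AcceptCredential" in body:
        return "acceptor"    # the service's own key was not in its Subject
    if "Krb5InitCredential" in body:
        return "initiator"   # a client side without a usable TGT
    return "unknown-side"


def acceptor_windows(text, gap=timedelta(seconds=5)):
    """Group acceptor-side failures lying within `gap` of each other into windows."""
    windows = []
    for e in parse_entries(text):
        if classify(e) != "acceptor":
            continue
        if windows and e["ts"] - windows[-1]["end"] <= gap:
            w = windows[-1]
            w["end"] = e["ts"]
            w["count"] += 1
            w["threads"].add(e["thread"])
        else:
            windows.append({"start": e["ts"], "end": e["ts"],
                            "count": 1, "threads": {e["thread"]}})
    return windows


if __name__ == "__main__":
    for w in acceptor_windows(SAMPLE_LOG):
        print(w["start"], "->", w["end"], w["count"], "failures on", sorted(w["threads"]))
```

Windows that recur at a regular interval and clear without intervention are consistent with a periodic relogin; a window that never closes points at a missing or unreadable keytab instead.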
[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client
[ https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15292533#comment-15292533 ]

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12805071/SENTRY-1265.5.patch against master.

{color:green}Overall:{color} +1 all checks pass

{color:green}SUCCESS:{color} all tests passed

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/1590/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, SENTRY-1265.2.patch, SENTRY-1265.3.patch, SENTRY-1265.4.patch, SENTRY-1265.5.patch
>
> As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout-login window.
> As only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services.
[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client
[ https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15291601#comment-15291601 ]

Sravya Tirukkovalur commented on SENTRY-1265:
-

Apart from test failures which I am fixing, I see "The forked VM terminated without properly saying goodbye. VM crash or System.exit called?" Not entirely sure what is causing that. Looking into it.

> Sentry service should not require a TGT as it is not talking to other kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, SENTRY-1265.2.patch, SENTRY-1265.3.patch, SENTRY-1265.4.patch
>
> As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout-login window.
> As only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services.
[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client
[ https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15290589#comment-15290589 ]

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12804863/SENTRY-1265.4.patch against master.

{color:red}Overall:{color} -1 due to 5 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.generic.tools.TestSentryConfigToolSolr
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.generic.tools.TestSentryConfigToolSolr
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.generic.tools.TestSentryConfigToolSolr
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.generic.service.persistent.TestPrivilegeOperatePersistence

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/1583/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, SENTRY-1265.2.patch, SENTRY-1265.3.patch, SENTRY-1265.4.patch
>
> As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout-login window.
> As only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services.
[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client
[ https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15290482#comment-15290482 ]

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12804863/SENTRY-1265.4.patch against master.

{color:red}Overall:{color} -1 due to an error

{color:red}ERROR:{color} mvn test exited 1

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/1578/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, SENTRY-1265.2.patch, SENTRY-1265.3.patch, SENTRY-1265.4.patch
>
> As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout-login window.
> As only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services.
[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client
[ https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15290430#comment-15290430 ]

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12804859/SENTRY-1265.4.patch against master.

{color:red}Overall:{color} -1 due to 8 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.generic.service.persistent.TestPrivilegeOperatePersistence
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceFailureCase

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/1576/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, SENTRY-1265.2.patch, SENTRY-1265.3.patch, SENTRY-1265.4.patch
>
> As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout-login window.
> As only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services.
[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client
[ https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15290240#comment-15290240 ]

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12804837/SENTRY-1265.3.patch against master.

{color:red}Overall:{color} -1 due to 7 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceFailureCase

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/1574/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, SENTRY-1265.2.patch, SENTRY-1265.3.patch
>
> As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout-login window.
> As only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services.
[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client
[ https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15290163#comment-15290163 ]

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12804837/SENTRY-1265.3.patch
against master.

{color:red}Overall:{color} -1 due to 6 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/1570/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch, SENTRY-1265.1.patch, SENTRY-1265.2.patch, SENTRY-1265.3.patch
>
> As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout -login window.
> As only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services.
[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client
[ https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15288826#comment-15288826 ]

Sravya Tirukkovalur commented on SENTRY-1265:
-

Seems like Sentry-428 should not be needed.

I am also working on a test case to make sure client connections work even after service ticket end time. I am hitting an issue with https://issues.apache.org/jira/browse/HADOOP-10786 (bug in keytab based login for jdk8) which is fixed in Hadoop 2.6.1. I think it might be best to create another jira to add a test and will attach my patch there. We can commit it once we move to hadoop 2.6.1.

> Sentry service should not require a TGT as it is not talking to other kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch
>
> As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout -login window.
> Assuming only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services.
[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client
[ https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15287437#comment-15287437 ]

Hadoop QA commented on SENTRY-1265:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12804490/SENTRY-1265.0.patch
against master.

{color:red}Overall:{color} -1 due to an error

{color:red}ERROR:{color} mvn test exited 1

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/1563/console

This message is automatically generated.

> Sentry service should not require a TGT as it is not talking to other kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch
>
> As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout -login window.
> Assuming only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services.
[jira] [Commented] (SENTRY-1265) Sentry service should not require a TGT as it is not talking to other kerberos services as a client
[ https://issues.apache.org/jira/browse/SENTRY-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15287424#comment-15287424 ]

Hao Hao commented on SENTRY-1265:
-

[~sravya] Thanks a lot for providing the patch. Should we also log at SentryService after SentryKerberosContext is initialized? Also not sure if it is proper to disable the autorenew by default. SENTRY-428 introduced the auto renew, probably need more investigation on why it was needed before?

> Sentry service should not require a TGT as it is not talking to other kerberos services as a client
> ---
>
> Key: SENTRY-1265
> URL: https://issues.apache.org/jira/browse/SENTRY-1265
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Sravya Tirukkovalur
> Attachments: SENTRY-1265.0.patch
>
> As part of renewThread we are logging out the subject and relogging in. This is causing a client request to fail if it happens in this logout -login window.
> Assuming only TGT needs renewal, we should never run the renewThread in Sentry given that Sentry never is a Kerberos Client to other Kerberos Services.
> Stack trace from sentry server if a client requests while server is renewing:
> {noformat}
> 2016-05-17 11:13:57,768 (pool-9-thread-2) [ERROR - org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:315)] SASL negotiation failure
> javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:113)
>     at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(FactoryImpl.java:85)
>     at javax.security.sasl.Sasl.createSaslServer(Sasl.java:509)
>     at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:140)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
>     at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
>     at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:89)
>     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
>     at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192)
>     at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406)
>     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
>     at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153)
>     at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:96)
>     ... 10 more
> 2016-05-17 11:13:57,769 (pool-9-thread-2) [ERROR - org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:296)] Error occurred during processing of message.
> java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Failure to initialize security context
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: org.apache.thrift.transport.TTransportException: Failure to initialize security context
>     at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
>     at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
>     ... 4 more
> 2016-05-17 11:13:57,769 (pool-9-thread-2) [DEBUG -