[ https://issues.apache.org/jira/browse/HADOOP-13890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15748790#comment-15748790 ]
Xiaoyu Yao edited comment on HADOOP-13890 at 12/14/16 4:44 PM: --------------------------------------------------------------- [~yuanbo], here is what happened in your case. 1. hostname {{localhost}} is mapped to principal {{HTTP/localhost}} during KerberosAuthenticationHandler.java:init. {code} 2016-12-14 15:48:34,459 TRACE server.KerberosAuthenticationHandler (KerberosAuthenticationHandler.java:init(279)) - Map server: localhost to principal: HTTP/localhost {code} 2. authenticate request comes in {code} 2016-12-14 15:48:34,482 TRACE server.KerberosAuthenticationHandler (KerberosAuthenticationHandler.java:authenticate(400)) - SPNEGO starting for url: http://localhost:39910/foo/bar {code} 3. The localhost to principal lookup somehow failed with an empty principal as shown below, which failed the test. {code} 2016-12-14 15:48:34,495 TRACE server.KerberosAuthenticationHandler (KerberosAuthenticationHandler.java:run(421)) - SPNEGO with principals: [] {code} The only difference is in all the pass cases the HashMap lookup successfully find the right principal. I can't see obvious reason why the single principle is not being added into the HashMap during init(). I attach a new patch with additional tracing. [~yuanbo], can you try it out and post the result? {code} 2016-12-13 21:12:43,918 TRACE server.KerberosAuthenticationHandler (KerberosAuthenticationHandler.java:run(421)) - SPNEGO with principals: [HTTP/localhost] {code} was (Author: xyao): [~yuanbo], here is what happened in your case. 1. hostname {{localhost}} is mapped to principal {{HTTP/localhost}} during KerberosAuthenticationHandler.java:init. {code} 2016-12-14 15:48:34,459 TRACE server.KerberosAuthenticationHandler (KerberosAuthenticationHandler.java:init(279)) - Map server: localhost to principal: HTTP/localhost {code} 2. authenticate request comes in {code} 2016-12-14 15:48:34,482 TRACE server.KerberosAuthenticationHandler (KerberosAuthenticationHandler.java:authenticate(400)) - SPNEGO starting for url: http://localhost:39910/foo/bar {code} 3. The localhost to principal lookup somehow failed with an empty principal as shown below, which failed the test. {code} 2016-12-14 15:48:34,495 TRACE server.KerberosAuthenticationHandler (KerberosAuthenticationHandler.java:run(421)) - SPNEGO with principals: [] {code} The only difference is in all the other case the HashMap lookup successfully find the right principal. I've attach a new patch with additional tracing. [~yuanbo], can you try it out and post the result? {code} 2016-12-13 21:12:43,918 TRACE server.KerberosAuthenticationHandler (KerberosAuthenticationHandler.java:run(421)) - SPNEGO with principals: [HTTP/localhost] {code} > TestWebDelegationToken and TestKMS fails in trunk > ------------------------------------------------- > > Key: HADOOP-13890 > URL: https://issues.apache.org/jira/browse/HADOOP-13890 > Project: Hadoop Common > Issue Type: Bug > Components: test > Reporter: Brahma Reddy Battula > Assignee: Xiaoyu Yao > Attachments: HADOOP-13890.00.patch, HADOOP-13890.01.patch, > HADOOP-13890.02.patch, HADOOP-13890.03.patch, HADOOP-13890.04.patch, > HADOOP-13890.05.patch, test-failure.txt, test_failure_1.txt > > > TestWebDelegationToken, TestKMS , TestTrashWithSecureEncryptionZones and > TestSecureEncryptionZoneWithKMS started failing in trunk because the SPENGO > principle used in these test are incomplete: HTTP/localhost assuming the > default realm will be applied at authentication time. This ticket is opened > to fix these unit test with complete HTTP principal. > {noformat} > org.apache.hadoop.security.authentication.client.AuthenticationException: > org.apache.hadoop.security.authentication.client.AuthenticationException: > Invalid SPNEGO sequence, status code: 403 > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator.readToken(KerberosAuthenticator.java:371) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator.access$300(KerberosAuthenticator.java:53) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:317) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:287) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:287) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:205) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:132) > at > org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.doDelegationTokenOperation(DelegationTokenAuthenticator.java:298) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.getDelegationToken(DelegationTokenAuthenticator.java:170) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.getDelegationToken(DelegationTokenAuthenticatedURL.java:373) > at > org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken$5.call(TestWebDelegationToken.java:782) > at > org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken$5.call(TestWebDelegationToken.java:779) > at > org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken$4.run(TestWebDelegationToken.java:715) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken.doAsKerberosUser(TestWebDelegationToken.java:712) > at > org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken.testKerberosDelegationTokenAuthenticator(TestWebDelegationToken.java:778) > at > org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken.testKerberosDelegationTokenAuthenticator(TestWebDelegationToken.java:729) > {noformat} > *Jenkins URL* > https://builds.apache.org/job/hadoop-qbt-trunk-java8-linux-x86/251/testReport/ > https://builds.apache.org/job/PreCommit-HADOOP-Build/11240/testReport/ -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org