[jira] [Comment Edited] (HADOOP-13890) TestWebDelegationToken and TestKMS fails in trunk

Wed, 14 Dec 2016 08:45:31 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-13890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15748790#comment-15748790
 ] 

Xiaoyu Yao edited comment on HADOOP-13890 at 12/14/16 4:44 PM:
---------------------------------------------------------------

[~yuanbo], here is what happened in your case.

1. hostname {{localhost}} is mapped to principal {{HTTP/localhost}} during 
KerberosAuthenticationHandler.java:init.

{code}
2016-12-14 15:48:34,459 TRACE server.KerberosAuthenticationHandler 
(KerberosAuthenticationHandler.java:init(279)) - Map server: localhost to 
principal: HTTP/localhost
{code}

2. authenticate request comes in
{code}
2016-12-14 15:48:34,482 TRACE server.KerberosAuthenticationHandler 
(KerberosAuthenticationHandler.java:authenticate(400)) - SPNEGO starting for 
url: http://localhost:39910/foo/bar
{code}

3. The localhost to principal lookup somehow failed with an empty principal as 
shown below, which failed the test.
{code}
2016-12-14 15:48:34,495 TRACE server.KerberosAuthenticationHandler 
(KerberosAuthenticationHandler.java:run(421)) - SPNEGO with principals: []
{code}

The only difference is in all the pass cases the HashMap lookup successfully 
find the right principal. I can't see obvious reason why the single principle 
is not being added into the HashMap during init().  I attach a new patch with 
additional tracing. [~yuanbo], can you try it out and post the result?

{code}
2016-12-13 21:12:43,918 TRACE server.KerberosAuthenticationHandler 
(KerberosAuthenticationHandler.java:run(421)) - SPNEGO with principals: 
[HTTP/localhost]
{code}



was (Author: xyao):
[~yuanbo], here is what happened in your case.

1. hostname {{localhost}} is mapped to principal {{HTTP/localhost}} during 
KerberosAuthenticationHandler.java:init.

{code}
2016-12-14 15:48:34,459 TRACE server.KerberosAuthenticationHandler 
(KerberosAuthenticationHandler.java:init(279)) - Map server: localhost to 
principal: HTTP/localhost
{code}

2. authenticate request comes in
{code}
2016-12-14 15:48:34,482 TRACE server.KerberosAuthenticationHandler 
(KerberosAuthenticationHandler.java:authenticate(400)) - SPNEGO starting for 
url: http://localhost:39910/foo/bar
{code}

3. The localhost to principal lookup somehow failed with an empty principal as 
shown below, which failed the test.
{code}
2016-12-14 15:48:34,495 TRACE server.KerberosAuthenticationHandler 
(KerberosAuthenticationHandler.java:run(421)) - SPNEGO with principals: []
{code}

The only difference is in all the other case the HashMap lookup successfully 
find the right principal. I've attach a new patch with additional tracing. 
[~yuanbo], can you try it out and post the result?
{code}
2016-12-13 21:12:43,918 TRACE server.KerberosAuthenticationHandler 
(KerberosAuthenticationHandler.java:run(421)) - SPNEGO with principals: 
[HTTP/localhost]
{code}


> TestWebDelegationToken and TestKMS fails in trunk
> -------------------------------------------------
>
>                 Key: HADOOP-13890
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13890
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: test
>            Reporter: Brahma Reddy Battula
>            Assignee: Xiaoyu Yao
>         Attachments: HADOOP-13890.00.patch, HADOOP-13890.01.patch, 
> HADOOP-13890.02.patch, HADOOP-13890.03.patch, HADOOP-13890.04.patch, 
> HADOOP-13890.05.patch, test-failure.txt, test_failure_1.txt
>
>
> TestWebDelegationToken, TestKMS , TestTrashWithSecureEncryptionZones and 
> TestSecureEncryptionZoneWithKMS started failing in trunk because the SPENGO 
> principle used in these test are incomplete: HTTP/localhost assuming the 
> default realm will be applied at authentication time. This ticket is opened 
> to fix these unit test with complete HTTP principal.
> {noformat}
> org.apache.hadoop.security.authentication.client.AuthenticationException: 
> org.apache.hadoop.security.authentication.client.AuthenticationException: 
> Invalid SPNEGO sequence, status code: 403
>       at 
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator.readToken(KerberosAuthenticator.java:371)
>       at 
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator.access$300(KerberosAuthenticator.java:53)
>       at 
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:317)
>       at 
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:287)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at javax.security.auth.Subject.doAs(Subject.java:422)
>       at 
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:287)
>       at 
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:205)
>       at 
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:132)
>       at 
> org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216)
>       at 
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.doDelegationTokenOperation(DelegationTokenAuthenticator.java:298)
>       at 
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.getDelegationToken(DelegationTokenAuthenticator.java:170)
>       at 
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.getDelegationToken(DelegationTokenAuthenticatedURL.java:373)
>       at 
> org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken$5.call(TestWebDelegationToken.java:782)
>       at 
> org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken$5.call(TestWebDelegationToken.java:779)
>       at 
> org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken$4.run(TestWebDelegationToken.java:715)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at javax.security.auth.Subject.doAs(Subject.java:422)
>       at 
> org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken.doAsKerberosUser(TestWebDelegationToken.java:712)
>       at 
> org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken.testKerberosDelegationTokenAuthenticator(TestWebDelegationToken.java:778)
>       at 
> org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken.testKerberosDelegationTokenAuthenticator(TestWebDelegationToken.java:729)
>  {noformat}
>  *Jenkins URL* 
> https://builds.apache.org/job/hadoop-qbt-trunk-java8-linux-x86/251/testReport/
> https://builds.apache.org/job/PreCommit-HADOOP-Build/11240/testReport/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to