[ 
https://issues.apache.org/jira/browse/HADOOP-16283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16831001#comment-16831001
 ] 

Kihwal Lee commented on HADOOP-16283:
-------------------------------------

Thanks for the analysis.  It looks like branch-3.x and trunk are at kerby 1.0.1 
and we will need to move to 1.1.2 when it is released.

> Error in reading Kerberos principals from the Keytab file
> ---------------------------------------------------------
>
>                 Key: HADOOP-16283
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16283
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Farhan Khan
>            Priority: Major
>
> The error refers to the launching of Namenode daemon when Kerberos is used 
> for authentication. While reading Spnego principals (HTTP/.*) from the keytab 
> file to start the Jetty server, KerberosUtil throws an error:
> {code:java}
> javax.servlet.ServletException: java.io.IOException: Unexpected octets len: 16716
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.init(KerberosAuthenticationHandler.java:188)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.initializeAuthHandler(AuthenticationFilter.java:194)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.init(AuthenticationFilter.java:180)
>     at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:139)
>     at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:873)
>     at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:349)
>     at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1406)
>     at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1368)
>     at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:778)
>     at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:262)
>     at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:522)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
>     at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
>     at org.eclipse.jetty.server.Server.start(Server.java:427)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:105)
>     at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
>     at org.eclipse.jetty.server.Server.doStart(Server.java:394)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>     at org.apache.hadoop.http.HttpServer2.start(HttpServer2.java:1140)
>     at org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer.start(NameNodeHttpServer.java:177)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.startHttpServer(NameNode.java:872)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:694)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:940)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:913)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1646)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1713)
> Caused by: java.io.IOException: Unexpected octets len: 16716
>     at org.apache.kerby.kerberos.kerb.KrbInputStream.readCountedOctets(KrbInputStream.java:72)
>     at org.apache.kerby.kerberos.kerb.KrbInputStream.readKey(KrbInputStream.java:48)
>     at org.apache.kerby.kerberos.kerb.keytab.KeytabEntry.load(KeytabEntry.java:55)
>     at org.apache.kerby.kerberos.kerb.keytab.Keytab.readEntry(Keytab.java:203)
>     at org.apache.kerby.kerberos.kerb.keytab.Keytab.readEntries(Keytab.java:189)
>     at org.apache.kerby.kerberos.kerb.keytab.Keytab.doLoad(Keytab.java:161)
>     at org.apache.kerby.kerberos.kerb.keytab.Keytab.load(Keytab.java:155)
>     at org.apache.kerby.kerberos.kerb.keytab.Keytab.load(Keytab.java:143)
>     at org.apache.kerby.kerberos.kerb.keytab.Keytab.loadKeytab(Keytab.java:55)
>     at org.apache.hadoop.security.authentication.util.KerberosUtil.getPrincipalNames(KerberosUtil.java:225)
>     at org.apache.hadoop.security.authentication.util.KerberosUtil.getPrincipalNames(KerberosUtil.java:244)
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.init(KerberosAuthenticationHandler.java:152)
>     ... 29 more
> {code}
> The main problem is with reading a keytab file generated by heimdal-kdc 
> version 7.5.0. The Keytab class of package org.apache.kerby.kerberos.kerb.keytab 
> deals with reading entries from the keytab file. 
> This is the format of a keytab file. 
> {code:java}
> keytab {
>       uint16_t file_format_version;                    # 0x502
>       keytab_entry entries[*];
>   };
>   keytab_entry {
>       int32_t size;
>       uint16_t num_components;   # subtract 1 if version 0x501
>       counted_octet_string realm;
>       counted_octet_string components[num_components];
>       uint32_t name_type;       # not present if version 0x501
>       uint32_t timestamp;
>       uint8_t vno8;
>       keyblock key;
>       uint32_t vno; #only present if >= 4 bytes left in entry
>       uint32_t flags; #only present if >= 4 bytes left in entry
>   };
>   counted_octet_string {
>       uint16_t length;
>       uint8_t data[length];
>   };
>   keyblock {
>       uint16_t type;
>       counted_octet_string;
>   };
> {code}
> The first field of keytab_entry is the size of this entry in bytes. This field 
> itself is four bytes, but it contains the number of bytes of the rest of the 
> fields. The Keytab class tries to calculate the number of bytes read in every 
> entry. The mistake is that it includes the (number of bytes of the) first field 
> in the calculation of the total number of bytes read for a single entry. This 
> leads to misinterpretation of successive entries in the keytab file. Hence, the 
> Unexpected Octet len error is thrown.
> I have raised an issue with apache/directory-kerby: 
> https://issues.apache.org/jira/browse/DIRKRB-734.
> There is a PR also addressing this issue: 
> [https://github.com/apache/directory-kerby/pull/44]
>  
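
The size accounting described in the report, as an added Python example (not Kerby or Hadoop code): a reader for the 0x502 layout quoted above, where the hypothetical `count_size_field=True` switch models counting the 4-byte size field as part of the entry. `parse_keytab`, `sample_keytab` and the principals in the constructed sample are assumptions made for illustration.

```python
import io
import struct

def _take(s, fmt):
    raw = s.read(struct.calcsize(fmt))
    if len(raw) != struct.calcsize(fmt):
        raise ValueError("truncated keytab")
    return struct.unpack(fmt, raw)

def _octets(s, end):
    (n,) = _take(s, ">H")                      # counted_octet_string.length
    if s.tell() + n > end:                     # length runs past end of file
        raise ValueError(f"Unexpected octets len: {n}")
    return s.read(n)

def parse_keytab(blob, count_size_field=False):
    """Return [(principal, kvno)]; count_size_field=True models the miscount."""
    s, end, out = io.BytesIO(blob), len(blob), []
    if _take(s, ">H") != (0x502,):
        raise ValueError("only file_format_version 0x502 is handled here")
    while s.tell() < end:
        (size,) = _take(s, ">i")               # bytes that FOLLOW this field
        start = s.tell()
        used = lambda: s.tell() - start + (4 if count_size_field else 0)
        (ncomp,) = _take(s, ">H")
        realm = _octets(s, end)
        comps = [_octets(s, end) for _ in range(ncomp)]
        _name_type, _timestamp, kvno, _keytype = _take(s, ">IIBH")
        _octets(s, end)                        # key material, discarded
        if size - used() >= 4:                 # optional 32-bit vno
            (kvno,) = _take(s, ">I")
        s.seek(max(size - used(), 0), io.SEEK_CUR)   # skip flags, if any
        out.append((b"/".join(comps).decode() + "@" + realm.decode(), kvno))
    return out

def _co(b):
    return struct.pack(">H", len(b)) + b       # build a counted_octet_string

def sample_keytab():
    """Constructed keytab: three entries, all-zero 16-byte keys, kvno 2."""
    blob = struct.pack(">H", 0x502)
    for comps in ([b"HTTP", b"nn1.example.com"], [b"nn", b"nn1.example.com"],
                  [b"HTTP", b"nn2.example.com"]):
        body = struct.pack(">H", len(comps)) + _co(b"EXAMPLE.COM")
        body += b"".join(_co(c) for c in comps)
        body += struct.pack(">IIBH", 1, 0, 2, 17) + _co(bytes(16))
        body += struct.pack(">I", 2)           # trailing 32-bit vno
        blob += struct.pack(">i", len(body)) + body
    return blob
```

With the miscount enabled the reader stops 4 bytes short of the first entry's end, takes its trailing vno as the next size, and ends up reading the realm bytes "MP" as a length of 19792. The 16716 in the reported trace is 0x414C, the ASCII bytes "AL", which is consistent with the same kind of misalignment.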


