[ https://issues.apache.org/jira/browse/HADOOP-6947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12907517#action_12907517 ]
Todd Lipcon commented on HADOOP-6947:
-------------------------------------
There is no automatic test capability for keytab logins, so I wrote a manual
test that can be run in a kerberized environment. The test takes as arguments
the paths and principals for two separate keytabs and tries to login as each in
turn and verify the resulting UGI.
Without the refreshKrb5Config option, it fails with this error:
{noformat}
[t...@minotaur01 hadoop]$ HADOOP_CLASSPATH=build/test/classes/ ./bin/hadoop org.apache.hadoop.security.ManualTestKeytabLogins hbase/[email protected] ~/haus-cluster/hbase-minotaur-security/rs.keytab hbase/[email protected] ~/haus-cluster/hbase-minotaur-security/master.keytab
UGI 1 = hbase/[email protected]
Exception in thread "main" java.io.IOException: Login failure for hbase/[email protected] from keytab /home/todd/haus-cluster/hbase-minotaur-security/master.keytab
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:681)
        at org.apache.hadoop.security.ManualTestKeytabLogins.main(ManualTestKeytabLogins.java:49)
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789)
{noformat}
With the fix:
{noformat}
[t...@minotaur01 hadoop]$ HADOOP_CLASSPATH=build/test/classes/ ./bin/hadoop org.apache.hadoop.security.ManualTestKeytabLogins hbase/[email protected] ~/haus-cluster/hbase-minotaur-security/rs.keytab hbase/[email protected] ~/haus-cluster/hbase-minotaur-security/master.keytab
UGI 1 = hbase/[email protected]
UGI 2 = hbase/[email protected]
{noformat}
> Kerberos relogin should set refreshKrb5Config to true
> -----------------------------------------------------
>
> Key: HADOOP-6947
> URL: https://issues.apache.org/jira/browse/HADOOP-6947
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.22.0
> Reporter: Todd Lipcon
> Assignee: Todd Lipcon
>
> In working on securing a daemon that uses two different principals from
> different threads, I found that I wasn't able to login from a second keytab
> after I'd logged in from the first. This is because we don't set the
> refreshKrb5Config in the Configuration for the Krb5LoginModule - hence it
> won't switch over to the correct keytab file if it's different than the first.
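A stand-alone illustration of the JAAS option the issue is about, added here as an example and not code from Hadoop's UserGroupInformation or from the reporter: a small Configuration that feeds Krb5LoginModule a keytab, principal and refreshKrb5Config, and a helper that performs two keytab logins in turn the way the manual test above does. Class and method names are hypothetical; like the manual test, it assumes a kerberized environment with a reachable KDC and two valid keytabs.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical keytab-login helper; not Hadoop's UserGroupInformation. */
public class KeytabLoginDemo {

    /** JAAS configuration for one keytab/principal pair. */
    static Configuration keytabConfig(final String keytabPath, final String principal,
                                      final boolean refreshKrb5Config) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useKeyTab", "true");
                opts.put("storeKey", "true");
                opts.put("keyTab", keytabPath);
                opts.put("principal", principal);
                // The option HADOOP-6947 adds. Per the issue, without it a second
                // login in the same JVM does not switch to the new keytab and fails
                // with "Unable to obtain password from user".
                opts.put("refreshKrb5Config", Boolean.toString(refreshKrb5Config));
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    /** Logs in from the keytab and returns the authenticated principal name. */
    static String loginFromKeytab(String keytabPath, String principal) throws LoginException {
        LoginContext lc = new LoginContext("keytab-login", new Subject(), null,
                                           keytabConfig(keytabPath, principal, true));
        lc.login();
        return lc.getSubject().getPrincipals(KerberosPrincipal.class)
                 .iterator().next().getName();
    }

    /** Same procedure as the manual test: args are principal1 keytab1 principal2 keytab2. */
    public static void main(String[] args) throws LoginException {
        System.out.println("UGI 1 = " + loginFromKeytab(args[1], args[0]));
        System.out.println("UGI 2 = " + loginFromKeytab(args[3], args[2]));
    }
}
```

Passing false for refreshKrb5Config reproduces the configuration the issue describes, so the second login is the one to watch when checking a fix.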