[
https://issues.apache.org/jira/browse/HADOOP-14350?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16014713#comment-16014713
]
Steve Loughran commented on HADOOP-14350:
-----------------------------------------
Stack trace from example
{code}
2017-04-19 02:29:13,982 DEBUG
[org.apache.hadoop.metrics2.lib.MutableMetricsFactory] - field
org.apache.hadoop.metrics2.lib.MutableRate
org.apache.hadoop.security.UserGroupInformation$UgiMetrics.loginSuccess with
annotation @org.apache.hadoop.metrics2.annotation.Metric(about=,
sampleName=Ops, always=false, type=DEFAULT, value=[Rate of successful kerberos
logins and latency (milliseconds)], valueName=Time)
2017-04-19 02:29:13,990 DEBUG
[org.apache.hadoop.metrics2.lib.MutableMetricsFactory] - field
org.apache.hadoop.metrics2.lib.MutableRate
org.apache.hadoop.security.UserGroupInformation$UgiMetrics.loginFailure with
annotation @org.apache.hadoop.metrics2.annotation.Metric(about=,
sampleName=Ops, always=false, type=DEFAULT, value=[Rate of failed kerberos
logins and latency (milliseconds)], valueName=Time)
2017-04-19 02:29:13,991 DEBUG
[org.apache.hadoop.metrics2.lib.MutableMetricsFactory] - field
org.apache.hadoop.metrics2.lib.MutableRate
org.apache.hadoop.security.UserGroupInformation$UgiMetrics.getGroups with
annotation @org.apache.hadoop.metrics2.annotation.Metric(about=,
sampleName=Ops, always=false, type=DEFAULT, value=[GetGroups], valueName=Time)
2017-04-19 02:29:13,992 DEBUG
[org.apache.hadoop.metrics2.impl.MetricsSystemImpl] - UgiMetrics, User and
group related metrics
[KRB_DBG_CFG] Config:main: Java config file:
/opt/ibm/java/jre/lib/security/krb5.conf
[KRB_DBG_CFG] Config:main: Loaded from Java config
2017-04-19 02:29:14,175 DEBUG [org.apache.hadoop.security.Groups] - Creating
new Groups object
2017-04-19 02:29:14,178 DEBUG [org.apache.hadoop.util.NativeCodeLoader] -
Trying to load the custom-built native-hadoop library...
2017-04-19 02:29:14,179 DEBUG [org.apache.hadoop.util.NativeCodeLoader] -
Failed to load native-hadoop with error: java.lang.UnsatisfiedLinkError: hadoop
(Not found in java.library.path)
2017-04-19 02:29:14,179 DEBUG [org.apache.hadoop.util.NativeCodeLoader] -
java.library.path=/opt/ibm/java/jre/lib/amd64/compressedrefs:/opt/ibm/java/jre/lib/amd64:/usr/lib64:/usr/lib
2017-04-19 02:29:14,179 WARN [org.apache.hadoop.util.NativeCodeLoader] - Unable
to load native-hadoop library for your platform... using builtin-java classes
where applicable
2017-04-19 02:29:14,180 DEBUG
[org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback] - Falling
back to shell based
2017-04-19 02:29:14,180 DEBUG
[org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback] - Group
mapping impl=org.apache.hadoop.security.ShellBasedUnixGroupsMapping
2017-04-19 02:29:14,334 DEBUG [org.apache.hadoop.util.Shell] - setsid exited
with exit code 0
2017-04-19 02:29:14,334 DEBUG [org.apache.hadoop.security.Groups] - Group
mapping impl=org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback;
cacheTimeout=300000; warningDeltaMs=5000
IBMJGSSProvider Build-Level: -20161128
[JGSS_DBG_CRED] main JAAS config: principal=job/analytics
[JGSS_DBG_CRED] main JAAS config: credsType=initiate and accept
[JGSS_DBG_CRED] main config: useDefaultCcache=false
[JGSS_DBG_CRED] main config: useCcache=null
[JGSS_DBG_CRED] main config: useDefaultKeytab=false
[JGSS_DBG_CRED] main config: useKeytab=//job.keytab
[JGSS_DBG_CRED] main JAAS config: forwardable=false (default)
[JGSS_DBG_CRED] main JAAS config: renewable=false (default)
[JGSS_DBG_CRED] main JAAS config: proxiable=false (default)
[JGSS_DBG_CRED] main JAAS config: tryFirstPass=false (default)
[JGSS_DBG_CRED] main JAAS config: useFirstPass=false (default)
[JGSS_DBG_CRED] main JAAS config: moduleBanner=false (default)
[JGSS_DBG_CRED] main JAAS config: interactive login? no
[JGSS_DBG_CRED] main JAAS config: refreshKrb5Config = true
[KRB_DBG_CFG] Config:main: Java config file:
/opt/ibm/java/jre/lib/security/krb5.conf
[KRB_DBG_CFG] Config:main: Loaded from Java config
[KRB_DBG_KDC] KdcComm:main: >>> KdcAccessibility: reset
[KRB_DBG_KDC] KdcComm:main: >>> KdcAccessibility: reset
[JGSS_DBG_CRED] main Try keytab for principal=job/analytics
[KRB_DBG_KTAB] KeyTab:main: >>> KeyTab: trying to load keytab file /job.keytab
[KRB_DBG_KTAB] KeyTab:main: >>> KeyTab: exception /job.keytab (No such file
or directory)
Key for the principal job/[email protected] not available in
//job.keytab
[KRB_DBG_CCHE] Credentials:main: >>> Credentials: Created Credentials with 0
keys. Key types:
[JGSS_DBG_CRED] main Done retrieving Kerberos creds from keytab
[JGSS_DBG_CRED] main Retrieving Kerberos creds from cache for
principal=job/analytics
[JGSS_DBG_CRED] main Non-interactive login; no callbacks necessary.
[JGSS_DBG_CRED] main No Kerberos creds in cache for principal job/analytics
[JGSS_DBG_CRED] main Doing Kerberos login for principal
job/[email protected]
2017-04-19 02:29:14,381 DEBUG [org.apache.hadoop.security.UserGroupInformation]
- hadoop login
Exception in thread "main" java.io.IOException: Login failure for job/analytics
from keytab job.keytab
at
org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1103)
at com.TestKrb.main(TestKrb.java:10)
Caused by: javax.security.auth.login.FailedLoginException: Null key
at
com.ibm.security.jgss.i18n.I18NException.throwFailedLoginException(I18NException.java:1)
at
com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:355)
at
com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:515)
at
com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:411)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:788)
at
javax.security.auth.login.LoginContext.access$000(LoginContext.java:196)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
at
java.security.AccessController.doPrivileged(AccessController.java:686)
at
javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:719)
at javax.security.auth.login.LoginContext.login(LoginContext.java:593)
at
org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1092)
... 1 more
{code}
> Relative path for Kerberos keytab is not working on IBM JDK
> -----------------------------------------------------------
>
> Key: HADOOP-14350
> URL: https://issues.apache.org/jira/browse/HADOOP-14350
> Project: Hadoop Common
> Issue Type: Bug
> Components: common, security
> Affects Versions: 2.7.3
> Environment: IBM JDK
> Reporter: Wen Yuan Chen
>
> For the sample code below:
> {code}
> public class TestKrb {
> public static void main(String[] args) throws IOException {
> String user = args[0], path = args[1];
> UserGroupInformation ugi =
> UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, path);
> System.out.println("Login successfully");
> }
> }
> {code}
> When I use IBM JDK and pass a relative path for the Kerberos keytab, it will
> throw error messages. According to the debug log, it always tries to read
> the keytab from the root path. See the debug logs below:
> In above log, the useKeytab=<value> entry is showing a <value> prefaced by a
> leading "//". It appears that HADOOP is adjusting the user supplied keytab
> file and most likely prefacing it with something like "FILE://", which would
> cause the resulting IBM normalized value to then be prefaced by "//" before
> the user supplied keytab file. This is the cause for why relative paths used
> with HADOOP are not working with IBM JVM's.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
