[jira] [Commented] (HADOOP-11754) RM fails to start in non-secure mode due to authentication filter failure

Zhijie Shen (JIRA) Fri, 27 Mar 2015 13:16:54 -0700

    [ 
https://issues.apache.org/jira/browse/HADOOP-11754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14384532#comment-14384532
 ]


Zhijie Shen commented on HADOOP-11754:
--------------------------------------

Before 2.7:

* {{AuthenticationFilterInitializer}}, {{RMAuthenticationFilterInitializer}} 
and {{TimelineAuthenticationFilterInitializer}} read the secret file, but 
behave a bit different. {{FileSignerSecretProvider}} seems to choose the 
behavior of {{RMAuthenticationFilterInitializer}}. However, unlike 
{{RMAuthenticationFilterInitializer}}, {{AuthenticationFilterInitializer}} 
doesn't allow null secret file path, while 
{{TimelineAuthenticationFilterInitializer}} DOESN'T have default secret file 
path.

* {{AuthenticationFilter}} check it customized secret exists (no matter it 
comes from secret file or directly put in the configuration) or not to decide 
failback to random secret no matter {{AuthenticationFilter}} is used in secure 
mode (Kerberos handler) or in insecure mode (Pseudo handler).

After these changes in 2.7.

* {{RMAuthenticationFilterInitializer}}'s behavior is chosen as the standard.

* {{AuthenticationFilter}} no longer accepts secret that is put inside the 
configuration file. It may not be the best practice, but it's a valid scenario 
before. {{AuthenticationFilter}} also forces the user to have the secret file 
in secure mode, and it's not able to failback to random secret.

Talking about timeline server specifically, in the case of starting timeline 
server in secure mode with the default secret config, the following logic will 
happen:

1. It tries to read the secret file, but it doesn't exists.
2. It checks and finds it's a secure mode, and throws the exception, and 
consequently timeline server fails to start.

bq.  think it is a separate issue and we can look at it in a separate jira.

I'm afraid it's not a separate issue. This change is going to break the 
timeline server secure deployment.

> RM fails to start in non-secure mode due to authentication filter failure
> -------------------------------------------------------------------------
>
>                 Key: HADOOP-11754
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11754
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.7.0
>            Reporter: Sangjin Lee
>            Assignee: Haohui Mai
>            Priority: Blocker
>         Attachments: HADOOP-11754-v1.patch, HADOOP-11754-v2.patch, 
> HADOOP-11754.000.patch, HADOOP-11754.001.patch
>
>
> RM fails to start in the non-secure mode with the following exception:
> {noformat}
> 2015-03-25 22:02:42,526 WARN org.mortbay.log: failed RMAuthenticationFilter: 
> javax.servlet.ServletException: java.lang.RuntimeException: Could not read 
> signature secret file: /Users/sjlee/hadoop-http-auth-signature-secret
> 2015-03-25 22:02:42,526 WARN org.mortbay.log: Failed startup of context 
> org.mortbay.jetty.webapp.WebAppContext@6de50b08{/,jar:file:/Users/sjlee/hadoop-3.0.0-SNAPSHOT/share/hadoop/yarn/hadoop-yarn-common-3.0.0-SNAPSHOT.jar!/webapps/cluster}
> javax.servlet.ServletException: java.lang.RuntimeException: Could not read 
> signature secret file: /Users/sjlee/hadoop-http-auth-signature-secret
>       at 
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.initializeSecretProvider(AuthenticationFilter.java:266)
>       at 
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.init(AuthenticationFilter.java:225)
>       at 
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.init(DelegationTokenAuthenticationFilter.java:161)
>       at 
> org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilter.init(RMAuthenticationFilter.java:53)
>       at org.mortbay.jetty.servlet.FilterHolder.doStart(FilterHolder.java:97)
>       at 
> org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>       at 
> org.mortbay.jetty.servlet.ServletHandler.initialize(ServletHandler.java:713)
>       at org.mortbay.jetty.servlet.Context.startContext(Context.java:140)
>       at 
> org.mortbay.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1282)
>       at 
> org.mortbay.jetty.handler.ContextHandler.doStart(ContextHandler.java:518)
>       at 
> org.mortbay.jetty.webapp.WebAppContext.doStart(WebAppContext.java:499)
>       at 
> org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>       at 
> org.mortbay.jetty.handler.HandlerCollection.doStart(HandlerCollection.java:152)
>       at 
> org.mortbay.jetty.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:156)
>       at 
> org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>       at 
> org.mortbay.jetty.handler.HandlerWrapper.doStart(HandlerWrapper.java:130)
>       at org.mortbay.jetty.Server.doStart(Server.java:224)
>       at 
> org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>       at org.apache.hadoop.http.HttpServer2.start(HttpServer2.java:773)
>       at org.apache.hadoop.yarn.webapp.WebApps$Builder.start(WebApps.java:274)
>       at 
> org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.startWepApp(ResourceManager.java:974)
>       at 
> org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceStart(ResourceManager.java:1074)
>       at 
> org.apache.hadoop.service.AbstractService.start(AbstractService.java:193)
>       at 
> org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.main(ResourceManager.java:1208)
> Caused by: java.lang.RuntimeException: Could not read signature secret file: 
> /Users/sjlee/hadoop-http-auth-signature-secret
>       at 
> org.apache.hadoop.security.authentication.util.FileSignerSecretProvider.init(FileSignerSecretProvider.java:59)
>       at 
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.initializeSecretProvider(AuthenticationFilter.java:264)
>       ... 23 more
> ...
> 2015-03-25 22:02:42,538 FATAL 
> org.apache.hadoop.yarn.server.resourcemanager.ResourceManager: Error starting 
> ResourceManager
> org.apache.hadoop.yarn.webapp.WebAppException: Error starting http server
>       at org.apache.hadoop.yarn.webapp.WebApps$Builder.start(WebApps.java:279)
>       at 
> org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.startWepApp(ResourceManager.java:974)
>       at 
> org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceStart(ResourceManager.java:1074)
>       at 
> org.apache.hadoop.service.AbstractService.start(AbstractService.java:193)
>       at 
> org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.main(ResourceManager.java:1208)
> Caused by: java.io.IOException: Problem in starting http server. Server 
> handlers failed
>       at org.apache.hadoop.http.HttpServer2.start(HttpServer2.java:785)
>       at org.apache.hadoop.yarn.webapp.WebApps$Builder.start(WebApps.java:274)
>       ... 4 more
> {noformat}
> This is likely a regression introduced by HADOOP-10670.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (HADOOP-11754) RM fails to start in non-secure mode due to authentication filter failure

Reply via email to