Wen Yuan Chen created HADOOP-14350:
--------------------------------------

             Summary: Relative path for Kerberos keytab is not working on IBM JDK
                 Key: HADOOP-14350
                 URL: https://issues.apache.org/jira/browse/HADOOP-14350
             Project: Hadoop Common
          Issue Type: Bug
          Components: common, security
    Affects Versions: 2.7.3
            Reporter: Wen Yuan Chen
            Priority: Blocker


For the sample code below:

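import java.io.IOException;

import org.apache.hadoop.security.UserGroupInformation;

public class TestKrb {
  public static void main(String[] args) throws IOException {
    // args[0] = Kerberos principal, args[1] = path to the keytab file
    String user = args[0], path = args[1];
    UserGroupInformation ugi =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, path);
    System.out.println("Login successfully");
  }
}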

When I use IBM JDK and pass a relative path for the Kerberos keytab, it will 
throw error messages.  According to the debug log, it always tries to read the 
keytab from the root path.  See the debug logs below:


2017-04-19 02:29:13,982 DEBUG [org.apache.hadoop.metrics2.lib.MutableMetricsFactory] - field org.apache.hadoop.metrics2.lib.MutableRate org.apache.hadoop.security.UserGroupInformation$UgiMetrics.loginSuccess with annotation @org.apache.hadoop.metrics2.annotation.Metric(about=, sampleName=Ops, always=false, type=DEFAULT, value=[Rate of successful kerberos logins and latency (milliseconds)], valueName=Time)
2017-04-19 02:29:13,990 DEBUG [org.apache.hadoop.metrics2.lib.MutableMetricsFactory] - field org.apache.hadoop.metrics2.lib.MutableRate org.apache.hadoop.security.UserGroupInformation$UgiMetrics.loginFailure with annotation @org.apache.hadoop.metrics2.annotation.Metric(about=, sampleName=Ops, always=false, type=DEFAULT, value=[Rate of failed kerberos logins and latency (milliseconds)], valueName=Time)
2017-04-19 02:29:13,991 DEBUG [org.apache.hadoop.metrics2.lib.MutableMetricsFactory] - field org.apache.hadoop.metrics2.lib.MutableRate org.apache.hadoop.security.UserGroupInformation$UgiMetrics.getGroups with annotation @org.apache.hadoop.metrics2.annotation.Metric(about=, sampleName=Ops, always=false, type=DEFAULT, value=[GetGroups], valueName=Time)
2017-04-19 02:29:13,992 DEBUG [org.apache.hadoop.metrics2.impl.MetricsSystemImpl] - UgiMetrics, User and group related metrics
[KRB_DBG_CFG] Config:main:   Java config file: /opt/ibm/java/jre/lib/security/krb5.conf
[KRB_DBG_CFG] Config:main:   Loaded from Java config
2017-04-19 02:29:14,175 DEBUG [org.apache.hadoop.security.Groups] -  Creating new Groups object
2017-04-19 02:29:14,178 DEBUG [org.apache.hadoop.util.NativeCodeLoader] - Trying to load the custom-built native-hadoop library...
2017-04-19 02:29:14,179 DEBUG [org.apache.hadoop.util.NativeCodeLoader] - Failed to load native-hadoop with error: java.lang.UnsatisfiedLinkError: hadoop (Not found in java.library.path)
2017-04-19 02:29:14,179 DEBUG [org.apache.hadoop.util.NativeCodeLoader] - java.library.path=/opt/ibm/java/jre/lib/amd64/compressedrefs:/opt/ibm/java/jre/lib/amd64:/usr/lib64:/usr/lib
2017-04-19 02:29:14,179 WARN [org.apache.hadoop.util.NativeCodeLoader] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
2017-04-19 02:29:14,180 DEBUG [org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback] - Falling back to shell based
2017-04-19 02:29:14,180 DEBUG [org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback] - Group mapping impl=org.apache.hadoop.security.ShellBasedUnixGroupsMapping
2017-04-19 02:29:14,334 DEBUG [org.apache.hadoop.util.Shell] - setsid exited with exit code 0
2017-04-19 02:29:14,334 DEBUG [org.apache.hadoop.security.Groups] - Group mapping impl=org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback; cacheTimeout=300000; warningDeltaMs=5000
IBMJGSSProvider Build-Level: -20161128
[JGSS_DBG_CRED]  main JAAS config: principal=job/analytics
[JGSS_DBG_CRED]  main JAAS config: credsType=initiate and accept
[JGSS_DBG_CRED]  main config: useDefaultCcache=false
[JGSS_DBG_CRED]  main config: useCcache=null
[JGSS_DBG_CRED]  main config: useDefaultKeytab=false
[JGSS_DBG_CRED]  main config: useKeytab=//job.keytab
[JGSS_DBG_CRED]  main JAAS config: forwardable=false (default)
[JGSS_DBG_CRED]  main JAAS config: renewable=false (default)
[JGSS_DBG_CRED]  main JAAS config: proxiable=false (default)
[JGSS_DBG_CRED]  main JAAS config: tryFirstPass=false (default)
[JGSS_DBG_CRED]  main JAAS config: useFirstPass=false (default)
[JGSS_DBG_CRED]  main JAAS config: moduleBanner=false (default)
[JGSS_DBG_CRED]  main JAAS config: interactive login? no
[JGSS_DBG_CRED]  main JAAS config: refreshKrb5Config = true
[KRB_DBG_CFG] Config:main:   Java config file: /opt/ibm/java/jre/lib/security/krb5.conf
[KRB_DBG_CFG] Config:main:   Loaded from Java config
[KRB_DBG_KDC] KdcComm:main:   >>> KdcAccessibility: reset
[KRB_DBG_KDC] KdcComm:main:   >>> KdcAccessibility: reset
[JGSS_DBG_CRED]  main Try keytab for principal=job/analytics
[KRB_DBG_KTAB] KeyTab:main:   >>> KeyTab: trying to load keytab file /job.keytab
[KRB_DBG_KTAB] KeyTab:main:   >>> KeyTab: exception /job.keytab (No such file or directory)
Key for the principal job/analytics@KDC.LON02.HADOOP not available in //job.keytab
[KRB_DBG_CCHE] Credentials:main:   >>> Credentials: Created Credentials with 0 keys. Key types:
[JGSS_DBG_CRED]  main Done retrieving Kerberos creds from keytab
[JGSS_DBG_CRED]  main Retrieving Kerberos creds from cache for principal=job/analytics
[JGSS_DBG_CRED]  main Non-interactive login; no callbacks necessary.
[JGSS_DBG_CRED]  main No Kerberos creds in cache for principal job/analytics
[JGSS_DBG_CRED]  main Doing Kerberos login for principal job/analytics@KDC.LON02.HADOOP
2017-04-19 02:29:14,381 DEBUG [org.apache.hadoop.security.UserGroupInformation] - hadoop login
Exception in thread "main" java.io.IOException: Login failure for job/analytics from keytab job.keytab
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1103)
        at com.TestKrb.main(TestKrb.java:10)
Caused by: javax.security.auth.login.FailedLoginException: Null key
        at com.ibm.security.jgss.i18n.I18NException.throwFailedLoginException(I18NException.java:1)
        at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:355)
        at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:515)
        at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:411)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:788)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:196)
        at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
        at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
        at java.security.AccessController.doPrivileged(AccessController.java:686)
        at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:719)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:593)
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1092)
        ... 1 more


In the above log, the useKeytab=<value> entry is showing a <value> prefaced by a
leading "//".  It appears that HADOOP is adjusting the user-supplied keytab
file and most likely prefacing it with something like "FILE://", which would
cause the resulting IBM normalized value to then be prefaced by "//" before the
user-supplied keytab file.  This is the cause for why relative paths used with
HADOOP are not working with IBM JVMs.




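An added example, not part of the original report and not Hadoop's own code: a JDK-only check of what a "file://" prefix does to a relative keytab path, plus a helper that resolves the keytab to an absolute path and flags non-owner permissions before the value is handed to loginUserFromKeytabAndReturnUGI. The class name KeytabPathCheck, the helper resolveKeytab and the sample file are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;

public class KeytabPathCheck {

  /** Hypothetical helper: resolve a keytab argument to an absolute, readable path. */
  static String resolveKeytab(String keytabArg) throws IOException {
    // Resolved against the JVM working directory: "job.keytab" -> "<cwd>/job.keytab".
    Path p = Paths.get(keytabArg).toAbsolutePath().normalize();
    if (!Files.isRegularFile(p) || !Files.isReadable(p)) {
      throw new IOException("Keytab not readable: " + p);
    }
    // A keytab holds long-term keys, so report any permission beyond the owner's.
    // (Runs only where the file system exposes POSIX permissions.)
    if (p.getFileSystem().supportedFileAttributeViews().contains("posix")) {
      for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
        if (!perm.name().startsWith("OWNER_")) {
          System.err.println("WARNING: keytab " + p + " grants " + perm);
        }
      }
    }
    return p.toString();
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample: an empty stand-in file created in the working directory.
    Path sample = Files.createTempFile(Paths.get("."), "job", ".keytab");
    sample.toFile().deleteOnExit();
    String relative = sample.getFileName().toString();

    // "file://" + relative path: the file name parses as the URI authority and
    // the path component is empty, so the relative location is lost.
    URI bad = URI.create("file://" + relative);
    System.out.println("authority=" + bad.getAuthority() + " path='" + bad.getPath() + "'");

    // Absolute path: the file URI has no authority and keeps the full path.
    String absolute = resolveKeytab(relative);
    URI good = Paths.get(absolute).toUri();
    System.out.println("authority=" + good.getAuthority() + " path='" + good.getPath() + "'");
    // Pass `absolute` as the keytab argument to loginUserFromKeytabAndReturnUGI.
  }
}
```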