[ https://issues.apache.org/jira/browse/HADOOP-11651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
zhouyingchao updated HADOOP-11651: ---------------------------------- Status: Patch Available (was: Open) > Handle kerberos authentication where there is no principal of HTTP/host@REALM > ----------------------------------------------------------------------------- > > Key: HADOOP-11651 > URL: https://issues.apache.org/jira/browse/HADOOP-11651 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 2.6.0 > Reporter: zhouyingchao > Assignee: zhouyingchao > Attachments: HADOOP-11651-001.patch > > > In a testing cluster, the HTTP service principal is just HTTP/hdtst@REALM > rather than HTTP/hostname@REALM. In this case, the following exception is > thrown on active HDFS namenode when bootstrap the standy HDFS namenode: > 2015-02-28,16:08:44,106 WARN > org.apache.hadoop.security.authentication.server.AuthenticationFilter: > Authentication exception: GSSException: No valid credentials provided > (Mechanism level: Failed to find any Kerberos Key) > org.apache.hadoop.security.authentication.client.AuthenticationException: > GSSException: No valid credentials provided (Mechanism level: Failed to find > any Kerberos Key) > at > org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:412) > at > org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:507) > at > org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212) > at > org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1224) > at > org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212) > at > org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45) > at > org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212) > at > org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399) > .... > Caused by: GSSException: No valid credentials provided (Mechanism level: > Failed to find any Kerberos Key) > at > sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:95) > at > sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111) > at > sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178) > at > sun.security.jgss.spnego.SpNegoMechFactory.getCredentialElement(SpNegoMechFactory.java:109) > at > sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178) > at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384) > at > sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:57) > at > sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:145) > at > org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:363) > ... > We think our configuration is a valid use case and we should fix the issue. > The attached patch has been tested and it works fine on our testing cluster. -- This message was sent by Atlassian JIRA (v6.3.4#6332)