Balu Vellanki created FALCON-954:
------------------------------------
Summary: Secure Kerberos setup : Falcon should periodically
revalidate security credentials.
Key: FALCON-954
URL: https://issues.apache.org/jira/browse/FALCON-954
Project: Falcon
Issue Type: Bug
Affects Versions: 0.6
Reporter: Balu Vellanki
Assignee: Balu Vellanki
Priority: Critical
Fix For: 0.7
If the credentials are not validated regularly, entity actions like schedule,
update and delete will fail with the following exception.
{code}
org.apache.falcon.FalconException: AUTHENTICATION : AUTHENTICATION :
java.lang.reflect.UndeclaredThrowableException
at
org.apache.falcon.workflow.engine.OozieWorkflowEngine.getJobDetails(OozieWorkflowEngine.java:1328)
at
org.apache.falcon.service.FalconTopicSubscriber.onMessage(FalconTopicSubscriber.java:100)
at
org.apache.activemq.ActiveMQMessageConsumer.dispatch(ActiveMQMessageConsumer.java:1229)
at
org.apache.activemq.ActiveMQSessionExecutor.dispatch(ActiveMQSessionExecutor.java:134)
at
org.apache.activemq.ActiveMQSessionExecutor.iterate(ActiveMQSessionExecutor.java:205)
at
org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:122)
at
org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:43)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: AUTHENTICATION : AUTHENTICATION :
java.lang.reflect.UndeclaredThrowableException
at
org.apache.oozie.client.ProxyOozieClient.getJobInfo(ProxyOozieClient.java:306)
at
org.apache.falcon.workflow.engine.OozieWorkflowEngine.getJobDetails(OozieWorkflowEngine.java:1317)
... 9 more
Caused by: AUTHENTICATION : java.lang.reflect.UndeclaredThrowableException
at
org.apache.oozie.client.ProxyOozieClient.getJobInfo(ProxyOozieClient.java:321)
at org.apache.oozie.client.OozieClient.getJobInfo(OozieClient.java:780)
at
org.apache.oozie.client.ProxyOozieClient.access$1201(ProxyOozieClient.java:48)
at
org.apache.oozie.client.ProxyOozieClient$12.call(ProxyOozieClient.java:302)
at
org.apache.oozie.client.ProxyOozieClient$12.call(ProxyOozieClient.java:299)
at org.apache.oozie.client.OozieClient.doAs(OozieClient.java:191)
at
org.apache.oozie.client.ProxyOozieClient.getJobInfo(ProxyOozieClient.java:299)
... 10 more
Caused by: java.lang.reflect.UndeclaredThrowableException
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1609)
at
org.apache.oozie.client.ProxyOozieClient.createConnection(ProxyOozieClient.java:87)
at
org.apache.oozie.client.OozieClient$ClientCallable.call(OozieClient.java:478)
at org.apache.oozie.client.OozieClient.getJobInfo(OozieClient.java:802)
at
org.apache.oozie.client.ProxyOozieClient.access$1301(ProxyOozieClient.java:48)
at
org.apache.oozie.client.ProxyOozieClient$13.call(ProxyOozieClient.java:317)
at
org.apache.oozie.client.ProxyOozieClient$13.call(ProxyOozieClient.java:314)
at org.apache.oozie.client.OozieClient.doAs(OozieClient.java:191)
at
org.apache.oozie.client.ProxyOozieClient.getJobInfo(ProxyOozieClient.java:314)
... 16 more
Caused by: AUTHENTICATION : Could not authenticate, GSSException: No valid
credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at
org.apache.oozie.client.AuthOozieClient.createTokenBasedAuthConnection(AuthOozieClient.java:156)
at
org.apache.oozie.client.AuthOozieClient.createConnection(AuthOozieClient.java:209)
at
org.apache.oozie.client.ProxyOozieClient.access$001(ProxyOozieClient.java:48)
at
org.apache.oozie.client.ProxyOozieClient$1.run(ProxyOozieClient.java:89)
at
org.apache.oozie.client.ProxyOozieClient$1.run(ProxyOozieClient.java:87)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1594)
... 24 more
Caused by:
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
at
org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
at
org.apache.oozie.client.AuthOozieClient.createTokenBasedAuthConnection(AuthOozieClient.java:148)
... 31 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed
to find any Kerberos tgt)
at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
at
sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
at
sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
at
sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
at
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
at
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
... 34 more
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
