[
https://issues.apache.org/jira/browse/PHOENIX-5198?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Karan Mehta resolved PHOENIX-5198.
----------------------------------
Resolution: Not A Bug
> GSSException: No valid credentials provided (Mechanism level: Failed to find
> any Kerberos tgt)
> ----------------------------------------------------------------------------------------------
>
> Key: PHOENIX-5198
> URL: https://issues.apache.org/jira/browse/PHOENIX-5198
> Project: Phoenix
> Issue Type: Bug
> Affects Versions: 5.0.0
> Environment: >HDP 3.0.0
> >Phoenix 5.0.0
> >HBase 2.0.0
> >Spark 2.3.1
> >Hadoop 3.0.1
>
> Reporter: gejx
> Priority: Blocker
> Attachments: application_1551919460625_0204.txt
>
>
> I re-run the program, the code is as follows:
> code
> {code:java}
> @transient val confWrap = new Configuration()
> confWrap.set("hbase.zookeeper.quorum", missionSession.config.zkQuorum)
> confWrap.set("zookeeper.znode.parent", "/hbase-secure")
> confWrap.set("hbase.zookeeper.property.clientPort", "2181")
> confWrap.set("hadoop.security.authentication", "kerberos")
> confWrap.set("hbase.security.authentication", "kerberos")
> confWrap.set("hbase.myclient.keytab", missionSession.config.keytab)
> confWrap.set("hbase.myclient.principal", missionSession.config.principal)
> @transient val ugi: UserGroupInformation =
> UserGroupInformation.loginUserFromKeytabAndReturnUGI(missionSession.config.principal,
> missionSession.config.keytab)
> ugi.doAs(new PrivilegedExceptionAction[Unit] {
> override def run(): Unit = {
> val df: DataFrame =
> sqlContext.phoenixTableAsDataFrame(missionSession.config.tableName, Seq("ID",
> "NAME"), zkUrl = Some(missionSession.config.zkUrl), conf = confWrap)
> df.show(2)
> }
> }){code}
> The parameters I submitted are as follows:
> {code:java}
> spark-submit --master yarn --name PHOENIX_SPARK_PLUGIN --deploy-mode cluster
> --driver-memory 1024M --executor-memory 1024M --num-executors 2
> --executor-cores 1 --keytab /path/testdmp.keytab --principal d...@testdip.org
> --conf spark.yarn.maxAppAttempts=1 --conf
> spark.driver.extraJavaOptions="-Dlog4j.configuration=log4j.properties" --conf
> spark.executor.extraJavaOptions="-Dlog4j.configuration=log4j.properties"
> /opt/workspace/plugin/phoenix-spark-plugin-example-1.11.0-SNAPSHOT-jar-with-dependencies.jar
>
> "DMP_CONF={\"spark\":{\"sparkMaster\":\"yarn\"},\"zkUrl\":\"jdbc:phoenix:test-dmp5.fengdai.org,test-dmp3.fengdai.org,test-dmp4.fengdai.org\",\"tableName\":\"DMP.DMP_TEST\"
>
> ,\"isDS\":true,\"zkQuorum\":\"test-dmp5.fengdai.org,test-dmp3.fengdai.org,test-dmp4.fengdai.org\",\"keytab\":\"/path/testdmp.keytab\",\"principal\":\"d...@testdip.org\"}"{code}
>
> I tried to add keytab information to the url, but that didn't work. By
> reading the source code, the keytab information is retrieved from conf when
> the login is checked. So I configured it accordingly:
> The conf for the sample:
> {code:java}
> confWrap.set("hbase.myclient.keytab", missionSession.config.keytab)
> confWrap.set("hbase.myclient.principal",
> missionSession.config.principal){code}
> The url for the sample:
> {code:java}
> jdbc:phoenix:test-dmp5.fengdai.org,test-dmp3.fengdai.org,test-dmp4.fengdai.org:d...@testdip.org:/path/testdmp.keytab{code}
> The submission parameter contains keytab information, driver can parse
> SQL,Excutor performed the re-login operation, but still threw the exception
> GSSException,The excutor log shows "PrivilegedAction as DMP ". Why does
> relogin not change the current UGI?
>
> driver-log:
> {code:java}
> DEBUG UserGroupInformation: hadoop login
> DEBUG UserGroupInformation: hadoop login commit
> DEBUG UserGroupInformation: using local user:UnixPrincipal: dmp
> DEBUG UserGroupInformation: Using user: "UnixPrincipal: dmp" with name dmp
> DEBUG UserGroupInformation: User entry: "dmp"
> DEBUG UserGroupInformation: Reading credentials from location set in
> HADOOP_TOKEN_FILE_LOCATION:
> /hadoop/yarn/local/usercache/dmp/appcache/application_1551919460625_0199/container_e27_1551919460625_0199_01_000001/container_tokens
> DEBUG UserGroupInformation: Loaded 3 tokens
> DEBUG UserGroupInformation: UGI loginUser:dmp (auth:SIMPLE)
> DEBUG UserGroupInformation: hadoop login
> DEBUG UserGroupInformation: hadoop login commit
> DEBUG UserGroupInformation: using kerberos user:d...@testdip.org
> DEBUG UserGroupInformation: Using user: "d...@testdip.org" with name
> d...@testdip.org
> DEBUG UserGroupInformation: User entry: "d...@testdip.org"
> INFO UserGroupInformation: Login successful for user d...@testdip.org using
> keytab file testdmp.keytab-fb56007a-7d7d-4639-bf9e-5726b91901fd
> DEBUG UserGroupInformation: PrivilegedAction as:d...@testdip.org
> (auth:KERBEROS)
> from:org.apache.spark.deploy.yarn.ApplicationMaster.doAsUser(ApplicationMaster.scala:814)
> DEBUG UserGroupInformation: PrivilegedAction as:d...@testdip.org
> (auth:KERBEROS)
> from:org.apache.spark.deploy.yarn.ApplicationMaster.doAsUser(ApplicationMaster.scala:814)
> {code}
> excutor-log:
> {code:java}
> 19/03/14 22:10:08 DEBUG SparkHadoopUtil: creating UGI for user: dmp
> 19/03/14 22:10:08 DEBUG UserGroupInformation: hadoop login
> 19/03/14 22:10:08 DEBUG UserGroupInformation: hadoop login commit
> 19/03/14 22:10:08 DEBUG UserGroupInformation: using local user:UnixPrincipal:
> dmp
> 19/03/14 22:10:08 DEBUG UserGroupInformation: Using user: "UnixPrincipal:
> dmp" with name dmp
> 19/03/14 22:10:08 DEBUG UserGroupInformation: User entry: "dmp"
> 19/03/14 22:10:08 DEBUG UserGroupInformation: Reading credentials from
> location set in HADOOP_TOKEN_FILE_LOCATION:
> /hadoop/yarn/local/usercache/dmp/appcache/application_1551919460625_0204/container_e27_1551919460625_0204_01_000002/container_tokens
> 19/03/14 22:10:08 DEBUG UserGroupInformation: Loaded 3 tokens
> 19/03/14 22:10:08 DEBUG UserGroupInformation: UGI loginUser:dmp (auth:SIMPLE)
> 19/03/14 22:10:08 DEBUG UserGroupInformation: PrivilegedAction as:dmp
> (auth:SIMPLE)
> from:org.apache.spark.deploy.SparkHadoopUtil.runAsSparkUser(SparkHadoopUtil.scala:64)
> -----------------------------------------------------------------------------------------------------------------------------------------
> 19/03/14 22:10:50 DEBUG UserGroupInformation: hadoop login
> 19/03/14 22:10:50 DEBUG UserGroupInformation: hadoop login commit
> 19/03/14 22:10:50 DEBUG UserGroupInformation: using kerberos
> user:d...@testdip.org
> 19/03/14 22:10:50 DEBUG UserGroupInformation: Using user: "d...@testdip.org"
> with name d...@testdip.org
> 19/03/14 22:10:50 DEBUG UserGroupInformation: User entry: "d...@testdip.org"
> 19/03/14 22:10:50 INFO UserGroupInformation: Login successful for user
> d...@testdip.org using keytab file
> /tesdmp/keytabs/nnjKorRc37PPPjLf/dmp/testdmp.keytab
> ------------------------------------------------------------------------------------------------------------------------------------------
> 19/03/14 22:11:02 DEBUG AbstractHBaseSaslRpcClient: Creating SASL GSSAPI
> client. Server's Kerberos principal name is
> hbase/test-dmp4.fengdai....@testdip.org
> 19/03/14 22:11:03 DEBUG UserGroupInformation: PrivilegedAction as:dmp
> (auth:SIMPLE)
> from:org.apache.hadoop.hbase.security.NettyHBaseSaslRpcClientHandler.handlerAdded(NettyHBaseSaslRpcClientHandler.java:106)
> 19/03/14 22:11:03 DEBUG UserGroupInformation: PrivilegedActionException
> as:dmp (auth:SIMPLE) cause:javax.security.sasl.SaslException: GSS initiate
> failed [Caused by GSSException: No valid credentials provided (Mechanism
> level: Failed to find any Kerberos tgt)]
> {code}
> In this method, relogging does not change current User, ConnectionInfo is
> cached based on current User, and the connection is not available at this
> point:
> Relation
> URL:https://issues.apache.org/jira/browse/PHOENIX-5145?jql=project%20%3D%20PHOENIX%20AND%20issuetype%20%3D%20Bug
>
> log:
> {code:java}
> 19/03/14 22:10:51 DEBUG PhoenixDriver: tmp==my current user is dmp
> (auth:SIMPLE)
> 19/03/14 22:10:51 DEBUG PhoenixDriver: tmp==my login user is d...@testdip.org
> (auth:KERBEROS){code}
> method:
> {code:java}
> public ConnectionInfo normalize(ReadOnlyProps props, Properties info) throws
> SQLException {
> String zookeeperQuorum = this.getZookeeperQuorum();
> Integer port = this.getPort();
> String rootNode = this.getRootNode();
> String keytab = this.getKeytab();
> String principal = this.getPrincipal();
> // Normalize connInfo so that a url explicitly specifying versus implicitly
> inheriting
> // the default values will both share the same ConnectionQueryServices.
> if (zookeeperQuorum == null) {
> zookeeperQuorum = props.get(QueryServices.ZOOKEEPER_QUORUM_ATTRIB);
> if (zookeeperQuorum == null) {
> throw new SQLExceptionInfo.Builder(SQLExceptionCode.MALFORMED_CONNECTION_URL)
> .setMessage(this.toString()).build().buildException();
> }
> }
> if (port == null) {
> if (!isConnectionless) {
> String portStr = props.get(QueryServices.ZOOKEEPER_PORT_ATTRIB);
> if (portStr != null) {
> try {
> port = Integer.parseInt(portStr);
> } catch (NumberFormatException e) {
> throw new SQLExceptionInfo.Builder(SQLExceptionCode.MALFORMED_CONNECTION_URL)
> .setMessage(this.toString()).build().buildException();
> }
> }
> }
> } else if (isConnectionless) {
> throw new SQLExceptionInfo.Builder(SQLExceptionCode.MALFORMED_CONNECTION_URL)
> .setMessage("Port may not be specified when using the connectionless url \""
> + this.toString() + "\"").build().buildException();
> }
> if (rootNode == null) {
> if (!isConnectionless) {
> rootNode = props.get(QueryServices.ZOOKEEPER_ROOT_NODE_ATTRIB);
> }
> } else if (isConnectionless) {
> throw new SQLExceptionInfo.Builder(SQLExceptionCode.MALFORMED_CONNECTION_URL)
> .setMessage("Root node may not be specified when using the connectionless url
> \"" + this.toString() + "\"").build().buildException();
> }
> if (principal == null) {
> if (!isConnectionless) {
> principal = props.get(QueryServices.HBASE_CLIENT_PRINCIPAL);
> }
> }
> if (keytab == null) {
> if (!isConnectionless) {
> keytab = props.get(QueryServices.HBASE_CLIENT_KEYTAB);
> }
> }
> if (!isConnectionless()) {
> boolean credsProvidedInUrl = null != principal && null != keytab;
> boolean credsProvidedInProps =
> info.containsKey(QueryServices.HBASE_CLIENT_PRINCIPAL) &&
> info.containsKey(QueryServices.HBASE_CLIENT_KEYTAB);
> if (credsProvidedInUrl || credsProvidedInProps) {
> // PHOENIX-3189 Because ConnectionInfo is immutable, we must make sure all
> parts of it are correct before
> // construction; this also requires the Kerberos user credentials object
> (since they are compared by reference
> // and not by value. If the user provided a principal and keytab via the JDBC
> url, we must make sure that the
> // Kerberos login happens *before* we construct the ConnectionInfo object.
> Otherwise, the use of ConnectionInfo
> // to determine when ConnectionQueryServices impl's should be reused will be
> broken.
> try {
> // Check if we need to authenticate with kerberos so that we cache the
> correct ConnectionInfo
> UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
> if (!currentUser.hasKerberosCredentials() ||
> !isSameName(currentUser.getUserName(), principal)) {
> synchronized (KERBEROS_LOGIN_LOCK) {
> // Double check the current user, might have changed since we checked last.
> Don't want
> // to re-login if it's the same user.
> currentUser = UserGroupInformation.getCurrentUser();
> if (!currentUser.hasKerberosCredentials() ||
> !isSameName(currentUser.getUserName(), principal)) {
> final Configuration config = getConfiguration(props, info, principal, keytab);
> logger.info("Trying to connect to a secure cluster as {} with keytab {}",
> config.get(QueryServices.HBASE_CLIENT_PRINCIPAL),
> config.get(QueryServices.HBASE_CLIENT_KEYTAB));
> UserGroupInformation.setConfiguration(config);
> User.login(config, QueryServices.HBASE_CLIENT_KEYTAB,
> QueryServices.HBASE_CLIENT_PRINCIPAL, null);
> logger.info("tmp==ugi user is{},auth is{}"
> ,UserGroupInformation.getCurrentUser().getUserName(),UserGroupInformation.getCurrentUser().getAuthenticationMethod());
> logger.info("tmp==ugi login user is{},auth is{}"
> ,UserGroupInformation.getLoginUser().getUserName(),UserGroupInformation.getLoginUser().getAuthenticationMethod());
> logger.info("Successful login to secure cluster");
> }
> }
> } else {
> // The user already has Kerberos creds, so there isn't anything to change in
> the ConnectionInfo.
> logger.debug("Already logged in as {}", currentUser);
> }
> } catch (IOException e) {
> throw new
> SQLExceptionInfo.Builder(SQLExceptionCode.CANNOT_ESTABLISH_CONNECTION)
> .setRootCause(e).build().buildException();
> }
> } else {
> logger.debug("Principal and keytab not provided, not attempting Kerberos
> login");
> }
> } // else, no connection, no need to login
> // Will use the current User from UGI
> return new ConnectionInfo(zookeeperQuorum, port, rootNode, principal, keytab);
> }
>
> {code}
> So I always get the following exceptions:
> {code:java}
> 19/03/14 22:11:11 DEBUG ClientCnxn: Reading reply
> sessionid:0x26975f6aaa9056d, packet::
> clientPath:/hbase-secure/meta-region-server
> serverPath:/hbase-secure/meta-region-server finished:false header:: 9,4
> replyHeader:: 9,34359750201,0 request:: '/hbase-secure/meta-region-server,F
> response::
> #ffffffff000146d61737465723a3136303030ffffffa1dffffffbafffffff043fffffff53d7c50425546a21a15746573742d646d70342e66656e676461692e6f726710ffffff947d18ffffffe5fffffff6ffffffc1ffffffb0ffffff972d100183,s{8589935420,34359739604,1543999435222,1552464056849,257,0,0,0,68,0,8589935420}
> 19/03/14 22:11:11 DEBUG AbstractHBaseSaslRpcClient: Creating SASL GSSAPI
> client. Server's Kerberos principal name is
> hbase/test-dmp4.fengdai....@testdip.org
> 19/03/14 22:11:11 DEBUG UserGroupInformation: PrivilegedAction as:dmp
> (auth:SIMPLE)
> from:org.apache.hadoop.hbase.security.NettyHBaseSaslRpcClientHandler.handlerAdded(NettyHBaseSaslRpcClientHandler.java:106)
> 19/03/14 22:11:11 DEBUG UserGroupInformation: PrivilegedActionException
> as:dmp (auth:SIMPLE) cause:javax.security.sasl.SaslException: GSS initiate
> failed [Caused by GSSException: No valid credentials provided (Mechanism
> level: Failed to find any Kerberos tgt)]
> 19/03/14 22:11:11 DEBUG RpcRetryingCallerImpl: Call exception, tries=7,
> retries=7, started=11862 ms ago, cancelled=false, msg=Call to
> test-dmp4.fengdai.org/10.200.162.25:16020 failed on local exception:
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Failed to find
> any Kerberos tgt)], details=row 'SYSTEM:CATALOG' on table 'hbase:meta' at
> region=hbase:meta,,1.1588230740,
> hostname=test-dmp4.fengdai.org,16020,1552463985509, seqNum=-1,
> exception=java.io.IOException: Call to
> test-dmp4.fengdai.org/10.200.162.25:16020 failed on local exception:
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Failed to find
> any Kerberos tgt)]
> at org.apache.hadoop.hbase.ipc.IPCUtil.wrapException(IPCUtil.java:180)
> at
> org.apache.hadoop.hbase.ipc.AbstractRpcClient.onCallFinished(AbstractRpcClient.java:390)
> at
> org.apache.hadoop.hbase.ipc.AbstractRpcClient.access$100(AbstractRpcClient.java:95)
> at
> org.apache.hadoop.hbase.ipc.AbstractRpcClient$3.run(AbstractRpcClient.java:410)
> at
> org.apache.hadoop.hbase.ipc.AbstractRpcClient$3.run(AbstractRpcClient.java:406)
> at org.apache.hadoop.hbase.ipc.Call.callComplete(Call.java:103)
> at org.apache.hadoop.hbase.ipc.Call.setException(Call.java:118)
> at
> org.apache.hadoop.hbase.ipc.BufferCallBeforeInitHandler.userEventTriggered(BufferCallBeforeInitHandler.java:92)
> at
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:329)
> at
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:315)
> at
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.fireUserEventTriggered(AbstractChannelHandlerContext.java:307)
> at
> org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandlerAdapter.userEventTriggered(ChannelInboundHandlerAdapter.java:108)
> at
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:329)
> at
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:315)
> at
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.fireUserEventTriggered(AbstractChannelHandlerContext.java:307)
> at
> org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandlerAdapter.userEventTriggered(ChannelInboundHandlerAdapter.java:108)
> at
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.userEventTriggered(ByteToMessageDecoder.java:353)
> at
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:329)
> at
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:315)
> at
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.fireUserEventTriggered(AbstractChannelHandlerContext.java:307)
> at
> org.apache.hbase.thirdparty.io.netty.channel.DefaultChannelPipeline$HeadContext.userEventTriggered(DefaultChannelPipeline.java:1377)
> at
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:329)
> at
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:315)
> at
> org.apache.hbase.thirdparty.io.netty.channel.DefaultChannelPipeline.fireUserEventTriggered(DefaultChannelPipeline.java:929)
> at
> org.apache.hadoop.hbase.ipc.NettyRpcConnection.failInit(NettyRpcConnection.java:179)
> at
> org.apache.hadoop.hbase.ipc.NettyRpcConnection.access$500(NettyRpcConnection.java:71)
> at
> org.apache.hadoop.hbase.ipc.NettyRpcConnection$2.operationComplete(NettyRpcConnection.java:247)
> at
> org.apache.hbase.thirdparty.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:507)
> at
> org.apache.hbase.thirdparty.io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:481)
> at
> org.apache.hbase.thirdparty.io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:420)
> at
> org.apache.hbase.thirdparty.io.netty.util.concurrent.DefaultPromise.addListener(DefaultPromise.java:163)
> at
> org.apache.hadoop.hbase.ipc.NettyRpcConnection.saslNegotiate(NettyRpcConnection.java:201)
> at
> org.apache.hadoop.hbase.ipc.NettyRpcConnection.access$800(NettyRpcConnection.java:71)
> at
> org.apache.hadoop.hbase.ipc.NettyRpcConnection$3.operationComplete(NettyRpcConnection.java:273)
> at
> org.apache.hadoop.hbase.ipc.NettyRpcConnection$3.operationComplete(NettyRpcConnection.java:261)
> at
> org.apache.hbase.thirdparty.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:507)
> at
> org.apache.hbase.thirdparty.io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:500)
> at
> org.apache.hbase.thirdparty.io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:479)
> at org.apache.hbase.thir
> {code}
> I uploaded a full debug log. Can anyone write a suggestion for me?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
