[ https://issues.apache.org/jira/browse/SENTRY-492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16784006#comment-16784006 ]
Gustavo Arocena commented on SENTRY-492:
----------------------------------------

The problem goes away when passing this property:

-Djavax.security.auth.useSubjectCredsOnly=false

The issue can probably be closed.

> Can not connect to sentry service using IBM JDK when Kerberos is enabled
> -------------------------------------------------------------------------
>
>                 Key: SENTRY-492
>                 URL: https://issues.apache.org/jira/browse/SENTRY-492
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.5.0
>            Reporter: Ruiming Zhou
>            Priority: Major
>
> While connecting to the Sentry service with Kerberos enabled using IBM JDK,
> it failed because of the exceptions from the saslclient creation.
>
> Caused by: javax.security.sasl.SaslException: Failure to initialize security context [Caused by org.ietf.jgss.GSSException, major code: 13, minor code: 0
>         major string: Invalid credentials
>         minor string: SubjectCredFinder: no JAAS Subject]
>         at com.ibm.security.sasl.gsskerb.GssKrb5Client.<init>(GssKrb5Client.java:131)
>         at com.ibm.security.sasl.gsskerb.FactoryImpl.createSaslClient(FactoryImpl.java:53)
>         at javax.security.sasl.Sasl.createSaslClient(Sasl.java:362)
>         at org.apache.thrift.transport.TSaslClientTransport.<init>(TSaslClientTransport.java:72)
>         at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient$UgiSaslClientTransport.<init>(SentryPolicyServiceClient.java:84)
>         at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient.<init>(SentryPolicyServiceClient.java:144)
>         at org.apache.sentry.provider.db.SimpleDBProviderBackend.<init>(SimpleDBProviderBackend.java:52)
>         at org.apache.sentry.provider.db.SimpleDBProviderBackend.<init>(SimpleDBProviderBackend.java:48)
>         ... 31 more
> Caused by: org.ietf.jgss.GSSException, major code: 13, minor code: 0
>         major string: Invalid credentials
>         minor string: SubjectCredFinder: no JAAS Subject
>         at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:83)
>         at com.ibm.security.jgss.mech.krb5.Krb5Credential$SubjectCredFinder.run(Krb5Credential.java:1126)
>         at java.security.AccessController.doPrivileged(AccessController.java:330)
>         at com.ibm.security.jgss.mech.krb5.Krb5Credential.getClientCredsFromSubject(Krb5Credential.java:816)
>         at com.ibm.security.jgss.mech.krb5.Krb5Credential.getCredentials(Krb5Credential.java:388)
>         at com.ibm.security.jgss.mech.krb5.Krb5Credential.init(Krb5Credential.java:196)
>
> This is because IBM JDK requires valid Kerberos credentials in place when
> creating Sasl client.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)