[jira] [Created] (SENTRY-2554) TGT renewal is retried if there are exceptions.

Thu, 19 Mar 2020 13:11:15 -0700 

Kalyan Kalvagadda created SENTRY-2554:
-----------------------------------------

             Summary: TGT renewal is retried if there are exceptions.
                 Key: SENTRY-2554
                 URL: https://issues.apache.org/jira/browse/SENTRY-2554
             Project: Sentry
          Issue Type: Bug
          Components: Sentry
            Reporter: Kalyan Kalvagadda
            Assignee: Kalyan Kalvagadda


It looks like there was an issue with the KDC server at some point in time. The 
below error shows the failure. Once sentry gets failure it is not trying to 
renew the certificate. 

 

A fix should be added to the sentry code to retry to renew the TGT even after 
login exception.
{code:java}
javax.security.auth.login.LoginException: Client not found in Kerberos database 
(6)
        at 
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
        at 
com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
        at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at 
javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at 
org.apache.sentry.service.thrift.SentryKerberosContext.loginWithNewContext(SentryKerberosContext.java:69)
        at 
org.apache.sentry.service.thrift.SentryKerberosContext.run(SentryKerberosContext.java:125)
        at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
        at 
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
        at 
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
        at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at 
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
        ... 20 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
        ... 23 more{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to