[jira] [Comment Edited] (HADOOP-15758) Filesystem.get API not working as expected with user argument

Fri, 14 Sep 2018 12:51:06 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-15758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16615305#comment-16615305
 ] 

Hrishikesh Gadre edited comment on HADOOP-15758 at 9/14/18 7:50 PM:
--------------------------------------------------------------------

Here is a sample program to reproduce this issue: 
[https://gist.github.com/hgadre/38e1b625a6af70f1659fb19137a12ece]

The steps to reproduce are as follows
 * export KRB5CCNAME=/tmp/krb5cc_foo
 * export CLASSPATH=$CLASSPATH:$(hadoop classpath)
 * javac ReadWriteHDFSWithKinit.java
 * kinit -l 1m -kt hdfs.keytab [h...@abc.com|mailto:h...@abc.com] # kinit as a 
superuser (could be any user that has ability to proxy)
 * java ReadWriteHDFSWithKinit systest # note: access file as systest via the 
FileSystem.get(uri,conf,user) API

 

The last step fails with following exception,
{noformat}
WARN security.UserGroupInformation: PriviledgedActionException as:h...@abc.com 
(auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed 
[Caused by GSSException: No valid credentials provided (Mechanism level: Failed 
to find any Kerberos tgt)]
18/06/21 12:59:58 WARN ipc.Client: Exception encountered while connecting to 
the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by 
GSSException: No valid credentials provided (Mechanism level: Failed to find 
any Kerberos tgt)]
18/06/21 12:59:58 WARN security.UserGroupInformation: 
PriviledgedActionException as:h...@abc.com (auth:KERBEROS) 
cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate 
failed [Caused by GSSException: No valid credentials provided (Mechanism level: 
Failed to find any Kerberos tgt)]
18/06/21 12:59:58 WARN hdfs.LeaseRenewer: Failed to renew lease for 
[DFSClient_NONMAPREDUCE_1855947848_1] for 30 seconds.  Will retry shortly ...
java.io.IOException: Failed on local exception: java.io.IOException: 
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: 
No valid credentials provided (Mechanism level: Failed to find any Kerberos 
tgt)]; Host Details : local host is: "host-2.abc.com/10.15.13.17"; destination 
host is: "host-1.abc.com":8020;{noformat}
 


was (Author: hgadre):
Here is a sample program to reproduce this issue: 
[https://gist.github.com/hgadre/38e1b625a6af70f1659fb19137a12ece]

The steps to reproduce are as follows
 * export KRB5CCNAME=/tmp/krb5cc_foo
 * export CLASSPATH=$CLASSPATH:$(hadoop classpath)
 * javac ReadWriteHDFSWithKinit.java
 * kinit -l 1m -kt hdfs.keytab [h...@abc.com|mailto:h...@abc.com] # kinit as a 
superuser (could be any user that has ability to proxy)
 * java ReadWriteHDFSWithKinitCloudera systest # note: access file as systest 
via the FileSystem.get(uri,conf,user) API

 

The last step fails with following exception,
{noformat}
WARN security.UserGroupInformation: PriviledgedActionException as:h...@abc.com 
(auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed 
[Caused by GSSException: No valid credentials provided (Mechanism level: Failed 
to find any Kerberos tgt)]
18/06/21 12:59:58 WARN ipc.Client: Exception encountered while connecting to 
the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by 
GSSException: No valid credentials provided (Mechanism level: Failed to find 
any Kerberos tgt)]
18/06/21 12:59:58 WARN security.UserGroupInformation: 
PriviledgedActionException as:h...@abc.com (auth:KERBEROS) 
cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate 
failed [Caused by GSSException: No valid credentials provided (Mechanism level: 
Failed to find any Kerberos tgt)]
18/06/21 12:59:58 WARN hdfs.LeaseRenewer: Failed to renew lease for 
[DFSClient_NONMAPREDUCE_1855947848_1] for 30 seconds.  Will retry shortly ...
java.io.IOException: Failed on local exception: java.io.IOException: 
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: 
No valid credentials provided (Mechanism level: Failed to find any Kerberos 
tgt)]; Host Details : local host is: "host-2.abc.com/10.15.13.17"; destination 
host is: "host-1.abc.com":8020;{noformat}
 

> Filesystem.get API not working as expected with user argument
> -------------------------------------------------------------
>
>                 Key: HADOOP-15758
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15758
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Hrishikesh Gadre
>            Priority: Major
>
> A user reported that the Filesystem.get API is not working as expected when 
> they use the 'FileSystem.get(URI, Configuration, user)' method signature - 
> but 'FileSystem.get(URI, Configuration)' works fine. The user is trying to 
> use this method signature to mimic proxy user functionality e.g. provide 
> ticket cache based kerberos credentials (using KRB5CCNAME env variable) for 
> the proxy user and then in the java program pass name of the user to be 
> impersonated. The alternative, to use [proxy users 
> functionality|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html]
>  in Hadoop works as expected.
>  
> Since FileSystem.get(URI, Configuration, user) is a public API and it does 
> not restrict its usage in this fashion, we should ideally make it work or add 
> docs to discourage its usage to implement proxy users.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to