Andrejs Dubovskis created SOLR-7297:
---------------------------------------

             Summary: GSSException in SolrCloud / Kerberos
                 Key: SOLR-7297
                 URL: https://issues.apache.org/jira/browse/SOLR-7297
             Project: Solr
          Issue Type: Bug
          Components: SolrCloud
         Environment: CDH 5.3.2 + Kerberos
            Reporter: Andrejs Dubovskis


There is a problem with Kerberos authentication in SolrCloud in CDH 5.3.2.

The problem appeared after the upgrade from CDH 5.3.1.

The error is easy to reproduce with curl (DO NOT ADD DOMAIN to the Solr host name):
{code}
kinit username
curl --negotiate -u : http://solrhostnameonly:8983/solr/collection/select?q=x
{code}

We have 2 Solr instances and the same error happens even when one instance 
communicates with another.

Possibly the error is in the way Solr saves the names of live nodes in 
ZooKeeper (it saves only host names with no domain). 
After the upgrade, short names (with no domain) are used for Kerberos 
authentication, and no corresponding entry can be found in the Kerberos DC.

The Solr server logs are full of the following errors:
{code}
2015-03-23 05:50:19,885 WARN org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:399)
        at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:348)
        at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:520)
        at org.apache.solr.servlet.SolrHadoopAuthenticationFilter.doFilter(SolrHadoopAuthenticationFilter.java:277)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.solr.servlet.HostnameFilter.doFilter(HostnameFilter.java:86)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:899)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:550)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:366)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:348)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:348)
        ... 18 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:288)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:159)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
        ... 29 more
{code}
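
Added example, not part of the original report or of Solr: a diagnostic that checks the report's hypothesis by mapping each live node name to the service principal a client would request and looking it up in `klist -ke` output for the server keytab. The `host:port_context` node format, the `HTTP` service name, the realm, the keytab path and all sample data are assumptions constructed for illustration, and the principal is built from the host name exactly as stored, with no DNS canonicalization.

```python
import re

# Constructed sample: node names as they might appear under ZooKeeper /live_nodes.
LIVE_NODES = ["solr1:8983_solr", "solr2.example.com:8983_solr"]

# Constructed sample of `klist -ke` output for the Solr service keytab.
KLIST_OUTPUT = """\
Keytab name: FILE:/path/to/solr.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 HTTP/solr1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 HTTP/solr1.example.com@EXAMPLE.COM (arcfour-hmac)
   3 HTTP/solr2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# One keytab row: KVNO, principal, encryption type in parentheses.
ENTRY = re.compile(r"^\s*\d+\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")


def keytab_entries(klist_text):
    """Map each principal to the set of encryption types it has keys for."""
    entries = {}
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries


def check_nodes(live_nodes, klist_text, realm, service="HTTP"):
    """Return one finding per node: the SPN requested and the keys available."""
    entries = keytab_entries(klist_text)
    findings = []
    for node in live_nodes:
        host = node.split(":", 1)[0].lower()      # strip ":port_context"
        spn = f"{service}/{host}@{realm}"
        findings.append({
            "node": node,
            "spn": spn,
            "fqdn": "." in host,                   # short names have no dot
            "enctypes": sorted(entries.get(spn, ())),
        })
    return findings


if __name__ == "__main__":
    for f in check_nodes(LIVE_NODES, KLIST_OUTPUT, "EXAMPLE.COM"):
        status = ", ".join(f["enctypes"]) or "NO KEYTAB ENTRY"
        print(f'{f["node"]:30} {f["spn"]:42} fqdn={f["fqdn"]} {status}')
```

A node reported with no keytab entry is one where the server cannot decrypt the ticket presented for that name, which is the condition the reporter suspects for short host names.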


