[ https://issues.apache.org/jira/browse/HDFS-6676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14068314#comment-14068314 ]
liyunzhang commented on HDFS-6676:
----------------------------------

You can enable Kerberos HTTP SPNEGO authentication of KMS in the following steps:

1. Configure the KDC server successfully.
2. Generate a Kerberos ticket in the client, e.g.:

   kinit HTTP/liyunzhangcentos.sh.intel....@sh.intel.com -kt /home/zly/http.keytab

3. Edit kms-site.xml, editing the following property items:

   <property>
     <name>hadoop.kms.authentication.type</name>
     <value>kerberos</value>
     <description> simple or kerberos </description>
   </property>
   <property>
     <name>hadoop.kms.authentication.kerberos.keytab</name>
     <value>/home/zly/hadoop-3.0.0-SNAPSHOT/etc/hadoop/kerberos/HTTP.keytab</value>
     <description> </description>
   </property>
   <property>
     <name>hadoop.kms.authentication.kerberos.principal</name>
     <value>HTTP/liyunzhangcentos.sh.intel....@sh.intel.com</value>
     <description> </description>
   </property>

4. Start the KMS server.
5. Use curl to test KMS functions like create key, e.g.:

   #curl -i --negotiate -u: -X POST -d @createkey.json http://liyunzhangcentos.sh.intel.com:16000/kms/v1/keys --header "Content-Type:application/json"

   HTTP/1.1 401 Unauthorized
   Server: Apache-Coyote/1.1
   WWW-Authenticate: Negotiate
   Set-Cookie: hadoop.auth=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly
   Content-Type: text/html;charset=utf-8
   Content-Length: 997
   Date: Mon, 21 Jul 2014 06:27:59 GMT

   HTTP/1.1 201 Created
   Server: Apache-Coyote/1.1
   Set-Cookie: hadoop.auth=u=HTTP&p=HTTP/liyunzhangcentos.sh.intel....@sh.intel.com&t=kerberos&e=1405960084208&s=UgeM6AwoHo46HDntyVXB/OLK6u8=; Expires=Mon, 21-Jul-2014 16:28:04 GMT; HttpOnly
   Location: http://liyunzhangcentos.sh.intel.com:16000/kms/v1/keys/v1/key/k1
   Content-Type: application/json
   Content-Length: 55
   Date: Mon, 21 Jul 2014 06:28:33 GMT

   Res
   {"versionName" : "k1@0", "material" : "12345w==" }


> KMS throws AuthenticationException when enabling kerberos authentication
> -------------------------------------------------------------------------
>
>                 Key: HDFS-6676
>                 URL: https://issues.apache.org/jira/browse/HDFS-6676
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.0
>            Reporter: liyunzhang
>            Priority: Minor
>
> When I made a request to http://server-1941.novalocal:16000/kms/v1/names in
> Firefox (before that, I set configs in Firefox according to
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html),
> the following info was found in logs/kms.log.
>
> 2014-07-14 19:18:30,461 WARN AuthenticationFilter - Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL)
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism levelis of type NULL)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:380)
>         at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:357)
>         at org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter.doFilter(KMSAuthenticationFilter.java:100)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL)
>         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>         at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:875)
>         at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:548)
>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:347)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:329)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:415)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:329)
>         ... 14 more
> Caused by: KrbException: EncryptedData is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL
>         at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:169)
>         at sun.security.krb5.KrbCred.<init>(KrbCred.java:131)
>         at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:282)
>         at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:130)
>         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
>         ... 25 more
>
> Kerberos is enabled successfully in my environment:
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/server-1941.novalocal@NOVALOCAL
>
> Valid starting     Expires            Service principal
> 07/14/14 19:18:10  07/15/14 19:18:09  krbtgt/NOVALOCAL@NOVALOCAL
>         renew until 07/14/14 19:18:10
> 07/14/14 19:18:30  07/15/14 19:18:09  HTTP/server-1941.novalocal@NOVALOCAL
>         renew until 07/14/14 19:18:10
>
> Following are the KDC configs:
>
> cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = NOVALOCAL
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  udp_preference_limit = 1000000
>  default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
>  default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
>  permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
>  allow_weak_crypto = true
>
> [realms]
>  NOVALOCAL = {
>   kdc = server-355:88
>   admin_server = server-355:749
>   default_domain=novalocal
>  }
>
> [domain_realm]
>  .novalocal = NOVALOCAL
>  novalocal = NOVALOCAL
>
> cat /var/kerberos/krb5kdc/kdc.conf
> [kdcdefaults]
>  kdc_ports = 88
>  kdc_tcp_ports = 88
>
> [realms]
>  NOVALOCAL = {
>   acl_file = /var/kerberos/krb5kdc/kadm5.acl
>   dict_file = /usr/share/dict/words
>   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>   master_key_type = des3-hmac-sha1
>   supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
>  }
>
> I have updated my JDK to build 1.7.0_60-b19

--
This message was sent by Atlassian JIRA
(v6.2#6252)
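The exception in the quoted report ("EncryptedData is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL") is what the JDK's GSS acceptor raises when Kerberos data arriving in the SPNEGO token is encrypted with an enctype for which it has no usable key: the krb5.conf above forces single-DES enctypes, which the JDK refuses by default, and the KMS keytab must also actually contain a key of the enctype the KDC used. The commenter's workaround (kinit against the KMS keytab, then curl --negotiate) confirms end to end that client tickets and server keys line up; the script below is the offline check a practitioner would run first. It is an added example, not code from the reporter, the commenter or the Hadoop project. It assumes MIT-style `klist -e` and `klist -kte` output (Heimdal formats differ); the principal, keytab path and every listing it parses are constructed to mirror the report.

```shell
#!/bin/sh
# Added example for the HDFS-6676 thread; not Hadoop code and not the
# reporter's. The JDK error "EncryptedData is encrypted using keytype X but
# decryption key is of type NULL" means the GSS acceptor had no usable key of
# the enctype the client-side Kerberos data was encrypted with. This script
# compares the enctype of the client's service ticket ('klist -e') with the
# key enctypes in the server keytab ('klist -kte') for the KMS HTTP principal.
# Every klist listing below is constructed to mirror the report; nothing here
# contacts a KDC.

SERVICE='HTTP/server-1941.novalocal@NOVALOCAL'   # constructed, as in the report

# Single-DES enctypes: refused by the JDK and MIT krb5 unless
# allow_weak_crypto = true, and not something to re-enable.
WEAK_ENCTYPES='des-cbc-crc des-cbc-md5 des-cbc-md4'

# Print the enctype the service ticket for principal $1 is encrypted with,
# i.e. the "tkt" half of "Etype (skey, tkt): <skey>, <tkt>" that 'klist -e'
# prints on the line after each ticket. $2 is a file holding that output.
ticket_enctype() {
    awk -v p="$1" '
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / && $NF == p { want = 1; next }
        want && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            sub(/ *$/, "")
            split($0, a, ", ")
            print a[2]
            exit
        }
        { want = 0 }' "$2"
}

# Print every key enctype stored for principal $1 in 'klist -kte' output
# (file $2). Entry lines look like: "   2 07/14/14 18:00:00 <principal> (<enctype>)".
keytab_enctypes() {
    awk -v p="$1" '$4 == p { gsub(/[()]/, "", $5); print $5 }' "$2"
}

# Verdict for principal $1 given a ccache listing $2 and a keytab listing $3:
#   NO_TICKET           no service ticket for $1 in the cache
#   MISMATCH <etype>    ticket enctype has no key in the keytab (the report)
#   MATCH_WEAK <etype>  a key is present but it is single DES
#   MATCH <etype>       a key is present and acceptable
check_spnego_keys() {
    svc=$1; cc=$2; kt=$3
    tkt=$(ticket_enctype "$svc" "$cc")
    if [ -z "$tkt" ]; then
        echo "NO_TICKET"
        return 1
    fi
    for k in $(keytab_enctypes "$svc" "$kt"); do
        if [ "$k" = "$tkt" ]; then
            case " $WEAK_ENCTYPES " in
                *" $tkt "*) echo "MATCH_WEAK $tkt"; return 2 ;;
            esac
            echo "MATCH $tkt"
            return 0
        fi
    done
    echo "MISMATCH $tkt"
    return 1
}

# --- constructed sample listings -------------------------------------------
WORK=$(mktemp -d)
CCACHE_DES="$WORK/ccache_des.txt"       # KDC forced to des-cbc-crc, as in the krb5.conf above
CCACHE_AES="$WORK/ccache_aes.txt"       # KDC issuing AES tickets
KEYTAB_STRONG="$WORK/keytab_strong.txt" # HTTP.keytab with AES and 3DES keys only
KEYTAB_WITH_DES="$WORK/keytab_des.txt"  # HTTP.keytab that also carries a DES key

cat > "$CCACHE_DES" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/server-1941.novalocal@NOVALOCAL

Valid starting     Expires            Service principal
07/14/14 19:18:10  07/15/14 19:18:09  krbtgt/NOVALOCAL@NOVALOCAL
    renew until 07/14/14 19:18:10, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
07/14/14 19:18:30  07/15/14 19:18:09  HTTP/server-1941.novalocal@NOVALOCAL
    renew until 07/14/14 19:18:10, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
EOF
sed 's/des-cbc-crc/aes256-cts-hmac-sha1-96/g' "$CCACHE_DES" > "$CCACHE_AES"

cat > "$KEYTAB_STRONG" <<'EOF'
Keytab name: FILE:/etc/hadoop/kerberos/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/14/14 18:00:00 HTTP/server-1941.novalocal@NOVALOCAL (aes256-cts-hmac-sha1-96)
   2 07/14/14 18:00:00 HTTP/server-1941.novalocal@NOVALOCAL (des3-cbc-sha1)
EOF
sed 's/des3-cbc-sha1/des-cbc-crc/' "$KEYTAB_STRONG" > "$KEYTAB_WITH_DES"

for pair in "$CCACHE_DES $KEYTAB_STRONG" "$CCACHE_DES $KEYTAB_WITH_DES" "$CCACHE_AES $KEYTAB_STRONG"; do
    set -- $pair
    printf '%s vs %s: ' "$(basename "$1")" "$(basename "$2")"
    check_spnego_keys "$SERVICE" "$1" "$2" || true
done
```

Against a real deployment, capture `klist -e` on the client and `klist -kte /path/to/HTTP.keytab` on the KMS host into two files and call `check_spnego_keys "$SERVICE" client.txt keytab.txt`. `MISMATCH des-cbc-crc` is the situation in the report: the fix is to stop issuing DES tickets (drop the des-cbc-* entries from `default_tgs_enctypes`, `permitted_enctypes` and the KDC's `supported_enctypes`) and regenerate the keytab so it holds keys of the enctypes the KDC now uses, rather than to switch on `allow_weak_crypto` in the JVM's krb5.conf. `MATCH_WEAK` means the service only works because both sides still accept single DES. Only a `MATCH` on an AES enctype, followed by the 401 then 201 exchange shown in the comment's curl test, indicates a correctly secured KMS endpoint.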