Connector user switches between threads!

mhd wrk Tue, 03 Jul 2018 16:34:04 -0700

Here's the test case conditions:

-Kerberized cluster
-Thread one authenticates as user1 (using keytab) and start performing a
long running task on a specific table.
-Thread two simply authenticates as user2 (using username  and password ).


My observation is that as soon as thread two logins, thread one runs into
the exception below.

java.lang.RuntimeException:
org.apache.accumulo.core.client.AccumuloSecurityException: Error
BAD_CREDENTIALS for user Principal in credentials object should match
kerberos principal. Expected 'user2@example' but was 'user1@example' on
table user1.test_table(ID:3) - Username or Password is Invalid
    at
org.apache.accumulo.core.client.impl.ScannerIterator.hasNext(ScannerIterator.java:161)
    at java.lang.Iterable.forEach(Iterable.java:74)
    at com.example.test.TestBug$1.run(TestBug.java:53)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.accumulo.core.client.AccumuloSecurityException: Error
BAD_CREDENTIALS for user Principal in credentials object should match
kerberos principal. Expected 'user2@example' but was 'user1@example' on
table user1.test_table(ID:3) - Username or Password is Invalid
    at
org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:465)
    at
org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:285)
    at
org.apache.accumulo.core.client.impl.ScannerIterator$Reader.run(ScannerIterator.java:80)
    at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at
org.apache.accumulo.fate.util.LoggingRunnable.run(LoggingRunnable.java:35)
    ... 1 more
Caused by: ThriftSecurityException(user:Principal in credentials object
should match kerberos principal. Expected 'user2@example' but was
'user1@example', code:BAD_CREDENTIALS)
    at
org.apache.accumulo.core.tabletserver.thrift.TabletClientService$startScan_result$startScan_resultStandardScheme.read(TabletClientService.java:6696)
    at
org.apache.accumulo.core.tabletserver.thrift.TabletClientService$startScan_result$startScan_resultStandardScheme.read(TabletClientService.java:6673)
    at
org.apache.accumulo.core.tabletserver.thrift.TabletClientService$startScan_result.read(TabletClientService.java:6596)
    at org.apache.thrift.TServiceClient.receiveBase(TServiceClient.java:78)
    at
org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.recv_startScan(TabletClientService.java:232)
    at
org.apache.accumulo.core.tabletserver.thrift.TabletClientService$Client.startScan(TabletClientService.java:208)
    at
org.apache.accumulo.core.client.impl.ThriftScanner.scan(ThriftScanner.java:410)
    ... 6 more



========================
Java class to reproduce the issue
========================

package com.example.test;

import org.apache.accumulo.core.client.ClientConfiguration;
import org.apache.accumulo.core.client.Connector;
import org.apache.accumulo.core.client.ZooKeeperInstance;
import org.apache.accumulo.core.client.security.tokens.KerberosToken;
import org.apache.accumulo.core.security.Authorizations;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import java.io.File;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

public class TestBug {

    public static void main(String[] args) throws Exception {

        final String hadoopHome = "/path/to/hadoophome";
        final String hadoopConfigFile = "/path/to/my-site.xml";

        final String accumuloTableName = "test_table";

        final String user1Name = "user1@example";
        final String user1Keytab = "/etc/security/keytabs/user1.keytab";

        final String user2Name = "user2@example";
        final String user2Password = "user2password";

        System.out.println("===================== Initializing Hadoop");
        System.setProperty("hadoop.home.dir", hadoopHome);
        Configuration hadoopConf = new Configuration();
        hadoopConf.addResource(new Path(hadoopConfigFile));
        UserGroupInformation.setConfiguration(hadoopConf);

        Thread scanner = new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    System.out.println("=====================
Authenticate as user1 using keytab");
                    Connector connector = new
ZooKeeperInstance(ClientConfiguration.loadDefault())
                            .getConnector(user1Name, new
KerberosToken(user1Name, new File(user1Keytab), true));

                    for ( int i = 0; true; ++i) {
                        System.out.println("===================== scan
table - " + i);
                        connector.createScanner(accumuloTableName, new
Authorizations()).forEach(e -> System.out.println(e));
                        Thread.sleep(1000);
                    }
                }catch(Exception x) {
                    x.printStackTrace();
                }

            }
        });

        Thread authenticator = new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    System.out.println("=====================
authenticate as user2 using password");

                    LoginContext loginCtx = new
LoginContext("MyClientJaas", new CallbackHandler() {
                        public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {
                            for (Callback c : callbacks) {
                                if (c instanceof NameCallback)
                                    ((NameCallback) c).setName(user2Name);
                                if (c instanceof PasswordCallback)
                                    ((PasswordCallback)
c).setPassword(user2Password.toCharArray());
                            }
                        }
                    });
                    loginCtx.login();


UserGroupInformation.loginUserFromSubject(loginCtx.getSubject());
                    UserGroupInformation ugi =
UserGroupInformation.getUGIFromSubject(loginCtx.getSubject());
                    Connector newConnector =
ugi.doAs((PrivilegedExceptionAction<Connector>) () -> {
                        KerberosToken token = new KerberosToken();
                        return new
ZooKeeperInstance(ClientConfiguration.loadDefault()).getConnector(token.getPrincipal(),
token);
                    });

                } catch (Exception x) {
                    x.printStackTrace();
                }
            }
        });

        scanner.start();
        scanner.join(1000);

        authenticator.start();

        scanner.join();
        authenticator.join();
    }
}


========================
my jaas config file content:
========================

MyClientJaas {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/user1.keytab"
  storeKey=true
  useTicketCache=false
  doNotPrompt=true
  debug=true
  principal="user1@example";
};

Connector user switches between threads!

Reply via email to