hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9363) AuthenticatedURL will NPE if server closes connection
Date Wed, 27 Mar 2013 15:31:16 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13615388#comment-13615388
] 

Daryn Sharp commented on HADOOP-9363:
-------------------------------------

This also occurs for unexpected kerberos errors such as a kvno version mismatch between the
client's service ticket and the server's HTTP principal in its keytab.

{noformat}
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified
version of key is not available (44))
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
	at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
	at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:278)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:270)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:415)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:270)
	... 23 more
Caused by: KrbException: Specified version of key is not available (44)
	at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:588)
	at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:270)
	at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
{noformat}

I sniffed the packets and the SPNEGO exchange proceeds as expected: server sends 401 with
WWW-Authenticate header, client responds with Authorization header, server responds with 401
with status message set to the kerberos exception - client then NPEs on that response.  It's
unclear (I haven't investigated) if it's a JDK bug, or if AuthenticatedURL's twiddling of
the URLConnection is causing the issue.
                
> AuthenticatedURL will NPE if server closes connection
> -----------------------------------------------------
>
>                 Key: HADOOP-9363
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9363
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>
> A NPE occurs if the server unexpectedly closes the connection for an {{AuthenticatedURL}}
w/o sending a response.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message