hadoop-common-issues mailing list archives

From "Kihwal Lee (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16283) Error in reading Kerberos principals from the Keytab file
Date Wed, 01 May 2019 13:36:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16831001#comment-16831001 ]

Kihwal Lee commented on HADOOP-16283:
-------------------------------------

Thanks for the analysis.  It looks like branch-3.x and trunk are at kerby 1.0.1 and we will
need to move to 1.1.2 when it is released.

> Error in reading Kerberos principals from the Keytab file
> ---------------------------------------------------------
>
>                 Key: HADOOP-16283
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16283
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Farhan Khan
>            Priority: Major
>
> The error refers to the launching of the Namenode daemon when Kerberos is used for authentication.
> While reading Spnego principals (HTTP/.*) from the keytab file to start the Jetty server,
> KerberosUtil throws an error:
> {code:java}
> javax.servlet.ServletException: java.io.IOException: Unexpected octets len: 16716
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.init(KerberosAuthenticationHandler.java:188)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.initializeAuthHandler(AuthenticationFilter.java:194)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.init(AuthenticationFilter.java:180)
>     at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:139)
>     at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:873)
>     at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:349)
>     at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1406)
>     at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1368)
>     at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:778)
>     at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:262)
>     at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:522)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
>     at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
>     at org.eclipse.jetty.server.Server.start(Server.java:427)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:105)
>     at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
>     at org.eclipse.jetty.server.Server.doStart(Server.java:394)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>     at org.apache.hadoop.http.HttpServer2.start(HttpServer2.java:1140)
>     at org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer.start(NameNodeHttpServer.java:177)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.startHttpServer(NameNode.java:872)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:694)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:940)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:913)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1646)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1713)
> Caused by: java.io.IOException: Unexpected octets len: 16716
>     at org.apache.kerby.kerberos.kerb.KrbInputStream.readCountedOctets(KrbInputStream.java:72)
>     at org.apache.kerby.kerberos.kerb.KrbInputStream.readKey(KrbInputStream.java:48)
>     at org.apache.kerby.kerberos.kerb.keytab.KeytabEntry.load(KeytabEntry.java:55)
>     at org.apache.kerby.kerberos.kerb.keytab.Keytab.readEntry(Keytab.java:203)
>     at org.apache.kerby.kerberos.kerb.keytab.Keytab.readEntries(Keytab.java:189)
>     at org.apache.kerby.kerberos.kerb.keytab.Keytab.doLoad(Keytab.java:161)
>     at org.apache.kerby.kerberos.kerb.keytab.Keytab.load(Keytab.java:155)
>     at org.apache.kerby.kerberos.kerb.keytab.Keytab.load(Keytab.java:143)
>     at org.apache.kerby.kerberos.kerb.keytab.Keytab.loadKeytab(Keytab.java:55)
>     at org.apache.hadoop.security.authentication.util.KerberosUtil.getPrincipalNames(KerberosUtil.java:225)
>     at org.apache.hadoop.security.authentication.util.KerberosUtil.getPrincipalNames(KerberosUtil.java:244)
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.init(KerberosAuthenticationHandler.java:152)
>     ... 29 more
> {code}
> The main problem is with reading a keytab file generated by heimdal-kdc version 7.5.0.
> The Keytab class of package org.apache.kerby.kerberos.kerb.keytab deals with reading entries
> from the keytab file.
> This is the format of a keytab file.
> {code:java}
> keytab {
>       uint16_t file_format_version;                    # 0x502
>       keytab_entry entries[*];
>   };
>   keytab_entry {
>       int32_t size;
>       uint16_t num_components;   # subtract 1 if version 0x501
>       counted_octet_string realm;
>       counted_octet_string components[num_components];
>       uint32_t name_type;       # not present if version 0x501
>       uint32_t timestamp;
>       uint8_t vno8;
>       keyblock key;
>       uint32_t vno; #only present if >= 4 bytes left in entry
>       uint32_t flags; #only present if >= 4 bytes left in entry
>   };
>   counted_octet_string {
>       uint16_t length;
>       uint8_t data[length];
>   };
>   keyblock {
>       uint16_t type;
>       counted_octet_string;
>   };
> {code}
> The first field of keytab_entry is the size of this entry in bytes. This field itself is
> four bytes long, but it contains the number of bytes of the rest of the fields. The Keytab
> class tries to calculate the number of bytes read in every entry. The mistake is that it
> includes the (number of bytes of the) first field in the calculation of the total number of
> bytes read for a single entry. This leads to misinterpretation of successive entries in the
> keytab file. Hence, the "Unexpected octets len" error is thrown.
> I have raised an issue with apache/directory-kerby: https://issues.apache.org/jira/browse/DIRKRB-734.
> There is a PR also addressing this issue: [https://github.com/apache/directory-kerby/pull/44]
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
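
Added example (not part of the original message, and not Kerby's or Hadoop's code): a simplified Python model of the 0x502 layout quoted above, showing how counting the 4-byte size field toward the bytes read makes a parser skip the trailing flags word and misread the next entry. The realm, host names, all-zero keys and the `count_size_field` switch are constructed for illustration, and the sample assumes every entry carries both the trailing 32-bit vno and flags.

```python
import struct
def counted(b):                                     # counted_octet_string
    return struct.pack(">H", len(b)) + b

def build_entry(realm, components, kvno, key, flags=0):
    body = struct.pack(">H", len(components)) + counted(realm)
    body += b"".join(counted(c) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
    body += struct.pack(">H", 18) + counted(key)    # keyblock: type, key octets
    body += struct.pack(">II", kvno, flags)         # trailing 32-bit vno and flags
    return struct.pack(">i", len(body)) + body      # size excludes its own 4 bytes

def parse_keytab(data, count_size_field=False):
    """Return principal names; count_size_field=True models the described mistake."""
    pos = 0
    def take(fmt):
        nonlocal pos
        if pos + struct.calcsize(fmt) > len(data):
            raise ValueError("truncated keytab")
        (value,) = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return value
    def octets():
        nonlocal pos
        n = take(">H")
        if pos + n > len(data):
            raise ValueError(f"Unexpected octets len: {n}")
        pos += n
        return data[pos - n:pos]
    if take(">H") != 0x502:
        raise ValueError("unsupported keytab version")
    names = []
    while pos < len(data):
        entry_start, size = pos, take(">i")
        ncomp = take(">H")
        realm = octets()
        comps = [octets() for _ in range(ncomp)]
        take(">I"); take(">I"); take(">B")          # name_type, timestamp, vno8
        take(">H"); octets()                        # keyblock
        read = pos - entry_start - (0 if count_size_field else 4)
        for _field in ("vno", "flags"):             # present only if >= 4 bytes left
            if size - read >= 4:
                take(">I"); read += 4
        names.append(b"/".join(comps).decode() + "@" + realm.decode())
    return names

# Constructed sample: three entries with dummy all-zero 32-byte keys.
SAMPLE = struct.pack(">H", 0x502) + b"".join(
    build_entry(b"EXAMPLE.COM", [b"HTTP", b"nn%d.example.com" % i], 1, bytes(32))
    for i in (1, 2, 3))
```

`parse_keytab(SAMPLE)` returns the three HTTP principals, while `parse_keytab(SAMPLE, count_size_field=True)` raises `Unexpected octets len: 19792`. That value is 0x4D50, the realm bytes "MP" read as a length; the 16716 in the trace above is 0x414C, which is ASCII "AL".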
