sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ruiming Zhou (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SENTRY-492) Can not connect to sentry service using IBM JDK when keberos is enabled
Date Mon, 06 Oct 2014 22:35:35 GMT

     [ https://issues.apache.org/jira/browse/SENTRY-492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Ruiming Zhou updated SENTRY-492:
--------------------------------
    Description: 
while connecting to the sentry service with keberos is enabled using IBM JDK, it failed because
of the exceptions from the salsclient creation.  


Caused by: javax.security.sasl.SaslException: Failure to initialize security context [Caused
by org.ietf.jgss.GSSException, major code: 13, minor code: 0
        major string: Invalid credentials
        minor string: SubjectCredFinder: no JAAS Subject]
        at com.ibm.security.sasl.gsskerb.GssKrb5Client.<init>(GssKrb5Client.java:131)
        at com.ibm.security.sasl.gsskerb.FactoryImpl.createSaslClient(FactoryImpl.java:53)
        at javax.security.sasl.Sasl.createSaslClient(Sasl.java:362)
        at org.apache.thrift.transport.TSaslClientTransport.<init>(TSaslClientTransport.java:72)
        at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient$UgiSaslClientTransport.<init>(SentryPolicyServiceClient.java:84)
        at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient.<init>(SentryPolicyServiceClient.java:144)
        at org.apache.sentry.provider.db.SimpleDBProviderBackend.<init>(SimpleDBProviderBackend.java:52)
        at org.apache.sentry.provider.db.SimpleDBProviderBackend.<init>(SimpleDBProviderBackend.java:48)
        ... 31 more
Caused by: org.ietf.jgss.GSSException, major code: 13, minor code: 0
        major string: Invalid credentials
        minor string: SubjectCredFinder: no JAAS Subject
        at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:83)
        at com.ibm.security.jgss.mech.krb5.Krb5Credential$SubjectCredFinder.run(Krb5Credential.java:1126)
        at java.security.AccessController.doPrivileged(AccessController.java:330)
        at com.ibm.security.jgss.mech.krb5.Krb5Credential.getClientCredsFromSubject(Krb5Credential.java:816)
        at com.ibm.security.jgss.mech.krb5.Krb5Credential.getCredentials(Krb5Credential.java:388)
        at com.ibm.security.jgss.mech.krb5.Krb5Credential.init(Krb5Credential.java:196)
 
This is because IBM JDK requires valid kerberos credentials in place when creating Sasl client.


  was:
There are multiple testcase failures that are related to the UDF.

1.TestPrivilegesAtFunctionScope.testUdfWhiteList:162 Expected SQLException for 'SELECT  reflect('java.net.URLDecoder',
'decode', 'http://www.apache.org', 'utf-8'), value FROM tab1'

2. TestDbPrivilegesAtFunctionScope>TestPrivilegesAtFunctionScope.testUdfWhiteList:162 Expected
SQLException for 'SELECT  reflect('java.net.URLDecoder', 'decode', 'http://www.apache.org',
'utf-8'), value FROM tab1'

3. TestDbPrivilegesAtDatabaseScope>TestPrivilegesAtDatabaseScope.testAllPrivilegeOnObjectOwnedByAdmin:276
Expected SQL exception

         Labels: newbie  (was: )
        Summary: Can not  connect to sentry service using IBM JDK  when keberos is enabled
 (was: CLONE - Sentry + Hive 0.13 integration test failure TestPrivilegesAtFunctionScope)

> Can not  connect to sentry service using IBM JDK  when keberos is enabled
> -------------------------------------------------------------------------
>
>                 Key: SENTRY-492
>                 URL: https://issues.apache.org/jira/browse/SENTRY-492
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.5.0
>            Reporter: Ruiming Zhou
>            Assignee: Ruiming Zhou
>              Labels: newbie
>             Fix For: 1.5.0
>
>
> while connecting to the sentry service with keberos is enabled using IBM JDK, it failed
because of the exceptions from the salsclient creation.  
> Caused by: javax.security.sasl.SaslException: Failure to initialize security context
[Caused by org.ietf.jgss.GSSException, major code: 13, minor code: 0
>         major string: Invalid credentials
>         minor string: SubjectCredFinder: no JAAS Subject]
>         at com.ibm.security.sasl.gsskerb.GssKrb5Client.<init>(GssKrb5Client.java:131)
>         at com.ibm.security.sasl.gsskerb.FactoryImpl.createSaslClient(FactoryImpl.java:53)
>         at javax.security.sasl.Sasl.createSaslClient(Sasl.java:362)
>         at org.apache.thrift.transport.TSaslClientTransport.<init>(TSaslClientTransport.java:72)
>         at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient$UgiSaslClientTransport.<init>(SentryPolicyServiceClient.java:84)
>         at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient.<init>(SentryPolicyServiceClient.java:144)
>         at org.apache.sentry.provider.db.SimpleDBProviderBackend.<init>(SimpleDBProviderBackend.java:52)
>         at org.apache.sentry.provider.db.SimpleDBProviderBackend.<init>(SimpleDBProviderBackend.java:48)
>         ... 31 more
> Caused by: org.ietf.jgss.GSSException, major code: 13, minor code: 0
>         major string: Invalid credentials
>         minor string: SubjectCredFinder: no JAAS Subject
>         at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:83)
>         at com.ibm.security.jgss.mech.krb5.Krb5Credential$SubjectCredFinder.run(Krb5Credential.java:1126)
>         at java.security.AccessController.doPrivileged(AccessController.java:330)
>         at com.ibm.security.jgss.mech.krb5.Krb5Credential.getClientCredsFromSubject(Krb5Credential.java:816)
>         at com.ibm.security.jgss.mech.krb5.Krb5Credential.getCredentials(Krb5Credential.java:388)
>         at com.ibm.security.jgss.mech.krb5.Krb5Credential.init(Krb5Credential.java:196)
>  
> This is because IBM JDK requires valid kerberos credentials in place when creating Sasl
client. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message