From commits-return-3726-apmail-sentry-commits-archive=sentry.apache.org@sentry.incubator.apache.org Mon Oct 6 22:36:00 2014 Return-Path: X-Original-To: apmail-sentry-commits-archive@minotaur.apache.org Delivered-To: apmail-sentry-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 6670A178F4 for ; Mon, 6 Oct 2014 22:36:00 +0000 (UTC) Received: (qmail 50046 invoked by uid 500); 6 Oct 2014 22:36:00 -0000 Delivered-To: apmail-sentry-commits-archive@sentry.apache.org Received: (qmail 49998 invoked by uid 500); 6 Oct 2014 22:36:00 -0000 Mailing-List: contact commits-help@sentry.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@sentry.incubator.apache.org Delivered-To: mailing list commits@sentry.incubator.apache.org Received: (qmail 49988 invoked by uid 99); 6 Oct 2014 22:36:00 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 06 Oct 2014 22:36:00 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED,T_RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO mail.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with SMTP; Mon, 06 Oct 2014 22:35:37 +0000 Received: (qmail 49380 invoked by uid 99); 6 Oct 2014 22:35:35 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 06 Oct 2014 22:35:35 +0000 Date: Mon, 6 Oct 2014 22:35:35 +0000 (UTC) From: "Ruiming Zhou (JIRA)" To: commits@sentry.incubator.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (SENTRY-492) Can not connect to sentry service using IBM JDK when keberos is enabled MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/SENTRY-492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ruiming Zhou updated SENTRY-492: -------------------------------- Description: while connecting to the sentry service with keberos is enabled using IBM JDK, it failed because of the exceptions from the salsclient creation. Caused by: javax.security.sasl.SaslException: Failure to initialize security context [Caused by org.ietf.jgss.GSSException, major code: 13, minor code: 0 major string: Invalid credentials minor string: SubjectCredFinder: no JAAS Subject] at com.ibm.security.sasl.gsskerb.GssKrb5Client.(GssKrb5Client.java:131) at com.ibm.security.sasl.gsskerb.FactoryImpl.createSaslClient(FactoryImpl.java:53) at javax.security.sasl.Sasl.createSaslClient(Sasl.java:362) at org.apache.thrift.transport.TSaslClientTransport.(TSaslClientTransport.java:72) at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient$UgiSaslClientTransport.(SentryPolicyServiceClient.java:84) at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient.(SentryPolicyServiceClient.java:144) at org.apache.sentry.provider.db.SimpleDBProviderBackend.(SimpleDBProviderBackend.java:52) at org.apache.sentry.provider.db.SimpleDBProviderBackend.(SimpleDBProviderBackend.java:48) ... 31 more Caused by: org.ietf.jgss.GSSException, major code: 13, minor code: 0 major string: Invalid credentials minor string: SubjectCredFinder: no JAAS Subject at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:83) at com.ibm.security.jgss.mech.krb5.Krb5Credential$SubjectCredFinder.run(Krb5Credential.java:1126) at java.security.AccessController.doPrivileged(AccessController.java:330) at com.ibm.security.jgss.mech.krb5.Krb5Credential.getClientCredsFromSubject(Krb5Credential.java:816) at com.ibm.security.jgss.mech.krb5.Krb5Credential.getCredentials(Krb5Credential.java:388) at com.ibm.security.jgss.mech.krb5.Krb5Credential.init(Krb5Credential.java:196) This is because IBM JDK requires valid kerberos credentials in place when creating Sasl client. was: There are multiple testcase failures that are related to the UDF. 1.TestPrivilegesAtFunctionScope.testUdfWhiteList:162 Expected SQLException for 'SELECT reflect('java.net.URLDecoder', 'decode', 'http://www.apache.org', 'utf-8'), value FROM tab1' 2. TestDbPrivilegesAtFunctionScope>TestPrivilegesAtFunctionScope.testUdfWhiteList:162 Expected SQLException for 'SELECT reflect('java.net.URLDecoder', 'decode', 'http://www.apache.org', 'utf-8'), value FROM tab1' 3. TestDbPrivilegesAtDatabaseScope>TestPrivilegesAtDatabaseScope.testAllPrivilegeOnObjectOwnedByAdmin:276 Expected SQL exception Labels: newbie (was: ) Summary: Can not connect to sentry service using IBM JDK when keberos is enabled (was: CLONE - Sentry + Hive 0.13 integration test failure TestPrivilegesAtFunctionScope) > Can not connect to sentry service using IBM JDK when keberos is enabled > ------------------------------------------------------------------------- > > Key: SENTRY-492 > URL: https://issues.apache.org/jira/browse/SENTRY-492 > Project: Sentry > Issue Type: Bug > Affects Versions: 1.5.0 > Reporter: Ruiming Zhou > Assignee: Ruiming Zhou > Labels: newbie > Fix For: 1.5.0 > > > while connecting to the sentry service with keberos is enabled using IBM JDK, it failed because of the exceptions from the salsclient creation. > Caused by: javax.security.sasl.SaslException: Failure to initialize security context [Caused by org.ietf.jgss.GSSException, major code: 13, minor code: 0 > major string: Invalid credentials > minor string: SubjectCredFinder: no JAAS Subject] > at com.ibm.security.sasl.gsskerb.GssKrb5Client.(GssKrb5Client.java:131) > at com.ibm.security.sasl.gsskerb.FactoryImpl.createSaslClient(FactoryImpl.java:53) > at javax.security.sasl.Sasl.createSaslClient(Sasl.java:362) > at org.apache.thrift.transport.TSaslClientTransport.(TSaslClientTransport.java:72) > at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient$UgiSaslClientTransport.(SentryPolicyServiceClient.java:84) > at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient.(SentryPolicyServiceClient.java:144) > at org.apache.sentry.provider.db.SimpleDBProviderBackend.(SimpleDBProviderBackend.java:52) > at org.apache.sentry.provider.db.SimpleDBProviderBackend.(SimpleDBProviderBackend.java:48) > ... 31 more > Caused by: org.ietf.jgss.GSSException, major code: 13, minor code: 0 > major string: Invalid credentials > minor string: SubjectCredFinder: no JAAS Subject > at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:83) > at com.ibm.security.jgss.mech.krb5.Krb5Credential$SubjectCredFinder.run(Krb5Credential.java:1126) > at java.security.AccessController.doPrivileged(AccessController.java:330) > at com.ibm.security.jgss.mech.krb5.Krb5Credential.getClientCredsFromSubject(Krb5Credential.java:816) > at com.ibm.security.jgss.mech.krb5.Krb5Credential.getCredentials(Krb5Credential.java:388) > at com.ibm.security.jgss.mech.krb5.Krb5Credential.init(Krb5Credential.java:196) > > This is because IBM JDK requires valid kerberos credentials in place when creating Sasl client. -- This message was sent by Atlassian JIRA (v6.3.4#6332)