Uploaded image for project: 'CDAP'
  1. CDAP
  2. CDAP-7049

Error message in UI for impersonated NS when impersonated user is deleted/disabled is cryptic

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.3.0, 3.5.0
    • Fix Version/s: 4.3.1
    • Component/s: Security, UI
    • Labels:
    • Release Notes:
      Improved the error message in the case that a kerberos principal is deleted or keytab is invalid, during impersonation.
    • Rank:
      1|hzy45j:

      Description

      When you create an impersonated NS and then delete the principal or disable the account the programs will fail to run which is expected but the message displayed in UI is very hard to understand and relate to the cause:

      Error Identifier doesn't match expected value (906)

      Here is the stack trace when the program fails:

      2016-08-12 03:10:00,219 - INFO  [netty-executor-18306:c.c.c.s.TokenSecureStoreUpdater@235] - Updated credentials [Kind: HDFS_DELEGATION_TOKEN, Service: 10.128.0.60:8020, Ident: (HDFS_DELEGATION_TOKEN token 74870 for rsinha), Kind: RM_DELEGATION_TOKEN, Service: 10.128.0.60:8032, Ident: (owner=rsinha/something.net@something.NET, renewer=rsinha, realUser=, issueDate=1470971400072, maxDate=1471576200072, sequenceNumber=64798, masterKeyId=8), Kind: MR_DELEGATION_TOKEN, Service: 0.0.0.0:10020, Ident: (owner=rsinha..skipping...
              at sun.reflect.GeneratedMethodAccessor16.invoke(Unknown Source) ~[na:na]
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_75]
              at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_75]
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) ~[na:1.7.0_75]
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) ~[na:1.7.0_75]
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) ~[na:1.7.0_75]
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) ~[na:1.7.0_75]
              at java.security.AccessController.doPrivileged(Native Method) ~[na:1.7.0_75]
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) ~[na:1.7.0_75]
              at javax.security.auth.login.LoginContext.login(LoginContext.java:595) ~[na:1.7.0_75]
              at javax.security.auth.login.LoginContext.login(LoginContext.java:595) ~[na:1.7.0_75]
              at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1135) ~[hadoop-common-2.7.1.2.3.4.7-4.jar:na]
              ... 21 common frames omitted
      Caused by: sun.security.krb5.KrbException: Client not found in Kerberos database (6) - CLIENT_NOT_FOUND
              at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82) ~[na:1.7.0_75]
              at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319) ~[na:1.7.0_75]
              at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364) ~[na:1.7.0_75]
              at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735) ~[na:1.7.0_75]
              ... 33 common frames omitted
      Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
              at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143) ~[na:1.7.0_75]
              at sun.security.krb5.internal.ASRep.init(ASRep.java:65) ~[na:1.7.0_75]
              at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60) ~[na:1.7.0_75]
              at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60) ~[na:1.7.0_75]
              ... 36 common frames omitted
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                ali.anwar Ali Anwar
                Reporter:
                rsinha Rohit Sinha
              • Votes:
                1 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: