Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HDDS-10803. HttpServer fails to start with wildcard principal #6631

Merged
merged 2 commits into from
May 4, 2024
Merged

HDDS-10803. HttpServer fails to start with wildcard principal #6631

merged 2 commits into from
May 4, 2024

Conversation

adoroszlai
Copy link
Contributor

@adoroszlai adoroszlai commented May 3, 2024
edited
Loading

What changes were proposed in this pull request?

Fix:

Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/kerby/kerberos/kerb/keytab/Keytab
  at org.apache.hadoop.security.authentication.util.KerberosUtil.getPrincipalNames(KerberosUtil.java:238)
  at org.apache.hadoop.security.authentication.util.KerberosUtil.getPrincipalNames(KerberosUtil.java:257)
  at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.init(KerberosAuthenticationHandler.java:163)
  at org.apache.hadoop.security.authentication.server.AuthenticationFilter.initializeAuthHandler(AuthenticationFilter.java:194)
  at org.apache.hadoop.security.authentication.server.AuthenticationFilter.init(AuthenticationFilter.java:180)
  ...
  at org.apache.hadoop.hdds.server.http.HttpServer2.start(HttpServer2.java:1184)
  at org.apache.hadoop.hdds.server.http.BaseHttpServer.start(BaseHttpServer.java:322)

Hadoop's KerberosUtil requires kerb-util to be on the classpath to use Keytab. However, this code path is hit only in specific cases. One of these is when HTTP principal is set to wildcard (*).

Similarly, kerb-core may be required for using PrincipalName.

https://issues.apache.org/jira/browse/HDDS-10803

How was this patch tested?

The patch changes Recon's HTTP principal in ozonesecure acceptance test environment to * to have coverage for this case.

Also verified kerb-util is on the classpath (logged in STARTUP_MSG).

CI:
https://github.com/adoroszlai/ozone/actions/runs/8943525426/job/24569000209
https://github.com/adoroszlai/ozone/actions/runs/8943794693 (with dependency check fixed)

@adoroszlai adoroszlai self-assigned this May 3, 2024
@adoroszlai adoroszlai requested a review from smengcl May 3, 2024 20:49
@adoroszlai
Copy link
Contributor Author

@tanvipenumudy please review

smengcl
smengcl approved these changes May 4, 2024
View reviewed changes
Copy link
Contributor

@smengcl smengcl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @adoroszlai . Can confirm kerb-util is in classpath files now:

$ sed 's/:/\n/g' ./share/ozone/classpath/ozone-datanode.classpath | grep kerb
$HDDS_LIB_JARS_DIR/kerb-core-1.0.1.jar
$HDDS_LIB_JARS_DIR/kerby-pkix-1.0.1.jar
$HDDS_LIB_JARS_DIR/kerby-asn1-1.0.1.jar
$HDDS_LIB_JARS_DIR/kerby-util-1.0.1.jar
$HDDS_LIB_JARS_DIR/kerb-util-1.0.1.jar
$HDDS_LIB_JARS_DIR/kerby-config-1.0.1.jar
$HDDS_LIB_JARS_DIR/kerb-crypto-1.0.1.jar
$ sed 's/:/\n/g' ./share/ozone/classpath/ozone-manager.classpath | grep kerb 
$HDDS_LIB_JARS_DIR/kerb-core-1.0.1.jar
$HDDS_LIB_JARS_DIR/kerby-pkix-1.0.1.jar
$HDDS_LIB_JARS_DIR/kerby-asn1-1.0.1.jar
$HDDS_LIB_JARS_DIR/kerby-util-1.0.1.jar
$HDDS_LIB_JARS_DIR/kerb-util-1.0.1.jar
$HDDS_LIB_JARS_DIR/kerby-config-1.0.1.jar
$HDDS_LIB_JARS_DIR/kerb-crypto-1.0.1.jar

etc.

@adoroszlai adoroszlai merged commit a15cc3e into apache:master May 4, 2024
39 checks passed
@adoroszlai
Copy link
Contributor Author

Thanks @smengcl for the review.

@adoroszlai adoroszlai deleted the HDDS-10803 branch May 4, 2024 11:33
jojochuang pushed a commit to jojochuang/ozone that referenced this pull request May 29, 2024
@adoroszlai
HDDS-10803. HttpServer fails to start with wildcard principal (apache…
4bac97c 
…#6631)

(cherry picked from commit a15cc3e)
swamirishi pushed a commit to swamirishi/ozone that referenced this pull request Jun 10, 2024
@adoroszlai
CDPD-69563: HDDS-10803. HttpServer fails to start with wildcard princ…
327aea7 
…ipal (apache#6631)

(cherry picked from commit a15cc3e)

Also bumps Kerby to 2.0.3

Change-Id: I06f43ad67fd080b1b318806ce80e4aa523cd9cef
xichen01 pushed a commit to xichen01/ozone that referenced this pull request Jul 17, 2024
@adoroszlai @xichen01
HDDS-10803. HttpServer fails to start with wildcard principal (apache…
c1db374 
…#6631)

(cherry picked from commit a15cc3e)
xichen01 pushed a commit to xichen01/ozone that referenced this pull request Jul 17, 2024
@adoroszlai @xichen01
HDDS-10803. HttpServer fails to start with wildcard principal (apache…
a3368f0 
…#6631)

(cherry picked from commit a15cc3e)
xichen01 pushed a commit to xichen01/ozone that referenced this pull request Jul 17, 2024
@adoroszlai @xichen01
HDDS-10803. HttpServer fails to start with wildcard principal (apache…
c726246 
…#6631)

(cherry picked from commit a15cc3e)
xichen01 pushed a commit to xichen01/ozone that referenced this pull request Jul 18, 2024
@adoroszlai @xichen01
HDDS-10803. HttpServer fails to start with wildcard principal (apache…
9b36195 
…#6631)

(cherry picked from commit a15cc3e)
xichen01 pushed a commit to xichen01/ozone that referenced this pull request Jul 18, 2024
@adoroszlai @xichen01
HDDS-10803. HttpServer fails to start with wildcard principal (apache…
0690cff 
…#6631)

(cherry picked from commit a15cc3e)
@xichen01 xichen01 mentioned this pull request Jul 18, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smengcl smengcl smengcl approved these changes

Assignees

@adoroszlai adoroszlai

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@adoroszlai @smengcl