I am using a keytab and setting it up using the kinit command on my windows commandline. I get the message "New ticket is stored in cache file".After that when I run my java application to access the keytab file for the key I get below error.
Authentication attempt failed javax.security.auth.login.LoginException: No key to store
javax.security.auth.login.LoginException: No key to store
at com.sun.security.auth.module.Krb5LoginModule.commit(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
I am trying to connect to the active directory using ldap. Below are the configuration settings:
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.auth.login.config=C:\Users\cXXXXXX\Git\gssapi_jaas.conf
-Dsun.security.krb5.debug=true
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is
C:\Users\cXXXXXX\Git\abcd.keytab refreshKrb5Config is false principal is xxxx_dev#xxxx.xxxxxx.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is C:\Users\cXXXXXX\krb5cc_cXXXXXX
DEBUG client principal is xxxx_dev#xxxx.xxxxxx.COM
DEBUG server principal is krbtgt/xxxx.xxxxxx.COM#Txxxx.xxxxxx.COM
DEBUG key type: 23
DEBUG auth time: Mon Jul 01 14:20:21 EDT 2019
DEBUG start time: Mon Jul 01 14:20:21 EDT 2019
DEBUG end time: Tue Jul 02 00:20:21 EDT 2019
DEBUG renew_till time: null
CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /xx.xx.xxx.xx
Host address is /xxx:0:0:0:xxxx:xxxx:xxxx:xxxx
KrbCreds found the default ticket granting ticket in credential cache.
Java config name: null
Native config name: C:\windows\krb5.ini
Obtained TGT from LSA: Credentials:
client=sxxxx_dev#xxxx.xxxxxx.COM
server=krbtgt/Txxxx.xxxxxx.COM#Txxxx.xxxxxx.COM
authTime=20190701182021Z
startTime=20190701182021Z
endTime=20190702042021Z
renewTill=null
flags=INITIAL;PRE-AUTHENT
EType (skey)=23
(tkt key)=18
Principal is sxxxx_dev#xxxx.xxxxxx.COM
Before adding the kinit cache fil, I was able to atleast validate the account, then I was having issues with GSSapi security. Trying to resolve that I added the cache and this new problem started to happen
public static void main(String[] args) {
// 1. Log in (to Kerberos)
LoginContext lc = null;
try {
/*lc = new LoginContext(Azrm017.class.getName(),
new LuwCallBackHandler());
*/
lc = new LoginContext("Azrm017");
// Attempt authentication
// You might want to do this in a "for" loop to give
// user more than one chance to enter correct username/password
lc.login();
} catch (LoginException le) {
System.err.println("Authentication attempt failed " + le);
le.printStackTrace();
System.err.println("Authentication attempt failed " + le.getSuppressed());
System.exit(-1);
}
// 2. Perform JNDI work as logged in subject
NamingEnumeration<SearchResult> ne =
(NamingEnumeration<SearchResult>) Subject.doAs(lc.getSubject(),
new SearchAction());
while(ne.hasMoreElements()) {
System.out.println(">>>> : " + ne.nextElement().getName());
}
//Subject.doAs(lc.getSubject(), new JndiAction(args));
}
}
/**
* The application must supply a PrivilegedAction that is to be run
* inside a Subject.doAs() or Subject.doAsPrivileged().
*/
class SearchAction implements java.security.PrivilegedAction {
public Object run() {
// Set up the environment for creating the initial context
Hashtable<String, String> env = new Hashtable<> (11);
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
String cn = "dn:CN=xxxxxxx,OU=Service xxxxx,OU=Accounts,OU=xxxxx,DC=test,DC=xxxxxx,DC=com";
env.put(Context.PROVIDER_URL, "ldap://test.xxxxxxx.com:389");
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
env.put("javax.security.sasl.server.authentication", "true");
env.put("javax.security.sasl.qop", "auth-conf");
DirContext ctx = null;
try {
// Create initial context
ctx = new InitialDirContext(env);
SearchControls ctls = new SearchControls();
ctls.setReturningAttributes(
new String[] {"displayName", "mail","description", "suSunetID"});
NamingEnumeration<SearchResult> answer =
ctx.search("cn=People, dc=test, dc=xxxxxxxx, dc=com",
"(&(cn=p*)(sn=s*))", ctls);
return answer;
} catch (Exception e) {
e.printStackTrace();
}
// Close the context when we're done
finally {
closeContext(ctx);
}
return null;
}
Attached above
This is a wrong combination of Krb5LoginModule options. If you want an initiator to store a key then that key must be used to acquire the ticket (i.e. useTicketCache should not be true).
Why do you want to store the key? Will the initiator also act as an acceptor? If yes, you should either use the keytab to authenticate (i.e. useTicketCache=false) or go with the ENC-TKT-IN-SKEY way (i.e. storeKey=false).
Related
I'm working on a web service using Ktor 1.6.8 and Exposed 0.39.2.
My application module and database is setup as following:
fun Application.module(testing: Boolean = false) {
val hikariConfig =
HikariConfig().apply {
driverClassName = "org.postgresql.Driver"
jdbcUrl = environment.config.propertyOrNull("ktor.database.url")?.getString()
username = environment.config.propertyOrNull("ktor.database.username")?.getString()
password = environment.config.propertyOrNull("ktor.database.password")?.getString()
maximumPoolSize = 10
isAutoCommit = false
transactionIsolation = "TRANSACTION_REPEATABLE_READ"
validate()
}
val pool = HikariDataSource(hikariConfig)
val db = Database.connect(pool, {}, DatabaseConfig { useNestedTransactions = true })
}
I use ktor-server-test-host, Test Containers and junit 5 to test the service. My test looks similar like below:
#Testcontainers
class SampleApplicationTest{
companion object {
#Container
val postgreSQLContainer = PostgreSQLContainer<Nothing>(DockerImageName.parse("postgres:13.4-alpine")).apply {
withDatabaseName("database_test")
}
}
#Test
internal fun `should make request successfully`() {
withTestApplication({
(environment.config as MapApplicationConfig).apply {
put("ktor.database.url", postgreSQLContainer.jdbcUrl)
put("ktor.database.user", postgreSQLContainer.username)
put("ktor.database.password", postgreSQLContainer.password)
}
module(testing = true)
}) {
handleRequest(...)
}
}
}
I observed an issue that if I ran multiple test classes together, some requests ended up using old Exposed db instance that was setup in a previous test class, causing the test case failed because the underlying database was already stopped.
When I ran one test class at a time, all were running fine.
Please refer to the log below for the error stack trace:
2022-10-01 08:00:36.102 [DefaultDispatcher-worker-5 #request#103] WARN Exposed - Transaction attempt #1 failed: java.sql.SQLTransientConnectionException: HikariPool-4 - Connection is not available, request timed out after 30001ms.. Statement(s): INSERT INTO cards (...)
org.jetbrains.exposed.exceptions.ExposedSQLException: java.sql.SQLTransientConnectionException: HikariPool-4 - Connection is not available, request timed out after 30001ms.
at org.jetbrains.exposed.sql.statements.Statement.executeIn$exposed_core(Statement.kt:49)
at org.jetbrains.exposed.sql.Transaction.exec(Transaction.kt:143)
at org.jetbrains.exposed.sql.Transaction.exec(Transaction.kt:128)
at org.jetbrains.exposed.sql.statements.Statement.execute(Statement.kt:28)
at org.jetbrains.exposed.sql.QueriesKt.insert(Queries.kt:73)
at com.example.application.services.CardService$createCard$row$1.invokeSuspend(CardService.kt:53)
at org.jetbrains.exposed.sql.transactions.experimental.SuspendedKt$suspendedTransactionAsyncInternal$1.invokeSuspend(Suspended.kt:127)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
at kotlinx.coroutines.internal.LimitedDispatcher.run(LimitedDispatcher.kt:42)
at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:95)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:570)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:677)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:664)
Caused by: java.sql.SQLTransientConnectionException: HikariPool-4 - Connection is not available, request timed out after 30001ms.
at com.zaxxer.hikari.pool.HikariPool.createTimeoutException(HikariPool.java:695)
at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:197)
at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:162)
at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:100)
at org.jetbrains.exposed.sql.Database$Companion$connect$3.invoke(Database.kt:142)
at org.jetbrains.exposed.sql.Database$Companion$connect$3.invoke(Database.kt:139)
at org.jetbrains.exposed.sql.Database$Companion$doConnect$3.invoke(Database.kt:127)
at org.jetbrains.exposed.sql.Database$Companion$doConnect$3.invoke(Database.kt:128)
at org.jetbrains.exposed.sql.transactions.ThreadLocalTransactionManager$ThreadLocalTransaction$connectionLazy$1.invoke(ThreadLocalTransactionManager.kt:69)
at org.jetbrains.exposed.sql.transactions.ThreadLocalTransactionManager$ThreadLocalTransaction$connectionLazy$1.invoke(ThreadLocalTransactionManager.kt:68)
at kotlin.UnsafeLazyImpl.getValue(Lazy.kt:81)
at org.jetbrains.exposed.sql.transactions.ThreadLocalTransactionManager$ThreadLocalTransaction.getConnection(ThreadLocalTransactionManager.kt:75)
at org.jetbrains.exposed.sql.Transaction.getConnection(Transaction.kt)
at org.jetbrains.exposed.sql.statements.InsertStatement.prepared(InsertStatement.kt:157)
at org.jetbrains.exposed.sql.statements.Statement.executeIn$exposed_core(Statement.kt:47)
... 19 common frames omitted
Caused by: org.postgresql.util.PSQLException: Connection to localhost:49544 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:303)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:51)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223)
at org.postgresql.Driver.makeConnection(Driver.java:465)
at org.postgresql.Driver.connect(Driver.java:264)
at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:138)
at com.zaxxer.hikari.pool.PoolBase.newConnection(PoolBase.java:358)
at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(PoolBase.java:206)
at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(HikariPool.java:477)
at com.zaxxer.hikari.pool.HikariPool.access$100(HikariPool.java:71)
at com.zaxxer.hikari.pool.HikariPool$PoolEntryCreator.call(HikariPool.java:725)
at com.zaxxer.hikari.pool.HikariPool$PoolEntryCreator.call(HikariPool.java:711)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.net.ConnectException: Connection refused
at java.base/sun.nio.ch.Net.pollConnect(Native Method)
at java.base/sun.nio.ch.Net.pollConnectNow(Net.java:672)
at java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(NioSocketImpl.java:542)
at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:597)
at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:327)
I tried to add some cleanup code for Exposed's TransactionManager in my application module as following:
fun Application.module(testing: Boolean = false) {
// ...
val db = Database.connect(pool, {}, DatabaseConfig { useNestedTransactions = true })
if (testing) {
environment.monitor.subscribe(ApplicationStopped) {
TransactionManager.closeAndUnregister(db)
}
}
}
However, the issue still happened, and I also observed additional error as following:
2022-10-01 08:00:36.109 [DefaultDispatcher-worker-5 #request#93] ERROR Application - Unexpected error
java.lang.RuntimeException: database org.jetbrains.exposed.sql.Database#3bf4644c don't have any transaction manager
at org.jetbrains.exposed.sql.transactions.TransactionApiKt.getTransactionManager(TransactionApi.kt:149)
at org.jetbrains.exposed.sql.transactions.experimental.SuspendedKt.closeAsync(Suspended.kt:85)
at org.jetbrains.exposed.sql.transactions.experimental.SuspendedKt.access$closeAsync(Suspended.kt:1)
at org.jetbrains.exposed.sql.transactions.experimental.SuspendedKt$suspendedTransactionAsyncInternal$1.invokeSuspend(Suspended.kt:138)
(Coroutine boundary)
at org.mpierce.ktor.newrelic.KtorNewRelicKt$runPipelineInTransaction$2.invokeSuspend(KtorNewRelic.kt:178)
at org.mpierce.ktor.newrelic.KtorNewRelicKt$setUpNewRelic$2.invokeSuspend(KtorNewRelic.kt:104)
at io.ktor.routing.Routing.executeResult(Routing.kt:154)
at io.ktor.routing.Routing$Feature$install$1.invokeSuspend(Routing.kt:107)
at io.ktor.features.ContentNegotiation$Feature$install$1.invokeSuspend(ContentNegotiation.kt:145)
at io.ktor.features.StatusPages$interceptCall$2.invokeSuspend(StatusPages.kt:102)
at io.ktor.features.StatusPages.interceptCall(StatusPages.kt:101)
at io.ktor.features.StatusPages$Feature$install$2.invokeSuspend(StatusPages.kt:142)
at io.ktor.features.CallLogging$Feature$install$2.invokeSuspend(CallLogging.kt:188)
at io.ktor.server.testing.TestApplicationEngine$callInterceptor$1.invokeSuspend(TestApplicationEngine.kt:296)
at io.ktor.server.testing.TestApplicationEngine$2.invokeSuspend(TestApplicationEngine.kt:50)
Caused by: java.lang.RuntimeException: database org.jetbrains.exposed.sql.Database#3bf4644c don't have any transaction manager
at org.jetbrains.exposed.sql.transactions.TransactionApiKt.getTransactionManager(TransactionApi.kt:149)
at org.jetbrains.exposed.sql.transactions.experimental.SuspendedKt.closeAsync(Suspended.kt:85)
at org.jetbrains.exposed.sql.transactions.experimental.SuspendedKt.access$closeAsync(Suspended.kt:1)
at org.jetbrains.exposed.sql.transactions.experimental.SuspendedKt$suspendedTransactionAsyncInternal$1.invokeSuspend(Suspended.kt:138)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
at kotlinx.coroutines.internal.LimitedDispatcher.run(LimitedDispatcher.kt:42)
at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:95)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:570)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:677)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:664)
Could someone show me what could be the issue here with my application code & test setup?
Thanks and regards.
I have a requirement to write Custom UDF for data lookup from Hbase Table .
NOTE : I have done Unit Testing with HIVE . It seems to be working .
But when I use the same UDF Beeline, Its failed . By default Cloudera restricts impersonation and allows only hive user for running queries in Beeline. On Job startup , YarnChild is setting the following delegations tokens.
I want to add token (Kind : HBASE_AUTH_TOKEN ) for dealing with Hbase.
Kind: mapreduce.job
Kind: HDFS_DELEGATION_TOKEN
Kind: kms-dt
I researched and found out how HbaseStorageHandler is using Delegation Token ( i.e HBASE_AUTH_TOKEN ) for Hbase . So I used the same set of functions and its not working either .
Functions from HbasestorageHandler (to obtain tokens to Job ) :
private void addHBaseDelegationToken(Configuration conf, JobConf jconf) throws IOException {
if (User.isHBaseSecurityEnabled(conf)) {
try {
logger.info("isHbaseSecurityEnabled :True ");
User e = User.getCurrent();
logger.info("isHbaseSecurityEnabled :User ==> " + e.toString());
Token authToken = getAuthToken(conf, e);
logger.info("isHbaseSecurityEnabled :AuthToken==> "+authToken.toString());
Job job = new Job(conf);
if(authToken == null) {
UserGroupInformation ugi = UserGroupInformation.getLoginUser();
ugi.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS);
e.obtainAuthTokenForJob(jconf);
} else {
logger.info("authToken is not null"+authToken.toString());
job.getCredentials().addToken(authToken.getService(), authToken);
}
logger.info("obtained Token /....");
} catch (InterruptedException var5) {
throw new IOException("Error while obtaining hbase delegation token", var5);
}
}
}
private static Token<AuthenticationTokenIdentifier> getAuthToken(Configuration conf, User user) throws IOException, InterruptedException {
ZooKeeperWatcher zkw = new ZooKeeperWatcher(conf, "mr-init-credentials", (Abortable) null);
Token var4;
try {
String e = ZKClusterId.readClusterIdZNode(zkw);
logger.info("====== clusterID : " + e);
var4 = (new AuthenticationTokenSelector()).selectToken(new Text(e), user.getUGI().getTokens());
if (var4 == null) {
logger.info("var4 is null===========================");
} else {
logger.info("====== Hbase Token : " + var4.toString());
}
} catch (KeeperException var8) {
throw new IOException(var8);
} catch (NullPointerException np) {
return null;
} finally {
zkw.close();
}
return var4;
}
After calling addHBaseDelegationToken() in configure() of UDF. I am getting the following exception .I am not sure How I can make hvie user to talk with Hbase as hive.keytab is handled by Cloudera and its secured.
Any Inputs might be helpful. Thanks !
Exception StackTrace :
2018-10-11 04:48:07,625 WARN [main] org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hive (auth:SIMPLE) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
2018-10-11 04:48:07,627 WARN [main] org.apache.hadoop.hbase.ipc.RpcClientImpl: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
2018-10-11 04:48:07,628 FATAL [main] org.apache.hadoop.hbase.ipc.RpcClientImpl: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:181)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:618)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$700(RpcClientImpl.java:163)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:744)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:741)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1920)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:741)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.writeRequest(RpcClientImpl.java:907)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.tracedWriteRequest(RpcClientImpl.java:874)
at org.apache.hadoop.hbase.ipc.RpcClientImpl.call(RpcClientImpl.java:1246)
at org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:227)
at org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:336)
at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingStub.execService(ClientProtos.java:34118)
at org.apache.hadoop.hbase.protobuf.ProtobufUtil.execService(ProtobufUtil.java:1633)
at org.apache.hadoop.hbase.ipc.RegionCoprocessorRpcChannel$1.call(RegionCoprocessorRpcChannel.java:104)
at org.apache.hadoop.hbase.ipc.RegionCoprocessorRpcChannel$1.call(RegionCoprocessorRpcChannel.java:94)
at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:136)
at org.apache.hadoop.hbase.ipc.RegionCoprocessorRpcChannel.callExecService(RegionCoprocessorRpcChannel.java:107)
at org.apache.hadoop.hbase.ipc.CoprocessorRpcChannel.callBlockingMethod(CoprocessorRpcChannel.java:73)
at org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos$AuthenticationService$BlockingStub.getAuthenticationToken(AuthenticationProtos.java:4512)
at org.apache.hadoop.hbase.security.token.TokenUtil.obtainToken(TokenUtil.java:86)
at org.apache.hadoop.hbase.security.token.TokenUtil$1.run(TokenUtil.java:111)
at org.apache.hadoop.hbase.security.token.TokenUtil$1.run(TokenUtil.java:108)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1920)
at org.apache.hadoop.hbase.security.User$SecureHadoopUser.runAs(User.java:340)
at org.apache.hadoop.hbase.security.token.TokenUtil.obtainToken(TokenUtil.java:108)
at com.barclaycardus.hadoop.utils.udfs.HbaseTblLookupUDF.configure(HbaseTblLookupUDF.java:131)
at org.apache.hadoop.hive.ql.exec.MapredContext.setup(MapredContext.java:120)
at org.apache.hadoop.hive.ql.exec.ExprNodeGenericFuncEvaluator.initialize(ExprNodeGenericFuncEvaluator.java:143)
at org.apache.hadoop.hive.ql.exec.Operator.initEvaluators(Operator.java:954)
at org.apache.hadoop.hive.ql.exec.Operator.initEvaluatorsAndReturnStruct(Operator.java:980)
at org.apache.hadoop.hive.ql.exec.SelectOperator.initializeOp(SelectOperator.java:63)
at org.apache.hadoop.hive.ql.exec.Operator.initialize(Operator.java:385)
at org.apache.hadoop.hive.ql.exec.Operator.initialize(Operator.java:469)
at org.apache.hadoop.hive.ql.exec.Operator.initializeChildren(Operator.java:425)
at org.apache.hadoop.hive.ql.exec.TableScanOperator.initializeOp(TableScanOperator.java:196)
at org.apache.hadoop.hive.ql.exec.Operator.initialize(Operator.java:385)
at org.apache.hadoop.hive.ql.exec.MapOperator.initializeOp(MapOperator.java:431)
at org.apache.hadoop.hive.ql.exec.Operator.initialize(Operator.java:385)
at org.apache.hadoop.hive.ql.exec.mr.ExecMapper.configure(ExecMapper.java:126)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.hadoop.util.ReflectionUtils.setJobConf(ReflectionUtils.java:106)
at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:75)
at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:133)
at org.apache.hadoop.mapred.MapRunner.configure(MapRunner.java:38)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.hadoop.util.ReflectionUtils.setJobConf(ReflectionUtils.java:106)
at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:75)
at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:133)
at org.apache.hadoop.mapred.MapTask.runOldMapper(MapTask.java:455)
at org.apache.hadoop.mapred.MapTask.run(MapTask.java:343)
at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:164)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1920)
at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:158)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
... 66 more
Already Tried below options :
https://github.com/apache/oozie/blob/master/core/src/main/java/org/apache/oozie/action/hadoop/HbaseCredentials.java
https://github.com/ibm-research-ireland/sparkoscope/blob/master/yarn/src/main/scala/org/apache/spark/deploy/yarn/security/HBaseCredentialProvider.scala
I am trying to connect to Redis Cloud Memcached but get an error (below). I have checked that the username, password, host, and port are correct in the apps.redislabs.com interface. I able to connect if I disable SASL and connect unauthenticated.
How can I diagnose this?
(Using spymemcached 2.11.6.)
import net.spy.memcached.auth.*;
import net.spy.memcached.*;
...
List<InetSocketAddress> addresses = Collections.singletonList(addr);
AuthDescriptor ad = new AuthDescriptor(new String[] { "CRAM-MD5", "PLAIN" },
new PlainCallbackHandler(user, password));
MemcachedClient mc = new MemcachedClient(new ConnectionFactoryBuilder()
.setProtocol(ConnectionFactoryBuilder.Protocol.BINARY)
.setAuthDescriptor(ad).build(),
AddrUtil.getAddresses(host + ":" + port));
The stacktrace:
net.spy.memcached.MemcachedConnection: Added {QA sa=pub-memcache-14154.us-central1-1-1.gce.garantiadata.com/104.197.191.74:14514, #Rops=0, #Wops=0, #iq=0, topRop=null, topWop=null, toWrite=0, interested=0} to connect queue
net.spy.memcached.protocol.binary.BinaryMemcachedNodeImpl: Discarding partially completed op: SASL auth operation
net.spy.memcached.MemcachedConnection: Reconnecting due to exception on {QA sa=pub-memcache-14154.us-central1-1-1.gce.garantiadata.com/104.197.191.74:14514, #Rops=0, #Wops=0, #iq=0, topRop=null, topWop=null, toWrite=0, interested=1}
java.io.IOException: An existing connection was forcibly closed by the remote host
at sun.nio.ch.SocketDispatcher.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:43)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
at sun.nio.ch.IOUtil.read(IOUtil.java:192)
at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
at net.spy.memcached.MemcachedConnection.handleReads(MemcachedConnection.java:820)
at net.spy.memcached.MemcachedConnection.handleReadsAndWrites(MemcachedConnection.java:720)
at net.spy.memcached.MemcachedConnection.handleIO(MemcachedConnection.java:683)
at net.spy.memcached.MemcachedConnection.handleIO(MemcachedConnection.java:436)
at net.spy.memcached.MemcachedConnection.run(MemcachedConnection.java:1446)
net.spy.memcached.MemcachedConnection: Closing, and reopening {QA sa=pub-memcache-14154.us-central1-1-1.gce.garantiadata.com/104.197.191.74:14514, #Rops=0, #Wops=0, #iq=0, topRop=null, topWop=null, toWrite=0, interested=1}, attempt 0.
net.spy.memcached.MemcachedConnection: Could not redistribute to another node, retrying primary node for foo.
Lose the "CRAM-MD5" in your AuthDescriptior declaration.
The following works in my tests: (user, pass, and url removed)
AuthDescriptor ad = new AuthDescriptor(new String[] {"PLAIN"}, new PlainCallbackHandler(user, pass));
MemcachedClient mc = null;
try {
mc = new MemcachedClient(
new ConnectionFactoryBuilder()
.setProtocol(ConnectionFactoryBuilder.Protocol.BINARY)
.setAuthDescriptor(ad).build(),
AddrUtil.getAddresses(host + ":" + port ));
} catch (IOException e) {
// handle exception
}
mc.set("foo", 0, "bar");
String value = (String) mc.get("foo");
System.out.println(value);
I am developing jQuery based mobile app and trying to use Single Step authentication using my custom login page. The login page collects loan# and pin from the user and use them to query MS SQL Server database as shown below.
I created SQL adapter to access MS SQL Server database and it works successfully from workspace when I select adapter -> Run As -> Invoke Adapter procedure. But it does not work from my challaengerHandler.js and throws the exception. I already stored the sqljdbc4.jar file into project's server/lib folder.
Here is the contents from adapter.xml
<displayName>LoanInfoMSSQLAdapter</displayName>
<description>LoanInfoMSSQLAdapter</description>
<connectivity>
<connectionPolicy xsi:type="sql:SQLConnectionPolicy">
<!-- Example for using a JNDI data source, replace with actual data source name -->
<!-- <dataSourceJNDIName>java:/data-source-jndi-name</dataSourceJNDIName> -->
<!-- Example for using MySQL connector, do not forget to put the MySQL connector library in the project's lib folder -->
<dataSourceDefinition>
<driverClass>com.microsoft.sqlserver.jdbc.SQLServerDriver</driverClass>
<url>jdbc:sqlserver://9.22.93.21:1433;database=CustDB</url>
<user>lbps</user>
<password>lbps</password>
</dataSourceDefinition>
</connectionPolicy>
<loadConstraints maxConcurrentConnectionsPerNode="5" />
</connectivity>
<!-- Replace this with appropriate procedures -->
<procedure name="getLoanInfoFromDB"/>
Here is the contents from adapter-impl.js
var getLoanInfoStatement = WL.Server.createSQLStatement(
"SELECT account_id, pin, borr_ssn " +
"FROM vw_wcc_cust " +
"WHERE vw_wcc_cust.account_id = ? AND pin = ?;"
);
function getLoanInfoFromDB(loan, pin) {
return WL.Server.invokeSQLStatement({
preparedStatement : getLoanInfoStatement,
parameters : [loan, pin]
});
}
Here is the contents Challangerhandler.js
$("#AuthSubmitButton").bind('click', function () {
WL.Logger.debug("SUBMIT button clicked...");
var loan = $("#AuthLoan").val();
var pin = $("#AuthPin").val();
WL.Logger.debug("AuthLoan = " + loan);
WL.Logger.debug("AuthPin = " + pin);
WL.Logger.debug("Invoking WL.Client.connect() function to check for connectivity...");
var connectOptions = {
onSuccess : function() {
WL.Logger.debug("Device is connected to WL server");
var invocationData = {
adapter : "SetSnapshotAuthAdapter",
procedure : "submitAuthentication",
parameters : [ loan, pin ]
};
SetSnapshotAuthRealmChallengeHandler.submitAdapterAuthentication(invocationData, {});
},
onFailure: function() {
WL.Logger.debug("Device is NOT connected to WL server");
alert("Worklight Server Unavailable. Try your request later-001");
}
};
WL.Client.connect(connectOptions);
});
Here is the contents of submitAuthentication () function for SIngle Step Authentication Adapeter's js file
function submitAuthentication(loan, pin){
WL.Logger.info("Inside submitAuthentication");
WL.Logger.info("Loan = " + loan);
WL.Logger.info("Pin = " + pin);
var loanInfos = WL.Server.invokeSQLStatement({
preparedStatement : getLoanInfoStatement,
parameters : [loan, pin]
});
var username = "seterus";
// if (username === "seterus" && password === "seterus"){
if (loanInfos) {
var userIdentity = {
userId: username,
displayName: username,
attributes: {
foo: "bar",
loan: loan,
pin: pin,
isSuccessful: loanInfos.isSuccessful
}
};
WL.Logger.info("Loan from userIdentity = " + userIdentity.attributes.loan);
WL.Logger.info("Pin from userIdentity = " + userIdentity.attributes.pin);
WL.Server.setActiveUser("SetSnapshotAuthRealm", userIdentity);
WL.Logger.info("Returning authRequired as FALSE to display loan info...");
return {
authRequired: false
};
}
return onAuthRequired(null, "Invalid login credentials");
}
Upon entering the loan# and pin and then slicking Submit button, I get the following exception in the eclipse console view:
[ERROR ] FWLSE0099E: An error occurred while invoking procedure [project SeterusSnapShotJQ]SetSnapshotAuthAdapter/SqlStatementFWLSE0100E: parameters: [project SeterusSnapShotJQ]{
"arr": [
{
"parameters": [
"1111111",
"3333"
],
"preparedStatement": "SELECT account_id, pin, borr_ssn FROM vw_wcc_cust WHERE vw_wcc_cust.account_id = ? AND pin = ?;"
}
]
}
com.worklight.adapters.http.HttpClientContext cannot be cast to java.sql.Connection
FWLSE0101E: Caused by: [project SeterusSnapShotJQ]nulljava.lang.ClassCastException: com.worklight.adapters.http.HttpClientContext cannot be cast to java.sql.Connection
at com.worklight.adapters.sql.SQLQuery.invoke(SQLQuery.java:71)
at com.worklight.integration.model.ProcedureInvoker.invokeProcedure(ProcedureInvoker.java:57)
at com.worklight.integration.model.Procedure.invoke(Procedure.java:166)
at com.worklight.integration.model.InvocationContext.call(InvocationContext.java:169)
at com.worklight.integration.model.InvocationContext.call(InvocationContext.java:38)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at com.worklight.integration.model.InvocationContext$DirectExecutorService.execute(InvocationContext.java:284)
at java.util.concurrent.AbstractExecutorService.submit(Unknown Source)
at com.worklight.integration.model.InvocationContext.submit(InvocationContext.java:138)
at com.worklight.integration.model.InvocationContextManager.submitInvocation(InvocationContextManager.java:58)
at com.worklight.integration.services.impl.DataAccessServiceImpl.callProcedure(DataAccessServiceImpl.java:484)
at com.worklight.integration.services.impl.DataAccessServiceImpl.access$100(DataAccessServiceImpl.java:56)
at com.worklight.integration.services.impl.DataAccessServiceImpl$4.execute(DataAccessServiceImpl.java:387)
at com.worklight.core.auth.impl.AuthenticationServiceBean.accessResource(AuthenticationServiceBean.java:76)
at com.worklight.integration.services.impl.DataAccessServiceImpl.invokeProcedureInternal(DataAccessServiceImpl.java:384)
at com.worklight.integration.services.impl.DataAccessServiceImpl.invokeDynamicProcedure(DataAccessServiceImpl.java:443)
at com.worklight.integration.services.impl.DataAccessServiceImpl.invokeDynamicProcedure(DataAccessServiceImpl.java:427)
at com.worklight.integration.js.JavaScriptIntegrationLibraryImplementation.invokeDynamicProcedure(JavaScriptIntegrationLibraryImplementation.java:125)
at sun.reflect.GeneratedMethodAccessor206.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
at org.mozilla.javascript.gen._integration_js_16._c_anonymous_19(/integration.js:226)
at org.mozilla.javascript.gen._integration_js_16.call(/integration.js)
at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
at org.mozilla.javascript.gen.C_3A_5CUsers_5CIBM_ADMIN_5CDesktop_5CworkspaceJQuery_5CSeterusSnapShotJQ_5Cadapters_5CSetSnapshotAuthAdapter_SetSnapshotAuthAdapter_impl_js_78._c_submitAuthentication_2(C%3A%5CUsers%5CIBM_ADMIN%5CDesktop%5CworkspaceJQuery%5CSeterusSnapShotJQ%5Cadapters%5CSetSnapshotAuthAdapter/SetSnapshotAuthAdapter-impl.js:57)
at org.mozilla.javascript.gen.C_3A_5CUsers_5CIBM_ADMIN_5CDesktop_5CworkspaceJQuery_5CSeterusSnapShotJQ_5Cadapters_5CSetSnapshotAuthAdapter_SetSnapshotAuthAdapter_impl_js_78.call(C%3A%5CUsers%5CIBM_ADMIN%5CDesktop%5CworkspaceJQuery%5CSeterusSnapShotJQ%5Cadapters%5CSetSnapshotAuthAdapter/SetSnapshotAuthAdapter-impl.js)
at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
at org.mozilla.javascript.gen.C_3A_5CUsers_5CIBM_ADMIN_5CDesktop_5CworkspaceJQuery_5CSeterusSnapShotJQ_5Cadapters_5CSetSnapshotAuthAdapter_SetSnapshotAuthAdapter_impl_js_78.call(C%3A%5CUsers%5CIBM_ADMIN%5CDesktop%5CworkspaceJQuery%5CSeterusSnapShotJQ%5Cadapters%5CSetSnapshotAuthAdapter/SetSnapshotAuthAdapter-impl.js)
at com.worklight.integration.js.JavaScriptManager.callFunction(JavaScriptManager.java:240)
at com.worklight.integration.js.JavaScriptManager.invokeFunction(JavaScriptManager.java:214)
at com.worklight.integration.js.JavaScriptManager.invokeFunction(JavaScriptManager.java:194)
at com.worklight.integration.services.impl.AdapterManagerImpl.invokeFunction(AdapterManagerImpl.java:104)
at com.worklight.integration.js.JavaScriptProcedureInvoker.invoke(JavaScriptProcedureInvoker.java:42)
at com.worklight.integration.model.ProcedureInvoker.invokeProcedure(ProcedureInvoker.java:57)
at com.worklight.integration.model.Procedure.invoke(Procedure.java:166)
at com.worklight.integration.model.InvocationContext.call(InvocationContext.java:169)
at com.worklight.integration.model.InvocationContext.call(InvocationContext.java:38)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at com.worklight.server.util.ProjectLocal$1RunnableWrapper.run(ProjectLocal.java:267)
at java.lang.Thread.run(Unknown Source)
com.worklight.common.log.filters.ErrorFilter
I tried to follow the SQL Adapter example along with Single step auth adapter example. The code works fine with Single step auth adapter and hard coded data but it is giving me this problem as soon as I tried to include SQL adapter for hard coded data.
There are some postings which had same issue and I tried to follow there code in implementing this, but I am still not getting the desired the results.
Please let me know if you need anything more. Please forgive me if the code snippets don't come out good in the posting as I am new with Stack Overflow site.
Thanks,
Shailesh
I successfully connected to database and executed the query in the test application. I used the sample exercise for "Advanced adapter usage and mashup" section of Worklight InfoCenter. I used the same style in my actual app and I was successful in retrieving the records from Microsft SQL Server. Thanks for your suggestion. - Shailesh
I was looking for a good ldap library for Dart for connecting Microsoft Active Directory. I found dartdap, but I can't seem to get it working. I'm 100% shure that my CN and password is correct, because I can connect to Active directory for example with lpap browser.
The error I get is:
Uncaught Error: Invalid Credentials (49) msg=80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
The ldap.yaml looks like this (address, password and username scrambled off course)
# LDAP configuration file
# default is used if no connection name is specified
default:
port: 389
host: xxx.xx.com
bindDN: cn=testaccount
password: xxxxxxxx
And the ldaptest.dart looks like this:
void readDataFromLDAPServer() {
var ldapConfig = new LDAPConfiguration("ldap.yaml","default");
var attrs = ["dn", "cn", "objectClass"];
var filter = Filter.substring("cn=A*");
var notFilter = Filter.not(filter);
ldapConfig.getConnection().then( (LDAPConnection ldap) {
ldap.search("dc=example,dc=com", filter, attrs).
listen( (SearchEntry entry) => print('Found $entry'));
// we expect to find non A entries
ldap.search("dc=example,dc=com", notFilter, attrs)
.listen( (SearchEntry entry) {
//print("Not search = ${entry}");
// todo: test entries.
});
});
}
Any idea, what might be wrong?
I am using the code below to successfully bind to a Microsoft AD server:
var host = "ip_address";
var ssl = false;
var port = null;
var bindDN = "accountname#domain.name";
var password = "password";
var connection = new LdapConnection(host: host);
connection.setProtocol(ssl, port);
connection.setAuthentication(bindDN, password);
Please note that my binding code differs from what you are using. I am also using an_ldap client for Dart 2.