fix up token formatting; one more error code added

Author: steveloughran

sections/errors.md

@@ -117,7 +117,7 @@ an error about checksums.
 
 Rarely seen. Switching kerberos to use TCP rather than UDP makes it go away
 
-In `krb5.conf`:
+In `/etc/krb5.conf`:
 
 ```
 [libdefaults]
@@ -254,6 +254,17 @@ in the client configuration, set `hadoop.security.authentication` to `kerberos`.
 as it shouldn't be used, this document doesn't list it.
 
 
+### `GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))`
+
+The destination thinks the caller is attempting some kind of replay attack
+
+1. The KDC is seeing too many attempts by the caller to authenticate as a specific principal,
+assumes some kind of attack and rejects the request. This can happen if you have too many processes/
+nodes all sharing the same principal. Fix: make sure you have `service/_HOST@REALM` principals
+for all the services, rather than simple `service@REALM` principals. 
+ 
+1. The timestamps of the systems are out of sync, so it looks like an old token be re-issued.
+Check them all, including that of the KDC, make sure NTP is working, etc, etc.
 
 # Hadoop Web/REST APIs
 

sections/hadoop_tokens.md

@@ -74,57 +74,56 @@ identifier
 | Delegation Token | A token which can be passed to another process. |
 
 
- ### Authentication Tokens
+### Authentication Tokens
 
- Authentication Tokens are explicitly issued by services to allow the caller to
- interact with the service without having to re-request tickets from the TGT.
- 
- When an Authentication Tokens expires, the caller must request a new one off the service.
- If the Kerberos ticket to interact with the service has expired, this may include
- re-requesting a ticket off the TGS, or even re-logging in to kerberos to obtain a new TGT.
- 
- As such, they are almost equivalent to Kerberos Tickets -except that it is the 
- distributed services themselves issuing the Authentication Token, not the TGS.
- 
- ### Delegation Tokens
- 
- A delegation token is requested by a client of a service; they can be passed to
- other processes. 
- 
- When the token expires, the original client must request a new delegation token
- and pass it on to the other process, again.
- 
- What is more important is: *
- 
- 1. delegation tokens can be renewed before they expire.
+Authentication Tokens are explicitly issued by services to allow the caller to
+interact with the service without having to re-request tickets from the TGT.
+
+When an Authentication Tokens expires, the caller must request a new one off the service.
+If the Kerberos ticket to interact with the service has expired, this may include
+re-requesting a ticket off the TGS, or even re-logging in to kerberos to obtain a new TGT.
+
+As such, they are almost equivalent to Kerberos Tickets -except that it is the 
+distributed services themselves issuing the Authentication Token, not the TGS.
+
+### Delegation Tokens
+
+A delegation token is requested by a client of a service; they can be passed to
+other processes. 
+
+When the token expires, the original client must request a new delegation token
+and pass it on to the other process, again.
+
+What is more important is: 
+
+* delegation tokens can be renewed before they expire.*
+
+This is a fundamental difference between Kerberos Tickets and Hadoop Delegation Tokens.
+
+Holders of delegation tokens may renew them with a token-specific `TokenRenewer` service,
+so refresh them without needing the Kerberos credentials to log in to kerberos.
+
+More subtly
+
+1. The tokens must be renewed before they expire: once expired, a token is worthless.
+1. Token renewers can be implemented as a Hadoop RPC service, or by other means, *including HTTP*.
+1. Token renewal may simply be the updating of an expiry time in the server, without pushing
+out new tokens to the clients. This scales well when there are many processes across
+the cluster associated with a single application..
+
+For the HDFS Client protocol, the client protocol itself is the token renewer. A client may
+talk to the Namenode using its current token, and request a new one, so refreshing it.
+
+In contrast, the YARN timeline service is a pure REST API, which implements its token renewal over
+HTTP/HTTPS. To refresh the token, the client must issue an HTTP request (a PUT operation, interestingly
+enough), receiving a new token as a response.
+
+Other delegation token renewal mechanisms alongside Hadoop RPC and HTTP could be implemented,
+that is a detail which client applications do not need to care about. All the matters is that
+they have the code to refresh tokens, usually code which lives alongside the RPC/REST client,
+*and keep renewing the tokens on a regularl basis*. Generally this is done by starting
+a thread in the background.
 
- 
- This is a fundamental difference between Kerberos Tickets and Hadoop Delegation Tokens.
- 
- Holders of delegation tokens may renew them with a token-specific `TokenRenewer` service,
- so refresh them without needing the Kerberos credentials to log in to kerberos.
- 
- More subtly
- 
- 1. The tokens must be renewed before they expire: once expired, a token is worthless.
- 1. Token renewers can be implemented as a Hadoop RPC service, or by other means, *including HTTP*.
- 1. Token renewal may simply be the updating of an expiry time in the server, without pushing
- out new tokens to the clients. This scales well when there are many processes across
- the cluster associated with a single application..
- 
- For the HDFS Client protocol, the client protocol itself is the token renewer. A client may
- talk to the Namenode using its current token, and request a new one, so refreshing it.
- 
- In contrast, the YARN timeline service is a pure REST API, which implements its token renewal over
- HTTP/HTTPS. To refresh the token, the client must issue an HTTP request (a PUT operation, interestingly
- enough), receiving a new token as a response.
- 
- Other delegation token renewal mechanisms alongside Hadoop RPC and HTTP could be implemented,
- that is a detail which client applications do not need to care about. All the matters is that
- they have the code to refresh tokens, usually code which lives alongside the RPC/REST client,
- *and keep renewing the tokens on a regularl basis*. Generally this is done by starting
- a thread in the background.
- 
 
 # Delegation Token revocation
 
@@ -145,41 +144,41 @@ can be granted to applications running in the cluster. This explicitly avoid the
 offer that feature?).
 
 ## Example
- 
- Imagine a user deploying a YARN application in a cluster, one which needs
- access to the user's data stored in HDFS. The user would be required to be authenticated with
- the KDC, and have been granted a *Ticket Granting Ticket*; the ticket needed to work with
- the TGS. 
- 
- The client-side launcher of the YARN application would be able to talk to HDFS and the YARN
- resource manager, because the user was logged in to Kerberos. This would be managed in the Hadoop
- RPC layer, requesting tickets to talk to the HDFS NameNode and YARN ResourceManager, if needed.
- 
- To give the YARN application the same rights to HDFS, the client-side application must
- request a Delegation Token to talk to HDFS, a key which is then passed to the YARN application in
- the `ContainerLaunchContext` within the `ApplicationSubmissionContext` used to define the
- application to launch: its required container resources, artifacts to download, "localize",
- environment to set up and command to run.
- 
- The YARN resource manager finds a location for the Application Master, and requests that
- hosts' Node Manager start the container/application. 
- 
- The Node Manager uses the "delegated HDFS token" to download the launch-time resources into
- a local directory space, then executes the application.
- 
- *Somehow*, the HDFS token (and any other supplied tokens) are passed to the application that
- has been launched.
- 
- The launched application master can use this token to interact with HDFS *as the original user*.
- 
- The AM can also pass token(s) on to launched containers, so that they too have access to HDFS.
- 
- 
- The Hadoop Name Node does not need to care whether the caller is the user themselves, the Node Manager
- localizing the container, the launched application or any launched containers. All it does is verify
- that when a caller requests access to the HDFS filesystem metadata or the contents of a file,
- it must have a ticket/token which declares that they are the specific user, and that the token
- is currently considered valid (based on the expiry time and the clock value of the Name Node)
+
+Imagine a user deploying a YARN application in a cluster, one which needs
+access to the user's data stored in HDFS. The user would be required to be authenticated with
+the KDC, and have been granted a *Ticket Granting Ticket*; the ticket needed to work with
+the TGS. 
+
+The client-side launcher of the YARN application would be able to talk to HDFS and the YARN
+resource manager, because the user was logged in to Kerberos. This would be managed in the Hadoop
+RPC layer, requesting tickets to talk to the HDFS NameNode and YARN ResourceManager, if needed.
+
+To give the YARN application the same rights to HDFS, the client-side application must
+request a Delegation Token to talk to HDFS, a key which is then passed to the YARN application in
+the `ContainerLaunchContext` within the `ApplicationSubmissionContext` used to define the
+application to launch: its required container resources, artifacts to download, "localize",
+environment to set up and command to run.
+
+The YARN resource manager finds a location for the Application Master, and requests that
+hosts' Node Manager start the container/application. 
+
+The Node Manager uses the "delegated HDFS token" to download the launch-time resources into
+a local directory space, then executes the application.
+
+*Somehow*, the HDFS token (and any other supplied tokens) are passed to the application that
+has been launched.
+
+The launched application master can use this token to interact with HDFS *as the original user*.
+
+The AM can also pass token(s) on to launched containers, so that they too have access to HDFS.
+
+
+The Hadoop NameNode does not need to care whether the caller is the user themselves, the Node Manager
+localizing the container, the launched application or any launched containers. All it does is verify
+that when a caller requests access to the HDFS filesystem metadata or the contents of a file,
+it must have a ticket/token which declares that they are the specific user, and that the token
+is currently considered valid (based on the expiry time and the clock value of the Name Node)
 
 
 
@@ -330,4 +329,4 @@ work to Oozie to have a keytab and to pass it to Oozie.
 
 ## Weaknesses
 
-1. Any compromised DN can create block tokens.
+1. Any compromised DN can create block tokens.