KerberosAuthenticationIT authentication test failures

[benwtrent]

Build scan:

7.6 https://gradle-enterprise.elastic.co/s/3olzbtxfidvds
7.8 https://gradle-enterprise.elastic.co/s/22optb3r7tq24
7.7 https://gradle-enterprise.elastic.co/s/4225d2fztqtfg

Repro line:

Three tests fail:

./gradlew ':x-pack:qa:kerberos-tests:integTestRunner' --tests "org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.testLoginByKeytab" -Dtests.seed=461C01080EE1DB8B -Dtests.security.manager=true -Dtests.locale=es-EC -Dtests.timezone=IET -Dcompiler.java=13


./gradlew ':x-pack:qa:kerberos-tests:integTestRunner' --tests "org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.testLoginByUsernamePassword" -Dtests.seed=461C01080EE1DB8B -Dtests.security.manager=true -Dtests.locale=es-EC -Dtests.timezone=IET -Dcompiler.java=13


./gradlew ':x-pack:qa:kerberos-tests:integTestRunner' --tests "org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.testGetOauth2TokenInExchangeForKerberosTickets" -Dtests.seed=461C01080EE1DB8B -Dtests.security.manager=true -Dtests.locale=es-EC -Dtests.timezone=IET -Dcompiler.java=13

Reproduces locally?:
No
Applicable branches:

7.6
7.7
7.8
master

Failure excerpt:

All tests fail with a similar NPE.

org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT > testLoginByKeytab FAILED
    java.lang.RuntimeException: javax.security.auth.login.LoginException: java.lang.NullPointerException
    	at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:149)
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:754)
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
    	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
    	at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
    	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
    	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
    	at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.lambda$login$1(SpnegoHttpClientConfigCallbackHandler.java:168)
    	at java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
    	at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.login(SpnegoHttpClientConfigCallbackHandler.java:155)
    	at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.setupSpnegoAuthSchemeSupport(SpnegoHttpClientConfigCallbackHandler.java:126)
    	at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.customizeHttpClient(SpnegoHttpClientConfigCallbackHandler.java:115)
    	at org.elasticsearch.client.RestClientBuilder.createHttpClient(RestClientBuilder.java:215)
    	at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
    	at org.elasticsearch.client.RestClientBuilder.build(RestClientBuilder.java:191)
    	at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.buildRestClientForKerberos(KerberosAuthenticationIT.java:190)
    	at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.executeRequestAndVerifyResponse(KerberosAuthenticationIT.java:156)
    	at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.testLoginByKeytab(KerberosAuthenticationIT.java:98)
    	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
    	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    	at java.base/java.lang.reflect.Method.invoke(Method.java:564)
    	at com.carrotsearch.randomizedtesting.RandomizedRunner.invoke(RandomizedRunner.java:1750)
    	at com.carrotsearch.randomizedtesting.RandomizedRunner$8.evaluate(RandomizedRunner.java:938)
    	at com.carrotsearch.randomizedtesting.RandomizedRunner$9.evaluate(RandomizedRunner.java:974)
    	at com.carrotsearch.randomizedtesting.RandomizedRunner$10.evaluate(RandomizedRunner.java:988)
    	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
    	at org.apache.lucene.util.TestRuleSetupTeardownChained$1.evaluate(TestRuleSetupTeardownChained.java:49)
    	at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45)
    	at org.apache.lucene.util.TestRuleThreadAndTestName$1.evaluate(TestRuleThreadAndTestName.java:48)
    	at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:64)
    	at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47)
    	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
    	at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368)
    	at com.carrotsearch.randomizedtesting.ThreadLeakControl.forkTimeoutingTask(ThreadLeakControl.java:817)
    	at com.carrotsearch.randomizedtesting.ThreadLeakControl$3.evaluate(ThreadLeakControl.java:468)
    	at com.carrotsearch.randomizedtesting.RandomizedRunner.runSingleTest(RandomizedRunner.java:947)
    	at com.carrotsearch.randomizedtesting.RandomizedRunner$5.evaluate(RandomizedRunner.java:832)
    	at com.carrotsearch.randomizedtesting.RandomizedRunner$6.evaluate(RandomizedRunner.java:883)
    	at com.carrotsearch.randomizedtesting.RandomizedRunner$7.evaluate(RandomizedRunner.java:894)
    	at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45)
    	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
    	at org.apache.lucene.util.TestRuleStoreClassName$1.evaluate(TestRuleStoreClassName.java:41)
    	at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40)
    	at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40)
    	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
    	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
    	at org.apache.lucene.util.TestRuleAssertionsRequired$1.evaluate(TestRuleAssertionsRequired.java:53)
    	at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47)
    	at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:64)
    	at org.apache.lucene.util.TestRuleIgnoreTestSuites$1.evaluate(TestRuleIgnoreTestSuites.java:54)
    	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
    	at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368)
    	at java.base/java.lang.Thread.run(Thread.java:832)
        at __randomizedtesting.SeedInfo.seed([461C01080EE1DB8B:297FA9053AE957CC]:0)
        at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.setupSpnegoAuthSchemeSupport(SpnegoHttpClientConfigCallbackHandler.java:141)
        at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.customizeHttpClient(SpnegoHttpClientConfigCallbackHandler.java:115)
        at org.elasticsearch.client.RestClientBuilder.createHttpClient(RestClientBuilder.java:215)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
        at org.elasticsearch.client.RestClientBuilder.build(RestClientBuilder.java:191)
        at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.buildRestClientForKerberos(KerberosAuthenticationIT.java:190)
        at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.executeRequestAndVerifyResponse(KerberosAuthenticationIT.java:156)
        at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.testLoginByKeytab(KerberosAuthenticationIT.java:98)

        Caused by:
        javax.security.auth.login.LoginException: java.lang.NullPointerException
        	at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:149)
        	at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
        	at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
        	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
        	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)
        	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:754)
        	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
        	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
        	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
        	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
        	at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
        	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
        	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
        	at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.lambda$login$1(SpnegoHttpClientConfigCallbackHandler.java:168)
        	at java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
        	at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.login(SpnegoHttpClientConfigCallbackHandler.java:155)
        	at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.setupSpnegoAuthSchemeSupport(SpnegoHttpClientConfigCallbackHandler.java:126)
        	at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.customizeHttpClient(SpnegoHttpClientConfigCallbackHandler.java:115)
        	at org.elasticsearch.client.RestClientBuilder.createHttpClient(RestClientBuilder.java:215)
        	at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
        	at org.elasticsearch.client.RestClientBuilder.build(RestClientBuilder.java:191)
        	at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.buildRestClientForKerberos(KerberosAuthenticationIT.java:190)
        	at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.executeRequestAndVerifyResponse(KerberosAuthenticationIT.java:156)
        	at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.testLoginByKeytab(KerberosAuthenticationIT.java:98)
        	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
        	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        	at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        	at com.carrotsearch.randomizedtesting.RandomizedRunner.invoke(RandomizedRunner.java:1750)
        	at com.carrotsearch.randomizedtesting.RandomizedRunner$8.evaluate(RandomizedRunner.java:938)
        	at com.carrotsearch.randomizedtesting.RandomizedRunner$9.evaluate(RandomizedRunner.java:974)
        	at com.carrotsearch.randomizedtesting.RandomizedRunner$10.evaluate(RandomizedRunner.java:988)
        	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        	at org.apache.lucene.util.TestRuleSetupTeardownChained$1.evaluate(TestRuleSetupTeardownChained.java:49)
        	at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45)
        	at org.apache.lucene.util.TestRuleThreadAndTestName$1.evaluate(TestRuleThreadAndTestName.java:48)
        	at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:64)
        	at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47)
        	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        	at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368)
        	at com.carrotsearch.randomizedtesting.ThreadLeakControl.forkTimeoutingTask(ThreadLeakControl.java:817)
        	at com.carrotsearch.randomizedtesting.ThreadLeakControl$3.evaluate(ThreadLeakControl.java:468)
        	at com.carrotsearch.randomizedtesting.RandomizedRunner.runSingleTest(RandomizedRunner.java:947)
        	at com.carrotsearch.randomizedtesting.RandomizedRunner$5.evaluate(RandomizedRunner.java:832)
        	at com.carrotsearch.randomizedtesting.RandomizedRunner$6.evaluate(RandomizedRunner.java:883)
        	at com.carrotsearch.randomizedtesting.RandomizedRunner$7.evaluate(RandomizedRunner.java:894)
        	at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45)
        	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        	at org.apache.lucene.util.TestRuleStoreClassName$1.evaluate(TestRuleStoreClassName.java:41)
        	at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40)
        	at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40)
        	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        	at org.apache.lucene.util.TestRuleAssertionsRequired$1.evaluate(TestRuleAssertionsRequired.java:53)
        	at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47)
        	at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:64)
        	at org.apache.lucene.util.TestRuleIgnoreTestSuites$1.evaluate(TestRuleIgnoreTestSuites.java:54)
        	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        	at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368)
        	at java.base/java.lang.Thread.run(Thread.java:832)
            at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:821)
            at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
            at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
            at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
            at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
            at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
            at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.lambda$login$1(SpnegoHttpClientConfigCallbackHandler.java:168)
            at java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
            at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.login(SpnegoHttpClientConfigCallbackHandler.java:155)
            at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.setupSpnegoAuthSchemeSupport(SpnegoHttpClientConfigCallbackHandler.java:126)
            ... 7 more

[elasticmachine]

Pinging @elastic/es-security (:Security/Authentication)

[jkakavas]

These started failing in May 9 only with runtime java set to 15 ( this is why @benwtrent can't reproduce them I guess, the repro line above is missing the -Druntime.java=15 but the build plugin output has this as it should ) . Now, JDK 15 build 22 was released on May 6 and I guess we picked it up around May 9 we actually picked it up on May 7. This is an NPE in the sun.security.krb5.KrbKdcRep class so I guess it's most probably a JDK bug rather one of our own. I will look at this over the next week or so and file the bug upstream if needed.

[benwtrent]

Here is a different test failure, but also JDK15 + kerberos NPE: https://gradle-enterprise.elastic.co/s/hgrh76kyapze2

java.io.IOException: Login failure for hdfs/[email protected] from keytab /dev/shm/elastic+elasticsearch+7.x+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/test/fixtures/krb5kdc-fixture/testfixtures_shared/shared/hdfs/keytabs/hdfs_hdfs.build.elastic.co.keytab: javax.security.auth.login.LoginException: java.lang.NullPointerException
    	at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:149)
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:754)
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
    	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
    	at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
    	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
    	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
    	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1057)
    	at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:286)
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:1081)
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:376)
    	at org.apache.hadoop.hdfs.DFSTestUtil.formatNameNode(DFSTestUtil.java:233)
    	at org.apache.hadoop.hdfs.MiniDFSCluster.createNameNodesAndSetConf(MiniDFSCluster.java:1027)
    	at org.apache.hadoop.hdfs.MiniDFSCluster.initMiniDFSCluster(MiniDFSCluster.java:830)
    	at org.apache.hadoop.hdfs.MiniDFSCluster.<init>(MiniDFSCluster.java:485)
    	at org.apache.hadoop.hdfs.MiniDFSCluster$Builder.build(MiniDFSCluster.java:444)
    	at hdfs.MiniHDFS.main(MiniHDFS.java:119)
    
    	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1066)
    	at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:286)
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:1081)
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:376)
    	at org.apache.hadoop.hdfs.DFSTestUtil.formatNameNode(DFSTestUtil.java:233)
    	at org.apache.hadoop.hdfs.MiniDFSCluster.createNameNodesAndSetConf(MiniDFSCluster.java:1027)
    	at org.apache.hadoop.hdfs.MiniDFSCluster.initMiniDFSCluster(MiniDFSCluster.java:830)
    	at org.apache.hadoop.hdfs.MiniDFSCluster.<init>(MiniDFSCluster.java:485)
    	at org.apache.hadoop.hdfs.MiniDFSCluster$Builder.build(MiniDFSCluster.java:444)
    	at hdfs.MiniHDFS.main(MiniHDFS.java:119)
    Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
    	at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:149)
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:754)
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
    	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
    	at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
    	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
    	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
    	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1057)
    	at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:286)
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:1081)
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:376)
    	at org.apache.hadoop.hdfs.DFSTestUtil.formatNameNode(DFSTestUtil.java:233)
    	at org.apache.hadoop.hdfs.MiniDFSCluster.createNameNodesAndSetConf(MiniDFSCluster.java:1027)
    	at org.apache.hadoop.hdfs.MiniDFSCluster.initMiniDFSCluster(MiniDFSCluster.java:830)
    	at org.apache.hadoop.hdfs.MiniDFSCluster.<init>(MiniDFSCluster.java:485)
    	at org.apache.hadoop.hdfs.MiniDFSCluster$Builder.build(MiniDFSCluster.java:444)
    	at hdfs.MiniHDFS.main(MiniHDFS.java:119)
    
    	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:821)
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
    	at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
    	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
    	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
    	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1057)
    	... 9 more

[markharwood]

Another JDK15 + Kerberos NPE today https://gradle-enterprise.elastic.co/s/w46qi55v5ga2k

REPRODUCE WITH: ./gradlew ':x-pack:qa:kerberos-tests:integTestRunner' --tests "org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.testLoginByKeytab" -Dtests.seed=5473F4144376DD6D -Dtests.security.manager=true -Dtests.locale=en-ZA -Dtests.timezone=Hongkong -Dcompiler.java=13 |  

java.lang.RuntimeException: javax.security.auth.login.LoginException: java.lang.NullPointerException |  
-- | --
  | at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:149) |  
  | at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159) |  
  | at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121) |  
  | at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310) |  
  | at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498) |  
  | at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:754) |  
  | at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) |  
  | at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) |  
  | at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) |  
  | at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) |  
  | at java.base/java.security.AccessController.doPrivileged(AccessController.java:691) |  
  | at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) |  
  | at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) |  
  | at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.lambda$login$1(SpnegoHttpClientConfigCallbackHandler.java:168) |  
  | at java.base/java.security.AccessController.doPrivileged(AccessController.java:554) |  
  | at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.login(SpnegoHttpClientConfigCallbackHandler.java:155) |  
  | at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.setupSpnegoAuthSchemeSupport(SpnegoHttpClientConfigCallbackHandler.java:126) |  
  | at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.customizeHttpClient(SpnegoHttpClientConfigCallbackHandler.java:115) |  
  | at org.elasticsearch.client.RestClientBuilder.createHttpClient(RestClientBuilder.java:215) |  
  | at java.base/java.security.AccessController.doPrivileged(AccessController.java:312) |  
  | at org.elasticsearch.client.RestClientBuilder.build(RestClientBuilder.java:191) |  
  | at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.buildRestClientForKerberos(KerberosAuthenticationIT.java:190) |  
  | at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.executeRequestAndVerifyResponse(KerberosAuthenticationIT.java:156) |  
  | at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.testLoginByKeytab(KerberosAuthenticationIT.java:98) |  
  | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) |  
  | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64) |  
  | at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) |  
  | at java.base/java.lang.reflect.Method.invoke(Method.java:564) |  
  | at com.carrotsearch.randomizedtesting.RandomizedRunner.invoke(RandomizedRunner.java:1750) |  
  | at com.carrotsearch.randomizedtesting.RandomizedRunner$8.evaluate(RandomizedRunner.java:938) |  
  | at com.carrotsearch.randomizedtesting.RandomizedRunner$9.evaluate(RandomizedRunner.java:974) |  
  | at com.carrotsearch.randomizedtesting.RandomizedRunner$10.evaluate(RandomizedRunner.java:988) |  
  | at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) |  
  | at org.apache.lucene.util.TestRuleSetupTeardownChained$1.evaluate(TestRuleSetupTeardownChained.java:49) |  
  | at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45) |  
  | at org.apache.lucene.util.TestRuleThreadAndTestName$1.evaluate(TestRuleThreadAndTestName.java:48) |  
  | at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:64) |  
  | at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47) |  
  | at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) |  
  | at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368) |  
  | at com.carrotsearch.randomizedtesting.ThreadLeakControl.forkTimeoutingTask(ThreadLeakControl.java:817) |  
  | at com.carrotsearch.randomizedtesting.ThreadLeakControl$3.evaluate(ThreadLeakControl.java:468) |  
  | at com.carrotsearch.randomizedtesting.RandomizedRunner.runSingleTest(RandomizedRunner.java:947) |  
  | at com.carrotsearch.randomizedtesting.RandomizedRunner$5.evaluate(RandomizedRunner.java:832) |  
  | at com.carrotsearch.randomizedtesting.RandomizedRunner$6.evaluate(RandomizedRunner.java:883) |  
  | at com.carrotsearch.randomizedtesting.RandomizedRunner$7.evaluate(RandomizedRunner.java:894) |  
  | at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45) |  
  | at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) |  
  | at org.apache.lucene.util.TestRuleStoreClassName$1.evaluate(TestRuleStoreClassName.java:41) |  
  | at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40) |  
  | at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40) |  
  | at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) |  
  | at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) |  
  | at org.apache.lucene.util.TestRuleAssertionsRequired$1.evaluate(TestRuleAssertionsRequired.java:53) |  
  | at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47) |  
  | at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:64) |  
  | at org.apache.lucene.util.TestRuleIgnoreTestSuites$1.evaluate(TestRuleIgnoreTestSuites.java:54) |  
  | at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) |  
  | at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368) |  
  | at java.base/java.lang.Thread.run(Thread.java:832) |  
  | at __randomizedtesting.SeedInfo.seed([5473F4144376DD6D:3B105C19777E512A]:0) |  
  | at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.setupSpnegoAuthSchemeSupport(SpnegoHttpClientConfigCallbackHandler.java:141) |  
  | at org.elasticsearch.xpack.security.authc.kerberos.SpnegoHttpClientConfigCallbackHandler.customizeHttpClient(SpnegoHttpClientConfigCallbackHandler.java:115) |  
  | at org.elasticsearch.client.RestClientBuilder.createHttpClient(RestClientBuilder.java:215) |  
  | at java.base/java.security.AccessController.doPrivileged(AccessController.java:312) |  
  | at org.elasticsearch.client.RestClientBuilder.build(RestClientBuilder.java:191) |  
  | at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.buildRestClientForKerberos(KerberosAuthenticationIT.java:190) |  
  | at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.executeRequestAndVerifyResponse(KerberosAuthenticationIT.java:156) |  
  | at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationIT.testLoginByKeytab(KerberosAuthenticationIT.java:98) |  
  |   |  
  | Caused by: |  
  | javax.security.auth.login.LoginException: java.lang.NullPointerException |  
  | at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:149) |  
  | at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159) |  
  | at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121) |  
  | at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310) |  
  | at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498) |  
  | at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:754) |  
  | at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) |  
  | at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) |  
  | at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) |  
  | at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)

[jkakavas]

I spent 30 mins on it today out of curiosity. It seems this is actually a bug in sun.security.krb5.KrbKdcRep that was surfaced by the changes to ReferralsState in https://hg.openjdk.java.net/jdk/jdk/rev/142d090cab77 . I don't know enough about the mentioned RFCs in order to make a proper bug request upstream now, and given this might be a JDK15 regression that doesn't affect us now, I will take the time at some point over the next few weeks to do so

[gwbrown]

I believe this same issue is causing failures on the JVM matrix builds, as the HDFS fixture depends on Kerberos and also hits this same failure. Sample build scans:
master
7.8
7.7

All on JDK15.

The error appears to be the same: LoginException caused by a NullPointerException in java.security.jgss/sun.security.krb5.KrbKdcRep.check with the same stack trace as above.

Very log failure log

secureHdfsFixture configuration:	
-----------------------------------------	
  cwd: /dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs/build/fixtures/secureHdfsFixture/cwd	
  command: /var/lib/jenkins/.java/openjdk15/bin/java -Djava.security.krb5.conf=/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/test/fixtures/krb5kdc-fixture/testfixtures_shared/shared/hdfs/krb5.conf hdfs.MiniHDFS /dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs/build/fixtures/secureHdfsFixture hdfs/[email protected] /dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/test/fixtures/krb5kdc-fixture/testfixtures_shared/shared/hdfs/keytabs/hdfs_hdfs.build.elastic.co.keytab	
  environment:	
    CLASSPATH: [...omitted for brevity]
	
  [run]	
    "/var/lib/jenkins/.java/openjdk15/bin/java" "$@" > run.log 2>&1 ; if [ $? != 0 ]; then touch run.failed; fi	
secureHdfsFixture output:	
-----------------------------------------	
  failure marker exists: true	
  pid file exists: false	
  ports file exists: false	
	
  [log]	
    Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8	
    WARNING: An illegal reflective access operation has occurred	
    WARNING: Illegal reflective access by org.apache.hadoop.security.authentication.util.KerberosUtil (file:/var/lib/jenkins/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-auth/2.8.5/63fe1f9d9ef6bdf2cb52dfeb28ed8faf78e4b85c/hadoop-auth-2.8.5.jar) to method sun.security.krb5.Config.getInstance()	
    WARNING: Please consider reporting this to the maintainers of org.apache.hadoop.security.authentication.util.KerberosUtil	
    WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations	
    WARNING: All illegal access operations will be denied in a future release	
    2020-05-27 16:34:15,386 WARN  [main] util.NativeCodeLoader (NativeCodeLoader.java:<clinit>(62)) - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable	
    2020-05-27 16:34:15,587 INFO  [main] hdfs.MiniDFSCluster (MiniDFSCluster.java:<init>(460)) - starting cluster: numNameNodes=1, numDataNodes=1	
    2020-05-27 16:34:16,549 ERROR [main] hdfs.MiniDFSCluster (MiniDFSCluster.java:initMiniDFSCluster(835)) - IOE creating namenodes. Permissions dump:	
    path '/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs/build/fixtures/secureHdfsFixture/hdfs-data/data': 	
    	absolute:/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs/build/fixtures/secureHdfsFixture/hdfs-data/data	
    	permissions: ----	
    path '/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs/build/fixtures/secureHdfsFixture/hdfs-data': 	
    	absolute:/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs/build/fixtures/secureHdfsFixture/hdfs-data	
    	permissions: ----	
    path '/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs/build/fixtures/secureHdfsFixture': 	
    	absolute:/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs/build/fixtures/secureHdfsFixture	
    	permissions: drwx	
    path '/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs/build/fixtures': 	
    	absolute:/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs/build/fixtures	
    	permissions: drwx	
    path '/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs/build': 	
    	absolute:/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs/build	
    	permissions: drwx	
    path '/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs': 	
    	absolute:/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins/repository-hdfs	
    	permissions: drwx	
    path '/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins': 	
    	absolute:/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/plugins	
    	permissions: drwx	
    path '/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose': 	
    	absolute:/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose	
    	permissions: drwx	
    path '/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes': 	
    	absolute:/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes	
    	permissions: drwx	
    path '/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15': 	
    	absolute:/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15	
    	permissions: drwx	
    path '/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA': 	
    	absolute:/dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA	
    	permissions: drwx	
    path '/dev/shm/elastic+elasticsearch+master+matrix-java-periodic': 	
    	absolute:/dev/shm/elastic+elasticsearch+master+matrix-java-periodic	
    	permissions: drwx	
    path '/dev/shm': 	
    	absolute:/dev/shm	
    	permissions: drwx	
    path '/dev': 	
    	absolute:/dev	
    	permissions: dr-x	
    path '/': 	
    	absolute:/	
    	permissions: dr-x	
    	
    java.io.IOException: Login failure for hdfs/[email protected] from keytab /dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/test/fixtures/krb5kdc-fixture/testfixtures_shared/shared/hdfs/keytabs/hdfs_hdfs.build.elastic.co.keytab: javax.security.auth.login.LoginException: java.lang.NullPointerException	
    	at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:149)	
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)	
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)	
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)	
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)	
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:754)	
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)	
    	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)	
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)	
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)	
    	at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)	
    	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)	
    	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)	
    	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1057)	
    	at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:286)	
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:1081)	
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:376)	
    	at org.apache.hadoop.hdfs.DFSTestUtil.formatNameNode(DFSTestUtil.java:233)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.createNameNodesAndSetConf(MiniDFSCluster.java:1027)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.initMiniDFSCluster(MiniDFSCluster.java:830)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.<init>(MiniDFSCluster.java:485)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster$Builder.build(MiniDFSCluster.java:444)	
    	at hdfs.MiniHDFS.main(MiniHDFS.java:119)	
    	
    	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1066)	
    	at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:286)	
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:1081)	
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:376)	
    	at org.apache.hadoop.hdfs.DFSTestUtil.formatNameNode(DFSTestUtil.java:233)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.createNameNodesAndSetConf(MiniDFSCluster.java:1027)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.initMiniDFSCluster(MiniDFSCluster.java:830)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.<init>(MiniDFSCluster.java:485)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster$Builder.build(MiniDFSCluster.java:444)	
    	at hdfs.MiniHDFS.main(MiniHDFS.java:119)	
    Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException	
    	at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:149)	
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)	
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)	
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)	
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)	
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:754)	
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)	
    	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)	
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)	
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)	
    	at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)	
    	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)	
    	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)	
    	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1057)	
    	at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:286)	
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:1081)	
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:376)	
    	at org.apache.hadoop.hdfs.DFSTestUtil.formatNameNode(DFSTestUtil.java:233)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.createNameNodesAndSetConf(MiniDFSCluster.java:1027)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.initMiniDFSCluster(MiniDFSCluster.java:830)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.<init>(MiniDFSCluster.java:485)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster$Builder.build(MiniDFSCluster.java:444)	
    	at hdfs.MiniHDFS.main(MiniHDFS.java:119)	
    	
    	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:821)	
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)	
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)	
    	at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)	
    	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)	
    	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)	
    	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1057)	
    	... 9 more	
    2020-05-27 16:34:16,556 INFO  [main] hdfs.MiniDFSCluster (MiniDFSCluster.java:shutdown(1789)) - Shutting down the Mini HDFS Cluster	
    Exception in thread "main" java.io.IOException: Login failure for hdfs/[email protected] from keytab /dev/shm/elastic+elasticsearch+master+matrix-java-periodic/ES_RUNTIME_JAVA/openjdk15/nodes/general-purpose/test/fixtures/krb5kdc-fixture/testfixtures_shared/shared/hdfs/keytabs/hdfs_hdfs.build.elastic.co.keytab: javax.security.auth.login.LoginException: java.lang.NullPointerException	
    	at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:149)	
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)	
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)	
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)	
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)	
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:754)	
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)	
    	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)	
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)	
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)	
    	at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)	
    	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)	
    	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)	
    	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1057)	
    	at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:286)	
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:1081)	
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:376)	
    	at org.apache.hadoop.hdfs.DFSTestUtil.formatNameNode(DFSTestUtil.java:233)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.createNameNodesAndSetConf(MiniDFSCluster.java:1027)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.initMiniDFSCluster(MiniDFSCluster.java:830)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.<init>(MiniDFSCluster.java:485)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster$Builder.build(MiniDFSCluster.java:444)	
    	at hdfs.MiniHDFS.main(MiniHDFS.java:119)	
    	
    	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1066)	
    	at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:286)	
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:1081)	
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:376)	
    	at org.apache.hadoop.hdfs.DFSTestUtil.formatNameNode(DFSTestUtil.java:233)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.createNameNodesAndSetConf(MiniDFSCluster.java:1027)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.initMiniDFSCluster(MiniDFSCluster.java:830)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.<init>(MiniDFSCluster.java:485)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster$Builder.build(MiniDFSCluster.java:444)	
    	at hdfs.MiniHDFS.main(MiniHDFS.java:119)	
    Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException	
    	at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:149)	
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)	
    	at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)	
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)	
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)	
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:754)	
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)	
    	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)	
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)	
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)	
    	at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)	
    	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)	
    	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)	
    	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1057)	
    	at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:286)	
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:1081)	
    	at org.apache.hadoop.hdfs.server.namenode.NameNode.format(NameNode.java:376)	
    	at org.apache.hadoop.hdfs.DFSTestUtil.formatNameNode(DFSTestUtil.java:233)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.createNameNodesAndSetConf(MiniDFSCluster.java:1027)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.initMiniDFSCluster(MiniDFSCluster.java:830)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster.<init>(MiniDFSCluster.java:485)	
    	at org.apache.hadoop.hdfs.MiniDFSCluster$Builder.build(MiniDFSCluster.java:444)	
    	at hdfs.MiniHDFS.main(MiniHDFS.java:119)	
    	
    	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:821)	
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)	
    	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)	
    	at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)	
    	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)	
    	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)	
    	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1057)	
    	... 9 more

[mark-vieira]

So this continues to fail on the JDK 15 builds. What should we do here? Should we disable this fixture and associated tests on Java 15? I'm ok with doing so temporarily but we should put some level of effort into figuring out if there's some kind of Java 15 bug given our trend of moving to the latest JDK on release and Java 15 GA only three months away.

Here's the last week's failures for this issue:
https://gradle-enterprise.elastic.co/scans/failures?failures.failureClassification=non_verification&failures.failureMessage=Execution%20failed%20for%20task%20%27:plugins:repository-hdfs:secureHdfsFixture%27.%0A*&list.size=50&list.sortColumn=startTime&list.sortOrder=desc&search.buildToolType=gradle&search.buildToolType=maven&search.relativeStartTime=P7D&search.tags=CI&search.timeZoneId=America/Los_Angeles

[jkakavas]

I'll get to it in the next couple of days ,it's on my radar

[jaymode]

This is likely caused by https://bugs.openjdk.java.net/browse/JDK-8246193, which should be fixed in the next JDK 15 build

[jkakavas]

Thanks @jaymode , yes this raised bug agrees with what I saw in my initial analysis too. Happy our waiting game paid off :)

[cbuescher]

I'm seeing several similar looking failures today, seems to have started some time around yesterday on 7.8 to 7.x branches.
Here are the most recent ones. Since the error seems JDK related I add that here too:

7.8: https://gradle-enterprise.elastic.co/s/u3obnnvb4b2a2 (ES_RUNTIME_JAVA=zulu8)
7.x: https://gradle-enterprise.elastic.co/s/jphxevpnnnuza (ES_RUNTIME_JAVA=zulu8)
7.8: https://gradle-enterprise.elastic.co/s/yoyhwjc6dfwgo (ES_RUNTIME_JAVA=zulu8)

There are some from yesterday (20.7) that uses ES_RUNTIME_JAVA=openjdk15 as well:
https://gradle-enterprise.elastic.co/s/lnzxvc3yg54b2
https://gradle-enterprise.elastic.co/s/xhkyix4cuetti

I wonder if these builds were added later. There seems to be an uptic starting yesterday. Also I wonder why #56767 doesn't seem to work to supress the last two failures on JDK 15.

[cbuescher]

This is probably related too: https://gradle-enterprise.elastic.co/s/xy7b6zqcjegva/console-log?task=:plugins:repository-hdfs:secureHdfsFixture

[mark-vieira]

The Zulu and JDK 15 builds have been around for some time now. It's possible a recent update to those JDKs is causing issues. JDK 15 especially since we are on EA builds get's updated regularly.

[probakowski]

Another instance of this: https://gradle-enterprise.elastic.co/s/fh2hmhsjyc6ii/tests/failed

[dnhatn]

Another instance: https://gradle-enterprise.elastic.co/s/b2phxw4foj3xg/console-log/raw

[ywangd]

There are some from yesterday (20.7) that uses ES_RUNTIME_JAVA=openjdk15 as well:
https://gradle-enterprise.elastic.co/s/lnzxvc3yg54b2
https://gradle-enterprise.elastic.co/s/xhkyix4cuetti

I wonder if these builds were added later. There seems to be an uptic starting yesterday. Also I wonder why #56767 doesn't seem to work to supress the last two failures on JDK 15.

These two failures are actually from May 15 and they are both before the suppress (#56767). The new failures are all about zulu8, which I am still digging.

[tvernum]

We've previously seen that Zulu is faster at releasing builds with backported changes than other OpenJDK providers, so it may be that they've merged whatever broke in JDK15.

If so, that sounds bad, and we need to get on top of it quickly.

[ywangd]

Zulu is faster at releasing builds

This is true. This is caused by the same bug that @jaymode linked before, i.e. https://bugs.openjdk.java.net/browse/JDK-8246193

The bug affects openjdk 8u262 as well, which I don't think is officially released (I can only find 8u261 from openjdk website). But it made its way to Zulu 8.48 which is based on 8u262. It was released on July 22 and this timeline is consistent with the recent failures. The previous Zulu 8.46 (8u252) works fine. The bug is fixed in 8u271. So next Zulu 8 release should be fine. In the meantime, I can mute the tests for zulu 8. What other things do we need to do? @tvernum

Also the bug is fixed in the latest JDK 15 builds (b26). I tested and it worked locally. So these tests can be unmuted for JDK 15 since we are already using the latest JDK15 b33.

[ywangd]

The tests are now unmuted for jdk 15 by #60260

[polyfractal]

Just had a failure on Zulu8 / 7.9. Unsure if that is expected or not given the recent muting:

https://gradle-enterprise.elastic.co/s/waj7ctffrbpfa

[ywangd]

Just had a failure on Zulu8 / 7.9. Unsure if that is expected or not given the recent muting:

https://gradle-enterprise.elastic.co/s/waj7ctffrbpfa

Sorry you encountered it again. The mute for zulu8 has not been merged yet. Will action soon.

[ywangd]

Backports all done. Since the mute is for a specific jdk version, there is no need to unmute it. Future JDK versions will automatically get picked up. Hence I am closing this issue.

[droberts195]

This just failed in a build that was using Java 8u242.

The build was https://gradle-enterprise.elastic.co/s/y5n7s7aijsy6e

Looking in the console log it seems that the JDK was 8u242 rather than the 8u262 that the test is muted for:

> Task :extract-linux-x64-jdk-adoptopenjdk-8u242+b08

It looks like more JDK versions are affected.

[droberts195]

https://gradle-enterprise.elastic.co/s/t4epntiapfnfm is the same - also using 8u242

[dnhatn]

Just failed again on zulu8: https://gradle-enterprise.elastic.co/s/swcbiydrrw2ce

[ywangd]

Argh, zulu released 8u265 instead of 8u271 just a few days after I muted 8u262. This version has exactly the same problem as 8u262. The new failure were using this version as shown in the log:

Linux 4.15.0-1080-gcp amd64/Azul Systems, Inc. 1.8.0_265 (64-bit)/cpus=32,threads=1,free=405172336,total=514850816

I'll re-mute so that it skips all versions of [262, 271) to be sure. Sorry for the noise.

[ywangd]

I raised #60995 to mute it for any versions falls in between 8u[262, 271)