Hadoop Kerberos client fails on WildFly with “Parameter ‘callbackHandler’ may not be null” (Elytron SASL GSSAPI)

Summary

The Hadoop Kerberos client fails to connect to a Kerberos-secured HDFS cluster when running inside WildFly due to a SASL negotiation error. The error occurs because Hadoop’s SASL client does not provide a CallbackHandler, which is required by WildFly Elytron’s GSSAPI implementation.

Root Cause

The failure results from the combination of:

  • Hadoop’s SASL client not providing a CallbackHandler when calling Sasl.createSaslClient(...)
  • WildFly Elytron being selected as the global SASL provider by the JVM
  • Elytron’s GSSAPI implementation requiring a non-null CallbackHandler and throwing an exception when it is not provided

Why This Happens in Real Systems

This issue occurs in real systems because:

  • Hadoop and WildFly have different SASL client implementations
  • Elytron is not designed to work with Hadoop’s SASL client out of the box
  • The CallbackHandler requirement is not explicitly documented in Hadoop or WildFly documentation

Real-World Impact

The real-world impact of this issue is:

  • Hadoop clients cannot connect to Kerberos-secured HDFS clusters when running inside WildFly
  • Kerberos authentication fails, causing security and access control issues
  • System administrators and developers must spend time and resources to troubleshoot and resolve the issue

Example or Code

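import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
// Create a SaslClient with a non-null CallbackHandler (MyCallbackHandler is an application-defined javax.security.auth.callback.CallbackHandler)
SaslClient saslClient = Sasl.createSaslClient(new String[] {"GSSAPI"}, null, "hdfs", "hdfs.example.com", null, new MyCallbackHandler());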

How Senior Engineers Fix It

Senior engineers fix this issue by:

  • Configuring Elytron to use a different SASL provider that is compatible with Hadoop’s SASL client
  • Implementing a custom CallbackHandler that provides the required credentials for Kerberos authentication
  • Disabling Elytron as the global SASL provider and using a different SASL provider for Hadoop clients
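
The following added example (not code from Hadoop, WildFly or the original page) checks the root cause and supports the last fix: it lists every installed java.security provider that registers a SaslClientFactory for GSSAPI, in the JVM's preference order, and can instantiate the factory of one named provider directly. The class and method names are assumptions made for the illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.security.sasl.SaslClientFactory;

public class GssapiSaslProviderCheck {
    static final String TYPE = "SaslClientFactory";
    static final String MECH = "GSSAPI";

    /** Services registering a GSSAPI SaslClientFactory, in JVM provider preference order. */
    static List<Provider.Service> gssapiServices() {
        List<Provider.Service> found = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            Provider.Service s = p.getService(TYPE, MECH);
            if (s != null) {
                found.add(s);
            }
        }
        return found;
    }

    /** Instantiate the GSSAPI factory of one named provider, bypassing the global order. */
    static SaslClientFactory factoryFrom(String providerName) throws Exception {
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            throw new IllegalArgumentException("Provider not installed: " + providerName);
        }
        Provider.Service s = p.getService(TYPE, MECH);
        if (s == null) {
            throw new IllegalArgumentException(providerName + " offers no " + TYPE + "." + MECH);
        }
        return (SaslClientFactory) s.newInstance(null); // this service type takes no constructor parameter
    }

    public static void main(String[] args) throws Exception {
        List<Provider.Service> services = gssapiServices();
        for (int i = 0; i < services.size(); i++) {
            Provider.Service s = services.get(i);
            System.out.printf("%d. %s -> %s%s%n", i + 1, s.getProvider().getName(),
                    s.getClassName(), i == 0 ? "  <- first in preference order" : "");
        }
        if (args.length > 0) { // optional: provider name taken from the listing above
            System.out.println("Selected factory: " + factoryFrom(args[0]).getClass().getName());
        }
    }
}
```

Call gssapiServices() from code running in the same JVM as the failing client; a stand-alone JVM lists only the JDK's own providers and will not show what WildFly has registered.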

Why Juniors Miss It

Junior engineers may miss this issue because:

  • They may not be familiar with the SASL client implementations in Hadoop and WildFly
  • They may not understand the CallbackHandler requirement in Elytron’s GSSAPI implementation
  • They may not have experience with Kerberos authentication and SASL negotiation in Hadoop and WildFly environments
