hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-11291) Log the cause of SASL connection failures
Date Thu, 13 Nov 2014 05:59:34 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-11291?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Chris Nauroth updated HADOOP-11291:
-----------------------------------
       Resolution: Fixed
    Fix Version/s: 2.7.0
           Status: Resolved  (was: Patch Available)

I committed this to trunk and branch-2.  Stephen, thank you for contributing the patch.

> Log the cause of SASL connection failures
> -----------------------------------------
>
>                 Key: HADOOP-11291
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11291
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Stephen Chu
>            Assignee: Stephen Chu
>            Priority: Minor
>              Labels: supportability
>             Fix For: 2.7.0
>
>         Attachments: HADOOP-11291.1.patch, HADOOP-11291.2.patch
>
>
> {{UGI#doAs}} will no longer log a PriviledgedActionException unless LOG.isDebugEnabled()
== true. HADOOP-10015 made this change because it was decided that users calling {{UGI#doAs}}
should be responsible for logging the error when catching an exception. Also, the log was
confusing in certain situations (see more details in HADOOP-10015).
> However, as Daryn noted, this log message was very helpful in cases of debugging security
issues.
> As an example, we would use to see this in the DN logs before HADOOP-10015:
> {code}
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException
as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate
failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error
(description in e-text) (60) - NO PREAUTH)]
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection
for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException
as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:java.io.IOException: Couldn't setup connection
for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
> {code}
> After the fix went in, the DN was upgraded, and only logs:
> {code}
> 2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection
for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
> 2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Problem
connecting to server: hostB.com/101.01.010:8022
> {code}
> It'd be good to add more logging information about the cause of a SASL connection failure.
> Thanks to [~qwertymaniac] for reporting this.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message