hadoop-common-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11291) Log the cause of SASL connection failures
Date Thu, 13 Nov 2014 11:52:45 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14209646#comment-14209646 ]

Hudson commented on HADOOP-11291:
---------------------------------

SUCCESS: Integrated in Hadoop-Yarn-trunk #742 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/742/])
HADOOP-11291. Log the cause of SASL connection failures. Contributed by Stephen Chu. (cnauroth: rev 7dae5b5a880205fd0125c143c44498db79c19392)
* hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
* hadoop-common-project/hadoop-common/CHANGES.txt


> Log the cause of SASL connection failures
> -----------------------------------------
>
>                 Key: HADOOP-11291
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11291
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Stephen Chu
>            Assignee: Stephen Chu
>            Priority: Minor
>              Labels: supportability
>             Fix For: 2.7.0
>
>         Attachments: HADOOP-11291.1.patch, HADOOP-11291.2.patch
>
>
> {{UGI#doAs}} will no longer log a PriviledgedActionException unless LOG.isDebugEnabled() == true. HADOOP-10015 made this change because it was decided that users calling {{UGI#doAs}} should be responsible for logging the error when catching an exception. Also, the log was confusing in certain situations (see more details in HADOOP-10015).
> However, as Daryn noted, this log message was very helpful in cases of debugging security issues.
> As an example, we used to see this in the DN logs before HADOOP-10015:
> {code}
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - NO PREAUTH)]
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:java.io.IOException: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
> {code}
> After the fix went in, the DN was upgraded, and only logs:
> {code}
> 2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
> 2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Problem connecting to server: hostB.com/101.01.010:8022
> {code}
> It'd be good to add more logging information about the cause of a SASL connection failure.
> Thanks to [~qwertymaniac] for reporting this.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
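
A log-triage sketch for the gap described in the issue, added here as an example (it is not code from the Hadoop project or from the attached patches): it pairs each `ipc.Client` connection failure with a SASL cause logged by `UserGroupInformation`, and reports failures that arrive with no cause at all. The log lines are the ones quoted in the issue, joined onto one line each; the function name `triage` and the rule of pairing on the same second and principal are assumptions.

```python
import re

# Log lines copied from the excerpts quoted in the issue (one line each).
BEFORE = [
    "2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - NO PREAUTH)]",
    "2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022",
    "2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:java.io.IOException: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022",
]
AFTER = [
    "2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022",
    "2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Problem connecting to server: hostB.com/101.01.010:8022",
]

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} \w+ (?P<logger>[\w.$]+): (?P<msg>.*)$")
# Only the SaslException line carries the root cause; the IOException line is just the wrapper.
CAUSE = re.compile(r"as:(?P<principal>\S+) \(auth:\w+\) cause:(?P<cause>javax\.security\.sasl\.SaslException.*)$")
FAIL = re.compile(r"Couldn't setup connection for (?P<principal>\S+) to (?P<target>\S+)$")


def triage(lines):
    """Return one record per IPC connection failure; 'cause' is None when no SASL cause was logged."""
    causes = {}    # (timestamp to the second, principal) -> SASL cause text
    failures = []  # (timestamp, principal, target)
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace continuation or unrelated format
        if m["logger"].endswith("UserGroupInformation"):
            c = CAUSE.search(m["msg"])
            if c:
                causes[(m["ts"], c["principal"])] = c["cause"]
        elif m["logger"].endswith("ipc.Client"):
            f = FAIL.search(m["msg"])
            if f:
                failures.append((m["ts"], f["principal"], f["target"]))
    # Assumed pairing rule: same principal, same second.
    return [{"time": ts, "principal": p, "target": t, "cause": causes.get((ts, p))}
            for ts, p, t in failures]


if __name__ == "__main__":
    for record in triage(BEFORE) + triage(AFTER):
        print(record["time"], record["target"], record["cause"] or "NO CAUSE LOGGED")
```

Records with `cause` set to `None` are the ones the issue is about: the failure is visible, but the Kerberos error needed to diagnose it is not.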
