Date: Fri, 5 Oct 2012 06:53:47 +1100 (NCT)
From: "Aaron T. Myers (JIRA)"
To: hdfs-issues@hadoop.apache.org
Subject: [jira] [Commented] (HDFS-3813) Log error message if security and WebHDFS are enabled but principal/keytab are not configured

[ https://issues.apache.org/jira/browse/HDFS-3813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13469634#comment-13469634 ]

Aaron T. Myers commented on HDFS-3813:
--------------------------------------

Patch looks pretty good, Stephen. Two little comments:

# Instead of hard-coding the configuration keys in the message strings, please use the actual constants in DFSConfigKeys.
# Instead of simply "configuration not set" I would recommend saying "WebHDFS and security are enabled, but configuration property is not set."

> Log error message if security and WebHDFS are enabled but principal/keytab are not configured
> ---------------------------------------------------------------------------------------------
>
>     Key: HDFS-3813
>     URL: https://issues.apache.org/jira/browse/HDFS-3813
>     Project: Hadoop HDFS
>     Issue Type: Improvement
>     Components: security, webhdfs
>     Affects Versions: 2.0.0-alpha
>     Reporter: Stephen Chu
>     Assignee: Stephen Chu
>     Labels: newbie
>     Fix For: 3.0.0
>
>     Attachments: error_output, HDFS-3813.patch
>
>
> I configured a secure HDFS cluster, but failed to start the NameNode because I had enabled WebHDFS without specifying _dfs.web.authentication.kerberos.principal_ in hdfs-site.xml.
> In the NN logs, I saw:
> {noformat}
> 2012-05-28 17:50:13,021 INFO org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler: Login using keytab /etc/hdfs.keytab, for principal HTTP/c1225.hal.cloudera.com@HAL.CLOUDERA.COM
> 2012-05-28 17:50:13,030 INFO org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler: Initialized, principal [HTTP/c1225.hal.cloudera.com@HAL.CLOUDERA.COM] from keytab [/etc/hdfs.keytab]
> 2012-05-28 17:50:13,031 WARN org.apache.hadoop.security.authentication.server.AuthenticationFilter: 'signature.secret' configuration not set, using a random value as secret
> 2012-05-28 17:50:13,032 WARN org.mortbay.log: failed SPNEGO: javax.servlet.ServletException: javax.servlet.ServletException: Principal not defined in configuration
> 2012-05-28 17:50:13,033 WARN org.mortbay.log: Failed startup of context org.mortbay.jetty.webapp.WebAppContext@21453d72{/,file:/usr/lib/hadoop-hdfs/webapps/hdfs}
> javax.servlet.ServletException: javax.servlet.ServletException: Principal not defined in configuration
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.init(KerberosAuthenticationHandler.java:185)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.init(AuthenticationFilter.java:146)
>     at org.mortbay.jetty.servlet.FilterHolder.doStart(FilterHolder.java:97)
>     at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>     at org.mortbay.jetty.servlet.ServletHandler.initialize(ServletHandler.java:713)
>     at org.mortbay.jetty.servlet.Context.startContext(Context.java:140)
>     at org.mortbay.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1282)
>     at org.mortbay.jetty.handler.ContextHandler.doStart(ContextHandler.java:518)
>     at org.mortbay.jetty.webapp.WebAppContext.doStart(WebAppContext.java:499)
>     at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>     at org.mortbay.jetty.handler.HandlerCollection.doStart(HandlerCollection.java:152)
>     at org.mortbay.jetty.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:156)
>     at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>     at org.mortbay.jetty.handler.HandlerWrapper.doStart(HandlerWrapper.java:130)
>     at org.mortbay.jetty.Server.doStart(Server.java:224)
>     at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>     at org.apache.hadoop.http.HttpServer.start(HttpServer.java:617)
>     at org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer.start(NameNodeHttpServer.java:173)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.startHttpServer(NameNode.java:529)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.startCommonServices(NameNode.java:471)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:434)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:590)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:571)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1134)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1193)
> Caused by: javax.servlet.ServletException: Principal not defined in configuration
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.init(KerberosAuthenticationHandler.java:146)
>     ... 24 more
> 2012-05-28 17:50:13,034 WARN org.mortbay.log: Nested in javax.servlet.ServletException: javax.servlet.ServletException: Principal not defined in configuration:
> javax.servlet.ServletException: Principal not defined in configuration
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.init(KerberosAuthenticationHandler.java:146)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.init(AuthenticationFilter.java:146)
>     at org.mortbay.jetty.servlet.FilterHolder.doStart(FilterHolder.java:97)
>     at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>     at org.mortbay.jetty.servlet.ServletHandler.initialize(ServletHandler.java:713)
>     at org.mortbay.jetty.servlet.Context.startContext(Context.java:140)
>     at org.mortbay.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1282)
>     at org.mortbay.jetty.handler.ContextHandler.doStart(ContextHandler.java:518)
>     at org.mortbay.jetty.webapp.WebAppContext.doStart(WebAppContext.java:499)
>     at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>     at org.mortbay.jetty.handler.HandlerCollection.doStart(HandlerCollection.java:152)
>     at org.mortbay.jetty.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:156)
>     at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>     at org.mortbay.jetty.handler.HandlerWrapper.doStart(HandlerWrapper.java:130)
>     at org.mortbay.jetty.Server.doStart(Server.java:224)
>     at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>     at org.apache.hadoop.http.HttpServer.start(HttpServer.java:617)
>     at org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer.start(NameNodeHttpServer.java:173)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.startHttpServer(NameNode.java:529)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.startCommonServices(NameNode.java:471)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:434)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:590)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:571)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1134)
>     at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1193)
> 2012-05-28 17:50:13,041 INFO org.mortbay.log: Started SelectChannelConnector@c1225.hal.cloudera.com:50070
> 2012-05-28 17:50:13,041 INFO org.apache.hadoop.hdfs.server.namenode.NameNode: Web-server up at: c1225.hal.cloudera.com:50070
> 2012-05-28 17:50:13,042 INFO org.apache.hadoop.ipc.Server: IPC Server Responder: starting
> 2012-05-28 17:50:13,042 INFO org.apache.hadoop.ipc.Server: IPC Server listener on 17020: starting
> 2012-05-28 17:50:13,045 INFO org.apache.hadoop.hdfs.server.namenode.NameNode: NameNode up at: c1225.hal.cloudera.com/172.29.98.216:17020
> 2012-05-28 17:50:13,045 INFO org.apache.hadoop.hdfs.server.namenode.FSNamesystem: Starting services required for standby state
> 2012-05-28 17:50:13,048 INFO org.apache.hadoop.hdfs.server.namenode.ha.EditLogTailer: Will roll logs on active node at c1226.hal.cloudera.com/172.29.98.217:17020 every 120 seconds.
> 2012-05-28 17:50:13,058 INFO org.apache.hadoop.hdfs.server.namenode.ha.StandbyCheckpointer: Starting standby checkpoint thread...
> Checkpointing active NN at c1226.hal.cloudera.com:50070
> Serving checkpoints at c1225.hal.cloudera.com/172.29.98.216:50070
> {noformat}
> I couldn't figure out what I had misconfigured, but ATM found that I was missing _dfs.web.authentication.kerberos.principal_.
> Logging an error if this property is not configured when WebHDFS and security are enabled would be useful for future users running into the same problem.
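
The misconfiguration reported in this issue can also be caught before the NameNode is started. The following preflight check is an added example, not part of the original message and not the HDFS-3813 patch: it reads core-site.xml and hdfs-site.xml content and reports each missing WebHDFS Kerberos property, using the message wording suggested in the comment above. The function names and sample XML are constructed for illustration, and treating an absent `dfs.webhdfs.enabled` as disabled is an assumption to check against your version's default.

```python
import xml.etree.ElementTree as ET

SECURITY_AUTH = "hadoop.security.authentication"   # set in core-site.xml
WEBHDFS_ENABLED = "dfs.webhdfs.enabled"            # set in hdfs-site.xml
REQUIRED = (
    "dfs.web.authentication.kerberos.principal",
    "dfs.web.authentication.kerberos.keytab",
)

def load_site(xml_text):
    """Parse the text of a Hadoop *-site.xml file into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_webhdfs_security(conf):
    """Return one error string per missing property; [] if nothing is wrong."""
    secure = conf.get(SECURITY_AUTH, "simple").lower() == "kerberos"
    # Assumption: a missing key means WebHDFS is disabled.
    webhdfs = conf.get(WEBHDFS_ENABLED, "false").lower() == "true"
    if not (secure and webhdfs):
        return []
    # An empty value is as unusable as a missing one, so treat both as unset.
    return [
        "WebHDFS and security are enabled, but configuration property "
        "'%s' is not set." % key
        for key in REQUIRED
        if not conf.get(key)
    ]

# Constructed sample input mirroring the report: security and WebHDFS are on,
# the keytab is configured, but the principal was left out of hdfs-site.xml.
CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
</configuration>"""
HDFS_SITE = """<configuration>
  <property><name>dfs.webhdfs.enabled</name><value>true</value></property>
  <property><name>dfs.web.authentication.kerberos.keytab</name><value>/etc/hdfs.keytab</value></property>
</configuration>"""
SAMPLE_CONF = {**load_site(CORE_SITE), **load_site(HDFS_SITE)}

if __name__ == "__main__":
    for message in check_webhdfs_security(SAMPLE_CONF):
        print("ERROR", message)
```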