[
https://issues.apache.org/jira/browse/HADOOP-11736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15154997#comment-15154997
]
Arun Suresh commented on HADOOP-11736:
--------------------------------------
Don't remember the specifics (since its been a while since I filed it). But it
looks like it can be thrown by {{UGI#doAs()}}
In anycase, what happens is :
# On the client side, the {{DelegationTokenAuthenticator}} uses the
{{KerberosAuthenticator}} to start the SGNEGO authentication of the real user
(yarn).
# On the server side, this is intercepted by the {{DelegationTokenFilter}}
which uses the {{KerberosHandler}} to authenticate yarn, but control is then
passed back to the {{DelegationTokenFilter}} which also checks the proxy config
which fails authentication of the proxy user.
# Unfortunately this happens at the filter layer (before control is passed to
Jersey) so the {{KMSExceptionProvider}} is not invoked to log this exception.
# Back at the client side, the {{KerberosAuthenticator}} thinks authentication
has failed because it was a kerberos issue (which it is not), and throws away
the Exception and message, and control passed back to the
{{DelegationTokenAuthenticator}}, which tries the {{PseudoAuthenticator}} which
also fails.
# All this happens inside a {{UGI.doAs}} which only knows about a
PrivilegeActionException, but since another CheckedException was thrown, this
is sent back as an {{UndeclaredThrowableException}}
The fix I had posted essentially patches the DelegationTokenFilter to add an
extra header in the response when Authentication has failed due to a bad proxy
config. This header will then be intercepted by the KerberosAuthenticator which
throws it back as a proper IOException (with the correct error message)
> KMSClientProvider addDelegationToken does not notify callers when Auth
> failure is due to Proxy User (mis)configuration
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-11736
> URL: https://issues.apache.org/jira/browse/HADOOP-11736
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Arun Suresh
> Assignee: Arun Suresh
> Priority: Minor
> Labels: BB2015-05-TBR
> Attachments: HADOOP-11736.1.patch
>
>
> When a long running process such as YARN RM tries to create/renew a KMS
> DelegationToken on behalf of proxy user and if the Proxy user rules are not
> correctly configured to allow yarn to proxy the required user, then the
> following is found in the RM logs :
> {noformat}
> Unable to add the application to the delegation token renewer.
> java.io.IOException: java.lang.reflect.UndeclaredThrowableException
> at
> org.apache.hadoop.crypto.key.kms.KMSClientProvider.addDelegationTokens(KMSClientProvider.java:887)
> at
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$1.call(LoadBalancingKMSClientProvider.java:132)
> at
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$1.call(LoadBalancingKMSClientProvider.java:129)
> at
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:94)
> at
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.addDelegationTokens(LoadBalancingKMSClientProvider.java:129)
> at
> org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension.addDelegationTokens(KeyProviderDelegationTokenExtension.java:86)
> ......
> ......
> at
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:127)
> at
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:205)
> at
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:127)
> at
> org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216)
> at
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.doDelegationTokenOperation(DelegationTokenAuthenticator.java:284)
> at
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.getDelegationToken(DelegationTokenAuthenticator.java:165)
> at
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.getDelegationToken(DelegationTokenAuthenticatedURL.java:371)
> at
> org.apache.hadoop.crypto.key.kms.KMSClientProvider$2.run(KMSClientProvider.java:874)
> at
> org.apache.hadoop.crypto.key.kms.KMSClientProvider$2.run(KMSClientProvider.java:869)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
> ... 21 more
> {noformat}
> This gives no information to the user as to why the call has failed, and
> there is generally no way for an admin to know the the ProxyUser setting is
> the issue without going thru the code.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
