[
https://issues.apache.org/jira/browse/HADOOP-11736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15159895#comment-15159895
]
Chris Nauroth commented on HADOOP-11736:
----------------------------------------
[~asuresh], thank you for the explanation.
The problem as I understand it is that we would like, in addition to the HTTP
403 Forbidden response, some kind of "sub-status" that provides more details
about why there was a 403 response. In this specific case, it's a proxy user
misconfiguration, but perhaps there could be other kinds of problems too. It
seems unusual to use a custom HTTP header for this. It seems more typical to
encode that kind of information into the HTTP response body. Do you think that
would be feasible?
I'd prefer that we also get one more code reviewer on this patch in addition to
me. I have always found the error handling around this code to be pretty
complex.
> KMSClientProvider addDelegationToken does not notify callers when Auth
> failure is due to Proxy User (mis)configuration
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-11736
> URL: https://issues.apache.org/jira/browse/HADOOP-11736
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Arun Suresh
> Assignee: Arun Suresh
> Priority: Minor
> Labels: BB2015-05-TBR
> Attachments: HADOOP-11736.1.patch
>
>
> When a long running process such as YARN RM tries to create/renew a KMS
> DelegationToken on behalf of proxy user and if the Proxy user rules are not
> correctly configured to allow yarn to proxy the required user, then the
> following is found in the RM logs :
> {noformat}
> Unable to add the application to the delegation token renewer.
> java.io.IOException: java.lang.reflect.UndeclaredThrowableException
> at org.apache.hadoop.crypto.key.kms.KMSClientProvider.addDelegationTokens(KMSClientProvider.java:887)
> at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$1.call(LoadBalancingKMSClientProvider.java:132)
> at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$1.call(LoadBalancingKMSClientProvider.java:129)
> at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:94)
> at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.addDelegationTokens(LoadBalancingKMSClientProvider.java:129)
> at org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension.addDelegationTokens(KeyProviderDelegationTokenExtension.java:86)
> ......
> ......
> at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:127)
> at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:205)
> at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:127)
> at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216)
> at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.doDelegationTokenOperation(DelegationTokenAuthenticator.java:284)
> at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.getDelegationToken(DelegationTokenAuthenticator.java:165)
> at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.getDelegationToken(DelegationTokenAuthenticatedURL.java:371)
> at org.apache.hadoop.crypto.key.kms.KMSClientProvider$2.run(KMSClientProvider.java:874)
> at org.apache.hadoop.crypto.key.kms.KMSClientProvider$2.run(KMSClientProvider.java:869)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
> ... 21 more
> {noformat}
> This gives no information to the user as to why the call has failed, and
> there is generally no way for an admin to know the ProxyUser setting is
> the issue without going through the code.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
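As an added illustration of the two designs discussed in this thread (a custom header carrying a sub-status versus detail encoded in the 403 response body), not code from the Hadoop project or from the attached patch: a client-side helper that turns a 403 into a reason a long-running caller such as the RM can log. The header name, the JSON envelope name and the sample responses are assumptions constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Mapping, Optional

# Hypothetical header name; the thread does not name the header the patch adds.
SUB_STATUS_HEADER = "X-Hadoop-Auth-Sub-Status"


@dataclass(frozen=True)
class ForbiddenReason:
    kind: str     # exception class or sub-status token, "UNKNOWN" if none supplied
    message: str  # human-readable detail for the log line an admin will read
    source: str   # "body", "header" or "none": where the detail came from


def explain_forbidden(status: int, headers: Mapping[str, str],
                      body: bytes) -> Optional[ForbiddenReason]:
    """Turn a 403 response into a loggable reason, preferring the body."""
    if status != 403:
        return None  # not an authorization failure; the caller handles it elsewhere
    # 1. Structured body: a JSON error object can carry class, message and more.
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        doc = None
    if isinstance(doc, dict):
        err = doc.get("RemoteException", doc)  # envelope name is an assumption
        if isinstance(err, dict) and err.get("message"):
            return ForbiddenReason(str(err.get("exception", "UNKNOWN")),
                                   str(err["message"]), "body")
    # 2. Custom header: one opaque token, no room for the user names involved.
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get(SUB_STATUS_HEADER.lower())
    if token:
        return ForbiddenReason(token.strip(), "sub-status header only; see server logs", "header")
    # 3. Bare 403: the situation the issue describes, nothing to tell the admin.
    return ForbiddenReason("UNKNOWN", "403 Forbidden with no detail; check proxy user rules", "none")


# Constructed sample responses (not captured from a real KMS).
BODY_RESPONSE = (403, {"Content-Type": "application/json"},
                 b'{"RemoteException": {"exception": "AuthorizationException", '
                 b'"message": "User: yarn is not allowed to impersonate alice"}}')
HEADER_RESPONSE = (403, {SUB_STATUS_HEADER: "PROXY_USER_NOT_ALLOWED"}, b"")
BARE_RESPONSE = (403, {}, b"Forbidden")
OK_RESPONSE = (200, {}, b'{"Token": {"urlString": "placeholder"}}')

if __name__ == "__main__":
    for resp in (BODY_RESPONSE, HEADER_RESPONSE, BARE_RESPONSE):
        r = explain_forbidden(*resp)
        print(f"[{r.source}] {r.kind}: {r.message}")
```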