[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text

[Vinayakumar B (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15293229#comment-15293229
 ] 

Vinayakumar B commented on HADOOP-12754:
----------------------------------------

I am seeing {{shouldAuthenticateOverKrb()}} this check before going for  
re-login/printing exception message as shown in description.

{code}   private synchronized boolean shouldAuthenticateOverKrb() throws 
IOException {
      UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
      UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
      UserGroupInformation realUser = currentUser.getRealUser();
      if (authMethod == AuthMethod.KERBEROS && loginUser != null &&
      // Make sure user logged in using Kerberos either keytab or TGT
          loginUser.hasKerberosCredentials() &&
          // relogin only in case it is the login user (e.g. JT)
          // or superuser (like oozie).
          (loginUser.equals(currentUser) || loginUser.equals(realUser))) {
        return true;
      }
      return false;
    }{code}

{{shouldAuthenticateOverKrb()}} will return true if the {{currentUser()}} is 
same as loginUser or a proxy user on top of login user.

So I think the log message just says that sasl fails to connect real user to 
server. Isn't it looks correct?


> Client.handleSaslConnectionFailure() uses wrong user in exception text
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-12754
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12754
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: ipc, security
>    Affects Versions: 2.7.2
>            Reporter: Steve Loughran
>         Attachments: HADOOP-12754-001.patch
>
>
> {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure 
> messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an 
> auth problem in a {{doAs()}} context, this exception is fundamentally 
> misleading



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org