[
https://issues.apache.org/jira/browse/HADOOP-14708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16118414#comment-16118414
]
Lantao Jin commented on HADOOP-14708:
-------------------------------------
Hi [~jojochuang], [^FSCK-2.log] is the new log, taken after I added some debug
code. I use user lajin to do FSCK from 192.168.1.22. The namenode, which was
started as user hadoop with Kerberos, is handling this on 192.168.1.1. From the
debug log, the ugi from DFSClient (in NN) has no tokens in it and its
{{AuthenticationMethod}} is KERBEROS_SSL. I don't know why, but it seems the
patch I submitted can work around it.
> FsckServlet can not create SaslRpcClient with auth KERBEROS_SSL
> ---------------------------------------------------------------
>
> Key: HADOOP-14708
> URL: https://issues.apache.org/jira/browse/HADOOP-14708
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.3, 2.8.1, 3.0.0-alpha3
> Reporter: Lantao Jin
> Attachments: FSCK-2.log, FSCK.log, HADOOP-14708.001.patch
>
>
> FSCK started by xx (auth:KERBEROS_SSL) failed with exception msg "fsck
> encountered internal errors!"
> FSCK uses FSCKServlet to submit RPC to NameNode; it uses {{KERBEROS_SSL}} as
> its {{AuthenticationMethod}} in {{JspHelper.java}}
> {code}
>   /** Same as getUGI(context, request, conf, KERBEROS_SSL, true). */
>   public static UserGroupInformation getUGI(ServletContext context,
>       HttpServletRequest request, Configuration conf) throws IOException {
>     return getUGI(context, request, conf, AuthenticationMethod.KERBEROS_SSL,
>         true);
>   }
> {code}
> But when setting up the SaslConnection with the server, KERBEROS_SSL will fail
> to create a SaslClient instance. See {{SaslRpcClient.java}}
> {code}
>   private SaslClient createSaslClient(SaslAuth authType)
>       throws SaslException, IOException {
>     ....
>       case KERBEROS: {
>         if (ugi.getRealAuthenticationMethod().getAuthMethod() !=
>             AuthMethod.KERBEROS) {
>           return null; // client isn't using kerberos
>         }
> {code}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
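
The failure described in this issue, as an added example (not Hadoop code and not part of the original message): a simplified model of how an RPC client picks a SASL mechanism, fed with the two facts from the debug log (no tokens, auth method KERBEROS_SSL). The `Caller` class, the TOKEN branch, the enum mapping and the server's offer list are assumptions made for illustration.

```java
import java.util.List;

public class FsckSaslSelection {
    // RPC-level mechanisms the server can offer (simplified).
    enum AuthMethod { SIMPLE, KERBEROS, TOKEN }

    // Simplified model of the UGI authentication methods. Assumption:
    // KERBEROS_SSL has no corresponding RPC AuthMethod (null).
    enum AuthenticationMethod {
        SIMPLE(AuthMethod.SIMPLE), KERBEROS(AuthMethod.KERBEROS),
        TOKEN(AuthMethod.TOKEN), KERBEROS_SSL(null);
        final AuthMethod authMethod;
        AuthenticationMethod(AuthMethod m) { authMethod = m; }
    }

    // Hypothetical stand-in for the caller's UGI: its real auth method
    // and whether it holds a token for the target service.
    static final class Caller {
        final AuthenticationMethod realAuth;
        final boolean hasToken;
        Caller(AuthenticationMethod a, boolean t) { realAuth = a; hasToken = t; }
    }

    // Per-mechanism decision; false corresponds to "return null" in the
    // createSaslClient snippet quoted in the issue description.
    static boolean canCreateClient(AuthMethod offered, Caller c) {
        switch (offered) {
            case TOKEN:    return c.hasToken; // assumed token branch
            case KERBEROS: return c.realAuth.authMethod == AuthMethod.KERBEROS;
            default:       return false;
        }
    }

    // Walk the server's offers in order; null means no usable mechanism.
    static AuthMethod select(List<AuthMethod> serverOffers, Caller c) {
        for (AuthMethod m : serverOffers) {
            if (canCreateClient(m, c)) return m;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed offer list for a Kerberos-secured server.
        List<AuthMethod> offers = List.of(AuthMethod.TOKEN, AuthMethod.KERBEROS);
        Caller fsck = new Caller(AuthenticationMethod.KERBEROS_SSL, false);
        Caller rpc = new Caller(AuthenticationMethod.KERBEROS, false);
        System.out.println("KERBEROS_SSL, no tokens -> " + select(offers, fsck));
        System.out.println("KERBEROS, no tokens     -> " + select(offers, rpc));
    }
}
```

In this model the KERBEROS_SSL caller without tokens ends with no mechanism selected, while the same caller tagged KERBEROS passes the quoted check.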