[
https://issues.apache.org/jira/browse/HADOOP-14987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16222958#comment-16222958
]
Xiaoyu Yao commented on HADOOP-14987:
-------------------------------------
Thanks [~xiaochen] for the review. I attached patch v2 that addressed all the
comments and fix the unit test failure from Jenkins. Below is a sample output
of the debug log output.
Sample 1: Kerberos Only (no token)
{code}
2017-10-27 14:37:59,738 [Thread-16] INFO kms.KMSClientProvider
(KMSClientProvider.java:<init>(396)) - KMSClientProvider for KMS url:
http://localhost:53096/kms/v1/ delegation token service: 127.0.0.1:53096
created.
2017-10-27 14:37:59,740 [Thread-16] DEBUG kms.KMSClientProvider
(UserGroupInformation.java:logUserInfo(2002)) - Current UGI: oozie_user
(auth:PROXY) via oozie/[email protected] (auth:KERBEROS)
2017-10-27 14:37:59,740 [Thread-16] DEBUG kms.KMSClientProvider
(UserGroupInformation.java:logUserInfo(2002)) - Real UGI:
oozie/[email protected] (auth:KERBEROS)
2017-10-27 14:37:59,740 [Thread-16] DEBUG kms.KMSClientProvider
(UserGroupInformation.java:logUserInfo(2002)) - Login UGI:
hdfs/[email protected] (auth:KERBEROS)
{code}
Sample 2: Proxy user with token
{code}
2017-10-27 15:18:41,306 [Thread-16] INFO hdfs.DFSClient
(DFSClient.java:getDelegationToken(685)) - Created token for hdfs:
HDFS_DELEGATION_TOKEN owner=hdfs/[email protected], renewer=oozie,
realUser=, issueDate=1509142721306, maxDate=1509747521306, sequenceNumber=3,
masterKeyId=2 on 127.0.0.1:54702
2017-10-27 15:18:41,307 [Thread-16] DEBUG kms.KMSClientProvider
(UserGroupInformation.java:logUserInfo(2002)) - Current UGI: oozie_user
(auth:PROXY) via oozie/[email protected] (auth:KERBEROS)
2017-10-27 15:18:41,307 [Thread-16] DEBUG kms.KMSClientProvider
(UserGroupInformation.java:logUserInfo(2004)) - +token:Kind: kms-dt, Service:
127.0.0.1:54698, Ident: (kms-dt owner=oozie_user, renewer=oozie,
realUser=oozie, issueDate=1509142721275, maxDate=1509747521275,
sequenceNumber=2, masterKeyId=2)
2017-10-27 15:18:41,307 [Thread-16] DEBUG kms.KMSClientProvider
(UserGroupInformation.java:logUserInfo(2004)) - +token:Kind:
HDFS_DELEGATION_TOKEN, Service: 127.0.0.1:54702, Ident: (token for hdfs:
HDFS_DELEGATION_TOKEN owner=hdfs/[email protected], renewer=oozie,
realUser=, issueDate=1509142721256, maxDate=1509747521256, sequenceNumber=2,
masterKeyId=2)
2017-10-27 15:18:41,308 [Thread-16] DEBUG kms.KMSClientProvider
(UserGroupInformation.java:logUserInfo(2002)) - Real UGI:
oozie/[email protected] (auth:KERBEROS)
2017-10-27 15:18:41,308 [Thread-16] DEBUG kms.KMSClientProvider
(UserGroupInformation.java:logUserInfo(2002)) - Login UGI:
hdfs/[email protected] (auth:KERBEROS)
2017-10-27 15:18:41,308 [Thread-16] DEBUG kms.KMSClientProvider
(KMSClientProvider.java:run(1020)) - Getting new token from
http://localhost:54698/kms/v1/, renewer:oozie
{code}
> Improve KMSClientProvider log around delegation token checking
> --------------------------------------------------------------
>
> Key: HADOOP-14987
> URL: https://issues.apache.org/jira/browse/HADOOP-14987
> Project: Hadoop Common
> Issue Type: Improvement
> Affects Versions: 2.7.3
> Reporter: Xiaoyu Yao
> Assignee: Xiaoyu Yao
> Attachments: HADOOP-14987.001.patch, HADOOP-14987.002.patch
>
>
> KMSClientProvider#containsKmsDt uses SecurityUtil.buildTokenService(addr) to
> build the key to look for KMS-DT from the UGI's token map. The token lookup
> key here varies depending on the KMSClientProvider's configuration value for
> hadoop.security.token.service.use_ip. In certain cases, the token obtained
> with non-matching hadoop.security.token.service.use_ip setting will not be
> recognized by KMSClientProvider. This ticket is opened to improve logs for
> troubleshooting KMS delegation token related issues like this.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
