[jira] [Commented] (HADOOP-14987) Improve KMSClientProvider log around delegation token checking

[Xiaoyu Yao (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-14987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16234513#comment-16234513
 ] 

Xiaoyu Yao commented on HADOOP-14987:
-------------------------------------

bq. logAllUserInfo(UserGroupInformation ugi) could use an annotation too
Will this make the change incompatible? That's my major concern of not changing 
it.

bq. sorry I wasn't clear. I was thinking of just setting fallbackDefaultPort on 
KMSCP directly in the unit tests so we don't need configs. My point is, if this 
is purely for testing, let's make it as obviously as possible.

Inside KMSClientProvdier constructor, I don't find easy way to tweak the 
kmsPort setting to accommodate the two test cases in 
TestLoadBalancingKMSClientProvider(testCreation and testClassCastException).
1. mockito does not work with URL, which is a final class from JDK
2. We could add this as additional parameter  (fallbackDefaultPort) to the 
constructor or some static variable in the Factory class. But this would cause 
more code churns without bringing much useful functionality. The test code does 
not always use the Factory class to create the KMSClientProvider, which 
requires special handling in both the constructor and the Factory.

Please elaborate on how to set fallbackDefaultPort on KMSCP directly for the 
test.

> Improve KMSClientProvider log around delegation token checking
> --------------------------------------------------------------
>
>                 Key: HADOOP-14987
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14987
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 2.7.3
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>            Priority: Major
>         Attachments: HADOOP-14987.001.patch, HADOOP-14987.002.patch, 
> HADOOP-14987.003.patch, HADOOP-14987.004.patch
>
>
> KMSClientProvider#containsKmsDt uses SecurityUtil.buildTokenService(addr) to 
> build the key to look for KMS-DT from the UGI's token map. The token lookup 
> key here varies depending  on the KMSClientProvider's configuration value for 
> hadoop.security.token.service.use_ip. In certain cases, the token obtained 
> with non-matching hadoop.security.token.service.use_ip setting will not be 
> recognized by KMSClientProvider. This ticket is opened to improve logs for 
> troubleshooting KMS delegation token related issues like this.  



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org