[
https://issues.apache.org/jira/browse/HADOOP-11291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14209368#comment-14209368
]
Stephen Chu commented on HADOOP-11291:
--------------------------------------
Thank you, Chris!
> Log the cause of SASL connection failures
> -----------------------------------------
>
> Key: HADOOP-11291
> URL: https://issues.apache.org/jira/browse/HADOOP-11291
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.5.0
> Reporter: Stephen Chu
> Assignee: Stephen Chu
> Priority: Minor
> Labels: supportability
> Fix For: 2.7.0
>
> Attachments: HADOOP-11291.1.patch, HADOOP-11291.2.patch
>
>
> {{UGI#doAs}} will no longer log a PriviledgedActionException unless
> LOG.isDebugEnabled() == true. HADOOP-10015 made this change because it was
> decided that users calling {{UGI#doAs}} should be responsible for logging the
> error when catching an exception. Also, the log was confusing in certain
> situations (see more details in HADOOP-10015).
> However, as Daryn noted, this log message was very helpful in cases of
> debugging security issues.
> As an example, we used to see this in the DN logs before HADOOP-10015:
> {code}
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation:
> PriviledgedActionException as:hdfs/[email protected] (auth:KERBEROS)
> cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Generic error
> (description in e-text) (60) - NO PREAUTH)]
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup
> connection for hdfs/[email protected] to hostB.com/101.01.010:8022
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation:
> PriviledgedActionException as:hdfs/[email protected] (auth:KERBEROS)
> cause:java.io.IOException: Couldn't setup connection for
> hdfs/[email protected] to hostB.com/101.01.010:8022
> {code}
> After the fix went in, the DN was upgraded, and only logs:
> {code}
> 2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup
> connection for hdfs/[email protected] to hostB.com/101.01.010:8022
> 2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode:
> Problem connecting to server: hostB.com/101.01.010:8022
> {code}
> It'd be good to add more logging information about the cause of a SASL
> connection failure.
> Thanks to [~qwertymaniac] for reporting this.
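The supportability gap described in the issue can be checked mechanically. The following is an added example, not code from the issue or from Hadoop: it rebuilds wrapped log records and pairs each `ipc.Client` connection failure with a SASL cause logged for the same principal, reporting `None` when the log carries no cause. The function names, the one-second correlation window, and the principal, host and address in the samples are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed samples modelled on the issue's two excerpts and wrapped the same
# way; the principal, hosts and address are placeholders (assumptions).
BEFORE = """\
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation:
PriviledgedActionException as:hdfs/hostA.example.com@EXAMPLE.COM (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Generic error
(description in e-text) (60) - NO PREAUTH)]
2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup
connection for hdfs/hostA.example.com@EXAMPLE.COM to hostB.example.com/192.0.2.10:8022
"""
AFTER = """\
2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup
connection for hdfs/hostA.example.com@EXAMPLE.COM to hostB.example.com/192.0.2.10:8022
2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode:
Problem connecting to server: hostB.example.com/192.0.2.10:8022
"""

REC = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ (\S+):\s*(.*)$")
FAIL = re.compile(r"Couldn't setup connection for (\S+) to (\S+)")
CAUSE = re.compile(r"as:(\S+) .*?cause:(javax\.security\.sasl\.SaslException: .*)")

def records(text):
    """Rebuild records: a line without a timestamp continues the previous one."""
    out = []
    for line in text.splitlines():
        m = REC.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            out.append([ts, m.group(2), m.group(3)])
        elif out:
            out[-1][2] = (out[-1][2] + " " + line.strip()).strip()
    return out

def triage(text, window=timedelta(seconds=1)):
    """Pair each ipc.Client failure with a SASL cause logged nearby, else None."""
    recs, findings = records(text), []
    causes = [(ts, m.group(1), m.group(2)) for ts, logger, msg in recs
              if logger.endswith("UserGroupInformation") and (m := CAUSE.search(msg))]
    for ts, logger, msg in recs:
        m = FAIL.match(msg)
        if m and logger.endswith("ipc.Client"):
            cause = next((c for t, p, c in causes
                          if p == m.group(1) and abs(t - ts) <= window), None)
            findings.append({"principal": m.group(1), "server": m.group(2), "cause": cause})
    return findings
```

A finding whose `cause` is `None` marks a connection failure that cannot be diagnosed from the log alone, which is the situation the issue asks to fix.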