[
https://issues.apache.org/jira/browse/HADOOP-12510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14986104#comment-14986104
]
Todd Grayson commented on HADOOP-12510:
---------------------------------------
Herein lies the rub: the Kerberos authentication was the fallback from the
token auth failing, and the token auth failing was "invisible" from a
scanning-the-logs perspective?

The comment being, we should not be seeing Kerberos auth at that moment, as it's
an indication of a complete failure of the token authentication... so I guess
the ask is that token auth go out with a bang in the logs before things fail
back to Kerberos authentication, which will always fail in that context.
> Need improved WARN or ERROR when token based auth fails for kmsclient request
> -----------------------------------------------------------------------------
>
> Key: HADOOP-12510
> URL: https://issues.apache.org/jira/browse/HADOOP-12510
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Todd Grayson
>
> When token-based authentication fails, it would be helpful to have a WARN
> event of the failure, as well as a WARN event that alternative forms of
> authentication are being attempted.
> For example, if token-based authentication has failed, it appears that there
> is a fallback to attempting Kerberos authentication. At that point the most
> prominent logging is a Kerberos GSS error, when the actual issue was a
> failure at the token evaluation of a client access request to an HDFS
> encrypted zone.
> In the example below we are presented with a Kerberos error, but the actual
> error was a failure of token authorization in an unexpected way.
> {code}
> 15/08/27 07:35:35 INFO mapreduce.Job: Task Id :
> attempt_1440594773177_0021_m_000009_0, Status : FAILED
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> GSSException: No valid credentials provided (Mechanism level: Failed to find
> any Kerberos tgt)
> java.io.IOException:
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> GSSException: No valid credentials provided (Mechanism level: Failed to find
> any Kerberos tgt)
> at
> {code}
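A log-triage sketch for the failure mode this issue describes, added here as an example and not part of the JIRA message or of Hadoop's code: it flags failed task attempts whose only visible error is the "Failed to find any Kerberos tgt" GSSException, so an operator knows to investigate the token path first. The function name `find_masked_token_failures`, the hint text, and the second attempt in the sample log are assumptions made for illustration.

```python
import re

# Constructed sample: the first attempt mirrors the excerpt quoted in the issue
# (including its mid-record line wraps); the second attempt is made up as a
# contrasting failure that should NOT be flagged.
SAMPLE_LOG = """\
15/08/27 07:35:35 INFO mapreduce.Job: Task Id :
attempt_1440594773177_0021_m_000009_0, Status : FAILED
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
15/08/27 07:35:41 INFO mapreduce.Job: Task Id :
attempt_1440594773177_0021_m_000010_0, Status : FAILED
java.io.IOException: Connection refused
"""

# \s* / \s+ let both patterns match across the line wraps seen in the excerpt.
TASK_FAILED = re.compile(r"Task Id :\s*(attempt_\w+),\s*Status : FAILED")
NO_TGT = re.compile(
    r"GSSException:\s+No\s+valid\s+credentials\s+provided\s+"
    r"\(Mechanism\s+level:\s+Failed\s+to\s+find\s+any\s+Kerberos\s+tgt\)"
)

HINT = ("Kerberos fallback failed inside a task attempt; "
        "check token-based auth for the KMS request first")


def find_masked_token_failures(log_text):
    """Return (attempt_id, hint) for each failed attempt showing the no-TGT error."""
    findings = []
    tasks = list(TASK_FAILED.finditer(log_text))
    for i, task in enumerate(tasks):
        # A record's body runs until the next "Task Id" header (or end of log).
        end = tasks[i + 1].start() if i + 1 < len(tasks) else len(log_text)
        if NO_TGT.search(log_text, task.end(), end):
            findings.append((task.group(1), HINT))
    return findings


if __name__ == "__main__":
    for attempt_id, hint in find_masked_token_failures(SAMPLE_LOG):
        print(f"{attempt_id}: {hint}")
```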