Todd Lipcon created HDFS-3915:
---------------------------------
Summary: QJM: Failover fails with auth error in secure cluster
Key: HDFS-3915
URL: https://issues.apache.org/jira/browse/HDFS-3915
Project: Hadoop HDFS
Issue Type: Sub-task
Components: ha, security
Affects Versions: QuorumJournalManager (HDFS-3077)
Reporter: Todd Lipcon
Assignee: Todd Lipcon
Attachments: hdfs-3915.txt
When testing failover in a secure cluster with QJM, we ran into the following
error:
{code}
java.io.IOException: Exception trying to open authenticated connection to
http://xxxxx:8480/getJournal?jid=journal&segmentTxId=4325&storageInfo=-40%3A1049822920%3A0%3ACID-d7c84ac3-bb09-4d55-baae-0d561bb55e9b
at
org.apache.hadoop.security.SecurityUtil.openSecureHttpConnection(SecurityUtil.java:510)
at
org.apache.hadoop.hdfs.server.namenode.EditLogFileInputStream$URLLog$1.run(EditLogFileInputStream.java:376)
... at
org.apache.hadoop.hdfs.server.namenode.ha.EditLogTailer.doTailEdits(EditLogTailer.java:217)
at
org.apache.hadoop.hdfs.server.namenode.ha.EditLogTailer.catchupDuringFailover(EditLogTailer.java:176)
at
org.apache.hadoop.hdfs.server.namenode.FSNamesystem.startActiveServices(FSNamesystem.java:635)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed
to find any Kerberos tgt)
{code}
The issue is that the EditLogFileInputStream uses the "current" user, which in
the case of the failover trigger is the admin's remote user, rather than the
NN's login user.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
