Todd Grayson created MAPREDUCE-6522:
---------------------------------------

             Summary: Need improved WARN or ERROR when token based auth fails for kmsclient request
                 Key: MAPREDUCE-6522
                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-6522
             Project: Hadoop Map/Reduce
          Issue Type: Improvement
          Components: client, security
            Reporter: Todd Grayson


When token based authentication fails, it would be helpful to have a WARN event 
of the failure, as well as a WARN event that alternative forms of 
authentication are being attempted.

For example, if token based authentication has failed, it appears that there is 
a fallback to attempting Kerberos authentication. At that point the most 
prominent logging is a Kerberos GSS error, when the actual issue was a failure 
at the token evaluation of a client access request to an HDFS encrypted zone. 

In the example below we are presented with a Kerberos error, but the actual 
error was a failure of token authorization in an unexpected way.

{code}
15/08/27 07:35:35 INFO mapreduce.Job: Task Id : attempt_1440594773177_0021_m_000009_0, Status : FAILED
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at 
{code}



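A triage sketch for the failure mode this report describes, added here as an example and not part of the original issue or of Hadoop: it scans job client output for failed task attempts whose visible error is the Kerberos "no TGT" GSSException, so the token path can be checked first. The function names and the second log record are constructed; reading that GSSException as a sign of the fallback is an assumption taken from this report.

```python
import re

# Sample job-client output. The first record is the excerpt from this report
# (wrapped lines rejoined); the second record is constructed for contrast.
SAMPLE_LOG = """\
15/08/27 07:35:35 INFO mapreduce.Job: Task Id : attempt_1440594773177_0021_m_000009_0, Status : FAILED
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
15/08/27 07:36:02 INFO mapreduce.Job: Task Id : attempt_1440594773177_0021_m_000010_0, Status : FAILED
java.io.FileNotFoundException: /constructed/example/path
"""

RECORD_START = re.compile(r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
TASK_FAILED = re.compile(r"Task Id : (attempt_\w+), Status : FAILED")
GSS_NO_TGT = "Failed to find any Kerberos tgt"

def split_records(text):
    """Group exception lines under the timestamped line that precedes them."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append([line])
        else:
            records[-1].append(line)
    # Collapse whitespace so mail- or terminal-wrapped records still match.
    return [" ".join(" ".join(rec).split()) for rec in records]

def triage(text):
    """Return (attempt_id, kerberos_error_seen) for each failed task attempt."""
    findings = []
    for rec in split_records(text):
        m = TASK_FAILED.search(rec)
        if m:
            findings.append((m.group(1), GSS_NO_TGT in rec))
    return findings

def report(text):
    """Render findings; the hint text encodes the assumption from this report."""
    lines = []
    for attempt, no_tgt in triage(text):
        hint = ("Kerberos 'no TGT' error: may be the fallback after a token "
                "auth failure, check the token path first" if no_tgt
                else "no Kerberos fallback signature")
        lines.append(f"{attempt}: {hint}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```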