[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[
https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15298380#comment-15298380
]
Steve Loughran commented on HADOOP-12754:
-
OK, I'm confused as i thought I'd been in the situation where it wasn't making
sense.
Are we confident that it really is always the case? Or could larry's point be
copied, both get printed?
> Client.handleSaslConnectionFailure() uses wrong user in exception text
> --
>
> Key: HADOOP-12754
> URL: https://issues.apache.org/jira/browse/HADOOP-12754
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: ipc, security
>Affects Versions: 2.7.2
>Reporter: Steve Loughran
>Priority: Minor
> Attachments: HADOOP-12754-001.patch
>
>
> {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure
> messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an
> auth problem in a {{doAs()}} context, this exception is fundamentally
> misleading
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[
https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15298353#comment-15298353
]
Daryn Sharp commented on HADOOP-12754:
--
The current message is accidentally accurate as currently implemented, and
patch doesn't change anything. {{handleSaslConnectionFailure}} is only called
when the real user is the login user. So the current user is the real user is
the login user.
> Client.handleSaslConnectionFailure() uses wrong user in exception text
> --
>
> Key: HADOOP-12754
> URL: https://issues.apache.org/jira/browse/HADOOP-12754
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: ipc, security
>Affects Versions: 2.7.2
>Reporter: Steve Loughran
>Priority: Minor
> Attachments: HADOOP-12754-001.patch
>
>
> {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure
> messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an
> auth problem in a {{doAs()}} context, this exception is fundamentally
> misleading
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[
https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15297669#comment-15297669
]
Vinayakumar B commented on HADOOP-12754:
{code} } else {
- String msg = "Couldn't setup connection for "
- + UserGroupInformation.getLoginUser().getUserName() + " to "
- + remoteId;
+ String msg =
+ "Couldn't setup connection for " + ugi + " to " + remoteId;
LOG.warn(msg, ex);
{code}
How about the above change. It will give full details.
> Client.handleSaslConnectionFailure() uses wrong user in exception text
> --
>
> Key: HADOOP-12754
> URL: https://issues.apache.org/jira/browse/HADOOP-12754
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: ipc, security
>Affects Versions: 2.7.2
>Reporter: Steve Loughran
>Priority: Minor
> Attachments: HADOOP-12754-001.patch
>
>
> {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure
> messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an
> auth problem in a {{doAs()}} context, this exception is fundamentally
> misleading
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[
https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15293819#comment-15293819
]
Sean Busbey commented on HADOOP-12754:
--
+1, this would be a nice addition while we're here. Otherwise the change looks
good.
> Client.handleSaslConnectionFailure() uses wrong user in exception text
> --
>
> Key: HADOOP-12754
> URL: https://issues.apache.org/jira/browse/HADOOP-12754
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: ipc, security
>Affects Versions: 2.7.2
>Reporter: Steve Loughran
>Priority: Minor
> Attachments: HADOOP-12754-001.patch
>
>
> {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure
> messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an
> auth problem in a {{doAs()}} context, this exception is fundamentally
> misleading
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[
https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15293387#comment-15293387
]
Kihwal Lee commented on HADOOP-12754:
-
[~daryn] is out today, but will be a good person to look at it as he has been
fixing bugs around this area. If you can wait, I will remind him on Monday.
> Client.handleSaslConnectionFailure() uses wrong user in exception text
> --
>
> Key: HADOOP-12754
> URL: https://issues.apache.org/jira/browse/HADOOP-12754
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: ipc, security
>Affects Versions: 2.7.2
>Reporter: Steve Loughran
>Priority: Minor
> Attachments: HADOOP-12754-001.patch
>
>
> {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure
> messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an
> auth problem in a {{doAs()}} context, this exception is fundamentally
> misleading
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[
https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15293290#comment-15293290
]
Steve Loughran commented on HADOOP-12754:
-
seems reasonable; can avoid being differently false from today
> Client.handleSaslConnectionFailure() uses wrong user in exception text
> --
>
> Key: HADOOP-12754
> URL: https://issues.apache.org/jira/browse/HADOOP-12754
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: ipc, security
>Affects Versions: 2.7.2
>Reporter: Steve Loughran
> Attachments: HADOOP-12754-001.patch
>
>
> {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure
> messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an
> auth problem in a {{doAs()}} context, this exception is fundamentally
> misleading
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[
https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15293250#comment-15293250
]
Larry McCay commented on HADOOP-12754:
--
Would it make sense to have the log entry indicate whether it is a doas context
by logging both loginUser and currentUser - or some evaluation of the two?
> Client.handleSaslConnectionFailure() uses wrong user in exception text
> --
>
> Key: HADOOP-12754
> URL: https://issues.apache.org/jira/browse/HADOOP-12754
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: ipc, security
>Affects Versions: 2.7.2
>Reporter: Steve Loughran
> Attachments: HADOOP-12754-001.patch
>
>
> {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure
> messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an
> auth problem in a {{doAs()}} context, this exception is fundamentally
> misleading
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[
https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15293229#comment-15293229
]
Vinayakumar B commented on HADOOP-12754:
I am seeing {{shouldAuthenticateOverKrb()}} this check before going for
re-login/printing exception message as shown in description.
{code} private synchronized boolean shouldAuthenticateOverKrb() throws
IOException {
UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
UserGroupInformation realUser = currentUser.getRealUser();
if (authMethod == AuthMethod.KERBEROS && loginUser != null &&
// Make sure user logged in using Kerberos either keytab or TGT
loginUser.hasKerberosCredentials() &&
// relogin only in case it is the login user (e.g. JT)
// or superuser (like oozie).
(loginUser.equals(currentUser) || loginUser.equals(realUser))) {
return true;
}
return false;
}{code}
{{shouldAuthenticateOverKrb()}} will return true if the {{currentUser()}} is
same as loginUser or a proxy user on top of login user.
So I think the log message just says that sasl fails to connect real user to
server. Isn't it looks correct?
> Client.handleSaslConnectionFailure() uses wrong user in exception text
> --
>
> Key: HADOOP-12754
> URL: https://issues.apache.org/jira/browse/HADOOP-12754
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: ipc, security
>Affects Versions: 2.7.2
>Reporter: Steve Loughran
> Attachments: HADOOP-12754-001.patch
>
>
> {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure
> messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an
> auth problem in a {{doAs()}} context, this exception is fundamentally
> misleading
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[
https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15126880#comment-15126880
]
Steve Loughran commented on HADOOP-12754:
-
While I'm at it, why does that code try and relogin as the current user
*without checking to see if the caller is the current user?* Again, this is of
limited use as all it could do is encounter KDC connectivity problems and
needless delays.
HADOOP-6706 is the source of that code...I don't see any discussion of that
topic there
> Client.handleSaslConnectionFailure() uses wrong user in exception text
> --
>
> Key: HADOOP-12754
> URL: https://issues.apache.org/jira/browse/HADOOP-12754
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: ipc, security
>Affects Versions: 2.7.2
>Reporter: Steve Loughran
>
> {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure
> messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an
> auth problem in a {{doAs()}} context, this exception is fundamentally
> misleading
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
