[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[ https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15298380#comment-15298380 ] Steve Loughran commented on HADOOP-12754: - OK, I'm confused as i thought I'd been in the situation where it wasn't making sense. Are we confident that it really is always the case? Or could larry's point be copied, both get printed? > Client.handleSaslConnectionFailure() uses wrong user in exception text > -- > > Key: HADOOP-12754 > URL: https://issues.apache.org/jira/browse/HADOOP-12754 > Project: Hadoop Common > Issue Type: Sub-task > Components: ipc, security >Affects Versions: 2.7.2 >Reporter: Steve Loughran >Priority: Minor > Attachments: HADOOP-12754-001.patch > > > {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure > messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an > auth problem in a {{doAs()}} context, this exception is fundamentally > misleading -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[ https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15298353#comment-15298353 ] Daryn Sharp commented on HADOOP-12754: -- The current message is accidentally accurate as currently implemented, and patch doesn't change anything. {{handleSaslConnectionFailure}} is only called when the real user is the login user. So the current user is the real user is the login user. > Client.handleSaslConnectionFailure() uses wrong user in exception text > -- > > Key: HADOOP-12754 > URL: https://issues.apache.org/jira/browse/HADOOP-12754 > Project: Hadoop Common > Issue Type: Sub-task > Components: ipc, security >Affects Versions: 2.7.2 >Reporter: Steve Loughran >Priority: Minor > Attachments: HADOOP-12754-001.patch > > > {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure > messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an > auth problem in a {{doAs()}} context, this exception is fundamentally > misleading -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[ https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15297669#comment-15297669 ] Vinayakumar B commented on HADOOP-12754: {code} } else { - String msg = "Couldn't setup connection for " - + UserGroupInformation.getLoginUser().getUserName() + " to " - + remoteId; + String msg = + "Couldn't setup connection for " + ugi + " to " + remoteId; LOG.warn(msg, ex); {code} How about the above change. It will give full details. > Client.handleSaslConnectionFailure() uses wrong user in exception text > -- > > Key: HADOOP-12754 > URL: https://issues.apache.org/jira/browse/HADOOP-12754 > Project: Hadoop Common > Issue Type: Sub-task > Components: ipc, security >Affects Versions: 2.7.2 >Reporter: Steve Loughran >Priority: Minor > Attachments: HADOOP-12754-001.patch > > > {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure > messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an > auth problem in a {{doAs()}} context, this exception is fundamentally > misleading -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[ https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15293819#comment-15293819 ] Sean Busbey commented on HADOOP-12754: -- +1, this would be a nice addition while we're here. Otherwise the change looks good. > Client.handleSaslConnectionFailure() uses wrong user in exception text > -- > > Key: HADOOP-12754 > URL: https://issues.apache.org/jira/browse/HADOOP-12754 > Project: Hadoop Common > Issue Type: Sub-task > Components: ipc, security >Affects Versions: 2.7.2 >Reporter: Steve Loughran >Priority: Minor > Attachments: HADOOP-12754-001.patch > > > {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure > messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an > auth problem in a {{doAs()}} context, this exception is fundamentally > misleading -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[ https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15293387#comment-15293387 ] Kihwal Lee commented on HADOOP-12754: - [~daryn] is out today, but will be a good person to look at it as he has been fixing bugs around this area. If you can wait, I will remind him on Monday. > Client.handleSaslConnectionFailure() uses wrong user in exception text > -- > > Key: HADOOP-12754 > URL: https://issues.apache.org/jira/browse/HADOOP-12754 > Project: Hadoop Common > Issue Type: Sub-task > Components: ipc, security >Affects Versions: 2.7.2 >Reporter: Steve Loughran >Priority: Minor > Attachments: HADOOP-12754-001.patch > > > {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure > messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an > auth problem in a {{doAs()}} context, this exception is fundamentally > misleading -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[ https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15293290#comment-15293290 ] Steve Loughran commented on HADOOP-12754: - seems reasonable; can avoid being differently false from today > Client.handleSaslConnectionFailure() uses wrong user in exception text > -- > > Key: HADOOP-12754 > URL: https://issues.apache.org/jira/browse/HADOOP-12754 > Project: Hadoop Common > Issue Type: Sub-task > Components: ipc, security >Affects Versions: 2.7.2 >Reporter: Steve Loughran > Attachments: HADOOP-12754-001.patch > > > {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure > messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an > auth problem in a {{doAs()}} context, this exception is fundamentally > misleading -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[ https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15293250#comment-15293250 ] Larry McCay commented on HADOOP-12754: -- Would it make sense to have the log entry indicate whether it is a doas context by logging both loginUser and currentUser - or some evaluation of the two? > Client.handleSaslConnectionFailure() uses wrong user in exception text > -- > > Key: HADOOP-12754 > URL: https://issues.apache.org/jira/browse/HADOOP-12754 > Project: Hadoop Common > Issue Type: Sub-task > Components: ipc, security >Affects Versions: 2.7.2 >Reporter: Steve Loughran > Attachments: HADOOP-12754-001.patch > > > {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure > messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an > auth problem in a {{doAs()}} context, this exception is fundamentally > misleading -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[ https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15293229#comment-15293229 ] Vinayakumar B commented on HADOOP-12754: I am seeing {{shouldAuthenticateOverKrb()}} this check before going for re-login/printing exception message as shown in description. {code} private synchronized boolean shouldAuthenticateOverKrb() throws IOException { UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); UserGroupInformation realUser = currentUser.getRealUser(); if (authMethod == AuthMethod.KERBEROS && loginUser != null && // Make sure user logged in using Kerberos either keytab or TGT loginUser.hasKerberosCredentials() && // relogin only in case it is the login user (e.g. JT) // or superuser (like oozie). (loginUser.equals(currentUser) || loginUser.equals(realUser))) { return true; } return false; }{code} {{shouldAuthenticateOverKrb()}} will return true if the {{currentUser()}} is same as loginUser or a proxy user on top of login user. So I think the log message just says that sasl fails to connect real user to server. Isn't it looks correct? > Client.handleSaslConnectionFailure() uses wrong user in exception text > -- > > Key: HADOOP-12754 > URL: https://issues.apache.org/jira/browse/HADOOP-12754 > Project: Hadoop Common > Issue Type: Sub-task > Components: ipc, security >Affects Versions: 2.7.2 >Reporter: Steve Loughran > Attachments: HADOOP-12754-001.patch > > > {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure > messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an > auth problem in a {{doAs()}} context, this exception is fundamentally > misleading -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-12754) Client.handleSaslConnectionFailure() uses wrong user in exception text
[ https://issues.apache.org/jira/browse/HADOOP-12754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15126880#comment-15126880 ] Steve Loughran commented on HADOOP-12754: - While I'm at it, why does that code try and relogin as the current user *without checking to see if the caller is the current user?* Again, this is of limited use as all it could do is encounter KDC connectivity problems and needless delays. HADOOP-6706 is the source of that code...I don't see any discussion of that topic there > Client.handleSaslConnectionFailure() uses wrong user in exception text > -- > > Key: HADOOP-12754 > URL: https://issues.apache.org/jira/browse/HADOOP-12754 > Project: Hadoop Common > Issue Type: Sub-task > Components: ipc, security >Affects Versions: 2.7.2 >Reporter: Steve Loughran > > {{Client.handleSaslConnectionFailure()}} includes the user in SASL failure > messages, but it calls {{UGI.getLoginUser()}} for its text. If there's an > auth problem in a {{doAs()}} context, this exception is fundamentally > misleading -- This message was sent by Atlassian JIRA (v6.3.4#6332)