[jira] [Commented] (HADOOP-12649) Improve UGI diagnostics and failure handling

["Steve Loughran (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/HADOOP-12649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15059963#comment-15059963 ] 

Steve Loughran commented on HADOOP-12649:
-----------------------------------------

If you can't renew a ticket as you were kinited-in and it's expired, the renewer thread exits with nothing but a warning. It doesn't even print the stack trace of the nested exception.

{code}
2015-12-16 12:57:44,005 [TGT Renewer for stevel@COTHAM] WARN  security.UserGroupInformation (run(914)) - Exception encountered while running the renewal command. Aborting renew thread. ExitCodeException exitCode=1: kinit: krb5_get_kdc_cred: Error from KDC: TKT_EXPIRED
{code}

A near-silent failure is not always what you want. There is nothing to prevent a renewal-failure action to be provided to this thread, allowing an application-level action to be performed (maybe even retry)


> Improve UGI diagnostics and failure handling
> --------------------------------------------
>
>                 Key: HADOOP-12649
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12649
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.7.1
>         Environment: Kerberos
>            Reporter: Steve Loughran
>
> Sometimes —apparently— some people cannot get kerberos to work.
> The ability to diagnose problems here is hampered by some aspects of UGI
> # the only way to turn on JAAS debug information is through an env var, not within the JVM
> # failures are potentially underlogged
> # exceptions raised are generic IOEs, so can't be trapped and filtered
> # failure handling on the TGT renewer thread is nonexistent
> # the code is barely-readable, underdocumented mess.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)