You are viewing a plain text version of this content. The canonical link for it is here.
Posted to hdfs-dev@hadoop.apache.org by "takeshi.miao (JIRA)" <ji...@apache.org> on 2013/06/05 10:38:19 UTC

[jira] [Created] (HDFS-4881) fine tune "Access token verification failed" error msg in datanode log

takeshi.miao created HDFS-4881:
----------------------------------

             Summary: fine tune "Access token verification failed" error msg in datanode log
                 Key: HDFS-4881
                 URL: https://issues.apache.org/jira/browse/HDFS-4881
             Project: Hadoop HDFS
          Issue Type: Improvement
          Components: datanode
    Affects Versions: 1.0.0
         Environment: CentOS-5.3, java-version-1.6.0_26
            Reporter: takeshi.miao
            Priority: Trivial


I'd like to issue this ticket is due to we suffered a datanode access token verification failure issue recently. The client is HBase who is accessing the local datanode via DFSClient. The details log snippets as follows...
*regionserver log*
{code}
...
[2013-05-24 08:33:37,553][regionserver8120-compactions-1369288874174][INFO ][org.apache.hadoop.hbase.regionserver.Store]: Started compaction of 1 file(s) in cf=ho, hasReferences=true, into hdfs://sjdc-s-hdd-001.sjdc.ispn.trendmicro.com:8020/user/SPN-hbase/spn.guidcensus.ho/f99c6fb26f488034bf0e6ddd7a647ba4/.tmp, seqid=3, totalSize=4.2g
[2013-05-24 08:33:37,554][regionserver8120-compactions-1369288874174][INFO ][org.apache.hadoop.hdfs.DFSClient]: Access token was invalid when connecting to /10.31.6.49:1004 : org.apache.hadoop.hdfs.security.token.block.InvalidBlockTokenException: Got access token error for OP_READ_BLOCK, self=/10.31.6.49:36530, remote=/10.31.6.49:1004, for file /user/SPN-hbase/spn.guidcensus.ho/a565dd142933e3abf9bec33d59210d1b/ho/c5b37b9dd8801275c8fb160c0fb32ce5c48b56f4, for block 4549293737579979499_205814042
...
{code}

*datanode log*
{code}
...
[2013-05-24 08:33:37,554][DataXceiver for client /10.31.6.49:36530 [Waiting for operation #1]][ERROR][org.apache.hadoop.hdfs.server.datanode.DataNode]: DatanodeRegistration(10.31.6.49:1004, storageID=DS-1953102179-10.31.6.49-1004-       1342490559943, infoPort=1006, ipcPort=50020):DataXceiver
java.io.IOException: Access token verification failed, for client /10.31.6.49:36530 for OP_READ_BLOCK for block blk_4549293737579979499_205814042
        at org.apache.hadoop.hdfs.server.datanode.DataXceiver.readBlock(DataXceiver.java:252)
        at org.apache.hadoop.hdfs.server.datanode.DataXceiver.run(DataXceiver.java:175)
...
{code}

After trace o.a.h.hdfs.security.token.block.BlockTokenSecretManager.java, I found that there are more further details error description written in code.
*o.a.h.hdfs.security.token.block.BlockTokenSecretManager.java*
{code}
public void checkAccess(BlockTokenIdentifier id, String userId, Block block,
      AccessMode mode) throws InvalidToken {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Checking access for user=" + userId + ", block=" + block
          + ", access mode=" + mode + " using " + id.toString());
    }
    if (userId != null && !userId.equals(id.getUserId())) {
      throw new InvalidToken("Block token with " + id.toString()
          + " doesn't belong to user " + userId);
    }
    if (id.getBlockId() != block.getBlockId()) {
      throw new InvalidToken("Block token with " + id.toString()
          + " doesn't apply to block " + block);
    }
    if (isExpired(id.getExpiryDate())) {
      throw new InvalidToken("Block token with " + id.toString()
          + " is expired.");
    }
    if (!id.getAccessModes().contains(mode)) {
      throw new InvalidToken("Block token with " + id.toString()
          + " doesn't have " + mode + " permission");
    }
  }
{code}

But actually, this InvalidTokenException will not be handled further (but caught), so I can not trace what kind of this access block token verification is...
*o.a.h.hdfs.server.datanode.DataXceiver.java*
{code}
...
if (datanode.isBlockTokenEnabled) {
      try {
        datanode.blockTokenSecretManager.checkAccess(accessToken, null, block,
            BlockTokenSecretManager.AccessMode.READ);
      } catch (InvalidToken e) {
        // the e object not handled further...
        try {
          out.writeShort(DataTransferProtocol.OP_STATUS_ERROR_ACCESS_TOKEN);
          out.flush();
          throw new IOException("Access token verification failed, for client "
              + remoteAddress + " for OP_READ_BLOCK for block " + block); 
        } finally {
          IOUtils.closeStream(out);
        }   
      }   
    }
...
{code}


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira