You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2014/11/10 22:01:36 UTC
[jira] [Commented] (HADOOP-11291) Log the cause of SASL connection
failures
[ https://issues.apache.org/jira/browse/HADOOP-11291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14205333#comment-14205333 ]
Hadoop QA commented on HADOOP-11291:
------------------------------------
{color:red}-1 overall{color}. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12680641/HADOOP-11291.1.patch
against trunk revision eace218.
{color:green}+1 @author{color}. The patch does not contain any @author tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.
{color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
{color:green}+1 eclipse:eclipse{color}. The patch built with eclipse:eclipse.
{color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings.
{color:red}-1 core tests{color}. The patch failed these unit tests in hadoop-common-project/hadoop-common:
org.apache.hadoop.ha.TestZKFailoverControllerStress
{color:green}+1 contrib tests{color}. The patch passed contrib unit tests.
Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/5058//testReport/
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/5058//console
This message is automatically generated.
> Log the cause of SASL connection failures
> -----------------------------------------
>
> Key: HADOOP-11291
> URL: https://issues.apache.org/jira/browse/HADOOP-11291
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.5.0
> Reporter: Stephen Chu
> Assignee: Stephen Chu
> Priority: Minor
> Labels: supportability
> Attachments: HADOOP-11291.1.patch
>
>
> {{UGI#doAs}} will no longer log a PriviledgedActionException unless LOG.isDebugEnabled() == true. HADOOP-10015 made this change because it was decided that users calling {{UGI#doAs}} should be responsible for logging the error when catching an exception. Also, the log was confusing in certain situations (see more details in HADOOP-10015).
> However, as Daryn noted, this log message was very helpful in cases of debugging security issues.
> As an example, we would use to see this in the DN logs before HADOOP-10015:
> {code}
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - NO PREAUTH)]
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:java.io.IOException: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
> {code}
> After the fix went in, the DN was upgraded, and only logs:
> {code}
> 2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
> 2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Problem connecting to server: hostB.com/101.01.010:8022
> {code}
> It'd be good to add more logging information about the cause of a SASL connection failure.
> Thanks to [~qwertymaniac] for reporting this.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)