Details
- Improvement
- Status: Closed
- Minor
- Resolution: Fixed
- 2.5.0
- Reviewed
Description
UGI#doAs will no longer log a PriviledgedActionException unless LOG.isDebugEnabled() == true. HADOOP-10015 made this change because it was decided that users calling UGI#doAs should be responsible for logging the error when catching an exception. Also, the log was confusing in certain situations (see more details in HADOOP-10015).
However, as Daryn noted, this log message was very helpful in cases of debugging security issues.
As an example, we used to see this in the DN logs before HADOOP-10015:
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - NO PREAUTH)]
2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:java.io.IOException: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
After the fix went in and the DN was upgraded, it only logs:
2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Problem connecting to server: hostB.com/101.01.010:8022
It'd be good to add more logging information about the cause of a SASL connection failure.
Thanks to qwertymaniac for reporting this.
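The before/after difference in the description can be checked mechanically when triaging DataNode logs. The following is an added example, not part of the issue or of Hadoop: it parses the log lines quoted above and pairs each ipc.Client connection failure with the UGI#doAs cause logged for the same principal. The function names and the same-second correlation window are assumptions.

```python
import re
from collections import defaultdict

# Log lines copied from the issue description: 11:28 is before HADOOP-10015, 14:11 after.
SAMPLE_LOG = """\
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - NO PREAUTH)]
2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:java.io.IOException: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Problem connecting to server: hostB.com/101.01.010:8022
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} \w+ ([\w.$]+): (.*)$")
PAE = re.compile(r"^PriviledgedActionException as:(\S+) \(auth:(\w+)\) cause:(.*)$")
CONN = re.compile(r"^Couldn't setup connection for (\S+) to (\S+)$")
UGI = "org.apache.hadoop.security.UserGroupInformation"
IPC = "org.apache.hadoop.ipc.Client"

def triage(log_text):
    """Pair each ipc.Client failure with the doAs cause logged in the same second (assumed window)."""
    parsed = [m.groups() for m in map(LINE.match, log_text.splitlines()) if m]
    causes = defaultdict(list)
    for second, logger, msg in parsed:
        pae = PAE.match(msg) if logger == UGI else None
        if pae:
            principal, auth, cause = pae.groups()
            causes[(second, principal)].append((auth, cause))
    report = []
    for second, logger, msg in parsed:
        conn = CONN.match(msg) if logger == IPC else None
        if not conn:
            continue
        principal, server = conn.groups()
        # Prefer the SASL/GSS cause over the IOException that only wraps the connection error.
        logged = causes.get((second, principal), [])
        sasl = [c for c in logged if "SaslException" in c[1]] or logged
        auth, cause = sasl[0] if sasl else (None, None)
        report.append({"time": second, "principal": principal, "server": server, "auth": auth, "cause": cause})
    return report

def blind_failures(log_text):
    """Failures with no recorded cause: the post-HADOOP-10015 case, visible only at DEBUG on the UGI logger."""
    return [r for r in triage(log_text) if r["cause"] is None]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["time"], r["server"], r["cause"] or "NO CAUSE LOGGED")
```
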