  1. Hadoop Common
  2. HADOOP-11291

Log the cause of SASL connection failures

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.5.0
    • Fix Version/s: 2.7.0
    • Component/s: security
    • Hadoop Flags:
      Reviewed

      Description

      UGI#doAs will no longer log a PriviledgedActionException unless LOG.isDebugEnabled() == true. HADOOP-10015 made this change because it was decided that users calling UGI#doAs should be responsible for logging the error when catching an exception. Also, the log was confusing in certain situations (see more details in HADOOP-10015).

      However, as Daryn noted, this log message was very helpful in cases of debugging security issues.

      As an example, we used to see this in the DN logs before HADOOP-10015:

      2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - NO PREAUTH)]
      2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
      2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:java.io.IOException: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
      

      After the fix went in, the DN was upgraded, and it only logs:

      2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
      2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Problem connecting to server: hostB.com/101.01.010:8022
      

      It'd be good to add more logging information about the cause of a SASL connection failure.

      Thanks to Harsh J for reporting this.

        Attachments

        1. HADOOP-11291.2.patch
          0.9 kB
          Stephen Chu
        2. HADOOP-11291.1.patch
          0.9 kB
          Stephen Chu

            People

            • Assignee:
              schu Stephen Chu
              Reporter:
              schu Stephen Chu
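
Log triage for the visibility gap described in this issue, added here as an example and not part of the Hadoop patch or the original report: it pairs each `ipc.Client` connection failure with a SASL cause logged for the same principal within one second, and leaves the cause empty when nothing was logged. The sample lines are the two excerpts from the description; the function names and the one-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: the "before" and "after" DataNode excerpts from the description.
SAMPLE = """\
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - NO PREAUTH)]
2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:java.io.IOException: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Problem connecting to server: hostB.com/101.01.010:8022
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ ([\w.$]+): (.*)$")
# "Priviledged" is spelled this way in the log lines shown in the issue.
CAUSE = re.compile(r"PriviledgedActionException as:(\S+) \(auth:\w+\) "
                   r"cause:(javax\.security\.sasl\.SaslException: .*)$")
FAIL = re.compile(r"Couldn't setup connection for (\S+) to (\S+)$")
MECH = re.compile(r"\(Mechanism level: (.*)\)\]")

def parse(text):
    """Yield (timestamp, logger, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), m.group(2), m.group(3)

def triage(text, window=timedelta(seconds=1)):
    """Pair each ipc.Client failure with a nearby SASL cause, if one was logged."""
    events = list(parse(text))
    causes = [(ts, m.group(1), m.group(2))
              for ts, _, msg in events if (m := CAUSE.search(msg))]
    report = []
    for ts, logger, msg in events:
        m = FAIL.search(msg)
        if not m or not logger.endswith("ipc.Client"):
            continue  # skip UGI lines that merely repeat the failure text
        principal, target = m.groups()
        cause = next((c for t, p, c in causes
                      if p == principal and abs(t - ts) <= window), None)
        mech = MECH.search(cause) if cause else None
        report.append({"time": ts, "principal": principal, "target": target,
                       "cause": cause, "mechanism": mech.group(1) if mech else None})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["time"], row["target"], row["mechanism"] or "NO CAUSE LOGGED")
```

On the sample, the 11:28 failure resolves to the Kerberos mechanism-level detail, while the 14:11 failure has no cause on record.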