  1. Hadoop Common
  2. HADOOP-12510

Need improved WARN or ERROR when token based auth fails for kmsclient request


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      When token-based authentication fails, it would be helpful to have a WARN event of the failure, as well as a WARN event that alternative forms of authentication are being attempted.

      For example, if token-based authentication has failed, it appears that there is a fallback to attempting Kerberos authentication. At that point the most prominent logging is a Kerberos GSS error, when the actual issue was a failure at the token evaluation of a client access request to an HDFS encrypted zone.

      In the example below we are presented with a Kerberos error, but the actual error was a failure of token authorization in an unexpected way.

      15/08/27 07:35:35 INFO mapreduce.Job: Task Id : attempt_1440594773177_0021_m_000009_0, Status : FAILED 
      org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) 
      java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) 
      at 
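
An added example, not code from Hadoop or from the reporter: one way a client could emit the two WARN events requested above and keep the token failure attached when the Kerberos fallback also fails. All class, method and URL names are hypothetical, the error strings are constructed, and java.util.logging stands in for the project's logger.

```java
import java.io.IOException;
import java.util.logging.Logger;

// Added illustration; every name here is hypothetical, not a Hadoop or KMS client API.
public class AuthFallbackLogging {
    private static final Logger LOG = Logger.getLogger("kms.client.auth");

    /** One authentication mechanism, e.g. delegation token or Kerberos. */
    interface AuthMethod {
        String name();
        String authenticate(String url) throws IOException; // returns an auth cookie
    }

    /** Tries the primary mechanism, then the fallback, logging each transition at WARN. */
    static String authenticate(String url, AuthMethod primary, AuthMethod fallback)
            throws IOException {
        IOException primaryFailure;
        try {
            return primary.authenticate(url);
        } catch (IOException e) {
            primaryFailure = e;
            LOG.warning(primary.name() + " authentication to " + url + " failed: " + e.getMessage());
            LOG.warning("Falling back to " + fallback.name() + " authentication for " + url);
        }
        try {
            return fallback.authenticate(url);
        } catch (IOException e) {
            // Surface the first failure in the message and the trace, not only the fallback's error.
            IOException both = new IOException(fallback.name() + " fallback failed after "
                    + primary.name() + " failure (" + primaryFailure.getMessage() + ")", e);
            both.addSuppressed(primaryFailure);
            throw both;
        }
    }

    /** Builds a mechanism that always fails with the given (constructed) error. */
    static AuthMethod failing(String name, String error) {
        return new AuthMethod() {
            public String name() { return name; }
            public String authenticate(String url) throws IOException { throw new IOException(error); }
        };
    }

    public static void main(String[] args) {
        AuthMethod token = failing("token", "delegation token rejected by server");
        AuthMethod kerberos = failing("Kerberos", "GSSException: No valid credentials provided");
        try {
            authenticate("https://kms.example.invalid/", token, kerberos);
        } catch (IOException e) {
            System.out.println(e.getMessage() + " | suppressed: " + e.getSuppressed()[0].getMessage());
        }
    }
}
```

With this shape the task log shows the token failure first and the Kerberos error only as the outcome of the fallback.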
      


              People

              • Assignee:
                Unassigned
                Reporter:
                tgrayson Todd Grayson