Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
When token based authentication fails, it would be helpful to have a WARN event of the failure, as well as a WARN event that alternative forms of authentication are being attempted.
For example if token based authentication has failed; it appears that there is a fallback to attempting kerberos authentication. At that point the most prominent logging is a kerberos GSS error, when the actual issue was a failure at the token evaluation of a client access request to an HDFS encrypted zone.
In the example below we are presented with a kerberos error, but the actual error was a failure of token authorization in an unexpected way.
15/08/27 07:35:35 INFO mapreduce.Job: Task Id : attempt_1440594773177_0021_m_000009_0, Status : FAILED org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at
Attachments
Issue Links
- is depended upon by
-
HADOOP-12649 Improve Kerberos diagnostics and failure handling
- Open