Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-12649

Improve Kerberos diagnostics and failure handling

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 2.7.1
    • None
    • security
    • None

    • Kerberos

    Description

      Sometimes —apparently— some people cannot get kerberos to work.

      The ability to diagnose problems here is hampered by some aspects of UGI

      1. the only way to turn on JAAS debug information is through an env var, not within the JVM
      2. failures are potentially underlogged
      3. exceptions raised are generic IOEs, so can't be trapped and filtered
      4. failure handling on the TGT renewer thread is nonexistent
      5. the code is barely-readable, underdocumented mess.

      Attachments

        Issue Links

          depends upon

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-12751 While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-12906 AuthenticatedURL should convert a 404/Not Found into an FileNotFoundException.

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-13056 Print expected values when rejecting a server's determined principal

          • Trivial - Cosmetic problem like misspelt words or misaligned text.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-10315 Log the original exception when getGroups() fail in UGI.

          • Major - Major loss of function.
          • Patch Available

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-10523 Hadoop services (such as RM, NN and JHS) throw confusing exception during token auto-cancelation

          • Major - Major loss of function.
          • Patch Available

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-14327 KerberosAuthenticationHandler#authenticate throws meaningless exception when server principals set is empty

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Patch Available

          New Feature - A new feature of the product, which has yet to be developed. HADOOP-12741 UserGroupInformation.loginUserFromKeytab() creates background thread which is not getting killed even after application exited

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. HADOOP-12563 Updated utility to create/modify token files

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-12510 Need improved WARN or ERROR when token based auth fails for kmsclient request

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-13604 Abort retry loop when RPC has an unrecoverable Auth error

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-12664 UGI auto-renewer does not verify kinit availability during initialization

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-10776 Open up already widely-used APIs for delegation-token fetching & renewal to ecosystem projects

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HDFS-9732 Improve DelegationTokenIdentifier.toString() for better logging

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. YARN-4682 AMRM client to log when AMRM token updated

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. YARN-4721 RM to try to auth with HDFS on startup, retry with max diagnostics on failure

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-11404 Clarify the "expected client Kerberos principal is null" authorization message

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-15959 revert HADOOP-12751

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-8787 KerberosAuthenticationHandler should include missing property names in configuration

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Patch Available
          is depended upon by

          New Feature - A new feature of the product, which has yet to be developed. HADOOP-12426 Add Entry point for Kerberos health check

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-12770 KMSClientProvider addDelegationTokens won't add if the credentials contain an expired one

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-12650 Document all of the secret env vars

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. YARN-4629 Distributed shell breaks under strong security

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. SLIDER-993 Client fails to start ZK Registry client: Entry "Client" not found; JAAS config =

          • Major - Major loss of function.
          • Reopened

          New Feature - A new feature of the product, which has yet to be developed. SLIDER-1027 add a kdiag command for kerberos diagnostics

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-2344 Provide more diagnostics/stack traces on SASL Auth failure

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-13590 Retry until TGT expires even if the UGI renewal thread encountered exception

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. SLIDER-1035 Kdiag enhancements

          • Major - Major loss of function.
          • Resolved

          Task - A task that needs to be done. YARN-4653 Document YARN security model from the perspective of Application Developers

          • Major - Major loss of function.
          • Closed
          1.
          		 pull out logic to determine principal, allow kdiag to get at it directly Sub-task Open Unassigned
          2.
          		 Improve diagnostics/use of envvar/sysprop credential propagation Sub-task Resolved Steve Loughran
          3.
          		 Client.handleSaslConnectionFailure() uses wrong user in exception text Sub-task Resolved Unassigned
          4.
          		 KDiag to look at HADOOP_TOKEN_FILE_LOCATION more Sub-task Open Unassigned
          5.
          		 Credentials to include text of inner IOE when rethrowing wrapped Sub-task Open Unassigned
          6.
          		 UGI to log@ debug stack traces when failing to find groups for a user Sub-task Resolved Unassigned
          7.
          		 Make kdiag something services can use directly on startup Sub-task Patch Available Steve Loughran
          8.
          		 kdiag to add a --DEFAULTREALM option Sub-task Open Unassigned
          9.
          		 Drop the @LimitedPrivate maker off UGI, as its clearly untrue Sub-task Resolved Unassigned
          10.
          		 kdiag to add a --url option to attempt a SPNEGO-authed GET Sub-task Open Unassigned
          11.
          		 Have an explicit KerberosAuthException for UGI to throw, text from public constants Sub-task Resolved Xiao Chen
          12.
          		 replace `Can't get Master Kerberos principal` message with useful information about principal and configuration item Sub-task Open Unassigned
          13.
          		 client.handleSaslConnectionFailure needlessly wraps IOEs Sub-task Patch Available Yuanbo Liu
          14.
          		 Gauges are getting logged in exceptions from AutoRenewalThreadForUserCreds Sub-task Resolved LiXin Ge
          15.
          		 KDiag to add cli options for proxies and taking to HDFS for listing & DT retrieval Sub-task Open Unassigned
          16.
          		 UGI.createLoginUser to log token filename & token identifiers on load Sub-task Open Unassigned

          Activity

            People

              Unassigned Unassigned
              stevel@apache.org Steve Loughran
              Votes:
              1 Vote for this issue
              Watchers:
              27 Start watching this issue

              Dates

                Created:
                Updated: