Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-12649

Improve Kerberos diagnostics and failure handling

Log workAgile BoardRank to TopRank to BottomAttach filesAttach ScreenshotBulk Copy AttachmentsBulk Move AttachmentsAdd voteVotersWatch issueWatchersCreate sub-taskMoveLinkCloneLabelsUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 2.7.1
    • None
    • security
    • None

    • Kerberos

    Description

      Sometimes —apparently— some people cannot get kerberos to work.

      The ability to diagnose problems here is hampered by some aspects of UGI

      1. the only way to turn on JAAS debug information is through an env var, not within the JVM
      2. failures are potentially underlogged
      3. exceptions raised are generic IOEs, so can't be trapped and filtered
      4. failure handling on the TGT renewer thread is nonexistent
      5. the code is barely-readable, underdocumented mess.

      Attachments

        Issue Links

        depends upon

        Bug - A problem which impairs or prevents the functions of the product. HADOOP-12751 While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple

        • Critical - Crashes, loss of data, severe memory leak.
        • Resolved

        Bug - A problem which impairs or prevents the functions of the product. HADOOP-12906 AuthenticatedURL should convert a 404/Not Found into an FileNotFoundException.

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Resolved

        Bug - A problem which impairs or prevents the functions of the product. HADOOP-13056 Print expected values when rejecting a server's determined principal

        • Trivial - Cosmetic problem like misspelt words or misaligned text.
        • Resolved

        Bug - A problem which impairs or prevents the functions of the product. HADOOP-10315 Log the original exception when getGroups() fail in UGI.

        • Major - Major loss of function.
        • Patch Available

        Bug - A problem which impairs or prevents the functions of the product. HADOOP-10523 Hadoop services (such as RM, NN and JHS) throw confusing exception during token auto-cancelation

        • Major - Major loss of function.
        • Patch Available

        Bug - A problem which impairs or prevents the functions of the product. HADOOP-14327 KerberosAuthenticationHandler#authenticate throws meaningless exception when server principals set is empty

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Patch Available

        New Feature - A new feature of the product, which has yet to be developed. HADOOP-12741 UserGroupInformation.loginUserFromKeytab() creates background thread which is not getting killed even after application exited

        • Major - Major loss of function.
        • Open

        New Feature - A new feature of the product, which has yet to be developed. HADOOP-12563 Updated utility to create/modify token files

        • Major - Major loss of function.
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. HADOOP-12510 Need improved WARN or ERROR when token based auth fails for kmsclient request

        • Major - Major loss of function.
        • Open

        Improvement - An improvement or enhancement to an existing feature or task. HADOOP-13604 Abort retry loop when RPC has an unrecoverable Auth error

        • Major - Major loss of function.
        • Open

        Improvement - An improvement or enhancement to an existing feature or task. HADOOP-12664 UGI auto-renewer does not verify kinit availability during initialization

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Open

        Improvement - An improvement or enhancement to an existing feature or task. HADOOP-10776 Open up already widely-used APIs for delegation-token fetching & renewal to ecosystem projects

        • Blocker - Blocks development and/or testing work, production could not run
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. HDFS-9732 Improve DelegationTokenIdentifier.toString() for better logging

        • Major - Major loss of function.
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. YARN-4682 AMRM client to log when AMRM token updated

        • Major - Major loss of function.
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. YARN-4721 RM to try to auth with HDFS on startup, retry with max diagnostics on failure

        • Major - Major loss of function.
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. HADOOP-11404 Clarify the "expected client Kerberos principal is null" authorization message

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. HADOOP-15959 revert HADOOP-12751

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. HADOOP-8787 KerberosAuthenticationHandler should include missing property names in configuration

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Patch Available
        is depended upon by

        New Feature - A new feature of the product, which has yet to be developed. HADOOP-12426 Add Entry point for Kerberos health check

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Resolved
        is related to

        Bug - A problem which impairs or prevents the functions of the product. HADOOP-12770 KMSClientProvider addDelegationTokens won't add if the credentials contain an expired one

        • Major - Major loss of function.
        • Open

        Bug - A problem which impairs or prevents the functions of the product. HADOOP-12650 Document all of the secret env vars

        • Blocker - Blocks development and/or testing work, production could not run
        • Resolved

        Bug - A problem which impairs or prevents the functions of the product. YARN-4629 Distributed shell breaks under strong security

        • Major - Major loss of function.
        • Resolved
        relates to

        Bug - A problem which impairs or prevents the functions of the product. SLIDER-993 Client fails to start ZK Registry client: Entry "Client" not found; JAAS config =

        • Major - Major loss of function.
        • Reopened

        New Feature - A new feature of the product, which has yet to be developed. SLIDER-1027 add a kdiag command for kerberos diagnostics

        • Major - Major loss of function.
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-2344 Provide more diagnostics/stack traces on SASL Auth failure

        • Major - Major loss of function.
        • Open

        Improvement - An improvement or enhancement to an existing feature or task. HADOOP-13590 Retry until TGT expires even if the UGI renewal thread encountered exception

        • Major - Major loss of function.
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. SLIDER-1035 Kdiag enhancements

        • Major - Major loss of function.
        • Resolved

        Task - A task that needs to be done. YARN-4653 Document YARN security model from the perspective of Application Developers

        • Major - Major loss of function.
        • Closed
        1.
        		 pull out logic to determine principal, allow kdiag to get at it directly Sub-task Open Unassigned Actions
        2.
        		 Improve diagnostics/use of envvar/sysprop credential propagation Sub-task Resolved Steve Loughran Actions
        3.
        		 Client.handleSaslConnectionFailure() uses wrong user in exception text Sub-task Resolved Unassigned Actions
        4.
        		 KDiag to look at HADOOP_TOKEN_FILE_LOCATION more Sub-task Open Unassigned Actions
        5.
        		 Credentials to include text of inner IOE when rethrowing wrapped Sub-task Open Unassigned Actions
        6.
        		 UGI to log@ debug stack traces when failing to find groups for a user Sub-task Resolved Unassigned Actions
        7.
        		 Make kdiag something services can use directly on startup Sub-task Patch Available Steve Loughran Actions
        8.
        		 kdiag to add a --DEFAULTREALM option Sub-task Open Unassigned Actions
        9.
        		 Drop the @LimitedPrivate maker off UGI, as its clearly untrue Sub-task Resolved Unassigned Actions
        10.
        		 kdiag to add a --url option to attempt a SPNEGO-authed GET Sub-task Open Unassigned Actions
        11.
        		 Have an explicit KerberosAuthException for UGI to throw, text from public constants Sub-task Resolved Xiao Chen Actions
        12.
        		 replace `Can't get Master Kerberos principal` message with useful information about principal and configuration item Sub-task Open Unassigned Actions
        13.
        		 client.handleSaslConnectionFailure needlessly wraps IOEs Sub-task Patch Available Yuanbo Liu Actions
        14.
        		 Gauges are getting logged in exceptions from AutoRenewalThreadForUserCreds Sub-task Resolved LiXin Ge Actions
        15.
        		 KDiag to add cli options for proxies and taking to HDFS for listing & DT retrieval Sub-task Open Unassigned Actions
        16.
        		 UGI.createLoginUser to log token filename & token identifiers on load Sub-task Open Unassigned Actions

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned Assign to me
            stevel@apache.org Steve Loughran
            Votes:
            1 Vote for this issue
            Watchers:
            27 Start watching this issue

            Dates

              Created:
              Updated:

              Slack

                Issue deployment