Hadoop Common / HADOOP-12649

Improve Kerberos diagnostics and failure handling


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.7.1
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None
    • Environment:

      Kerberos

      Description

      Sometimes, apparently, some people cannot get Kerberos to work.

      The ability to diagnose problems here is hampered by some aspects of UGI:

      1. the only way to turn on JAAS debug information is through an env var, not within the JVM
      2. failures are potentially underlogged
      3. exceptions raised are generic IOEs, so can't be trapped and filtered
      4. failure handling on the TGT renewer thread is nonexistent
      5. the code is a barely readable, underdocumented mess.

        Issue Links

        1. pull out logic to determine principal, allow kdiag to get at it directly (Sub-task; Status: Open; Assignee: Unassigned)
        2. Improve diagnostics/use of envvar/sysprop credential propagation (Sub-task; Status: Resolved; Assignee: Steve Loughran)
        3. Client.handleSaslConnectionFailure() uses wrong user in exception text (Sub-task; Status: Resolved; Assignee: Unassigned)
        4. KDiag to look at HADOOP_TOKEN_FILE_LOCATION more (Sub-task; Status: Open; Assignee: Unassigned)
        5. Credentials to include text of inner IOE when rethrowing wrapped (Sub-task; Status: Open; Assignee: Unassigned)
        6. UGI to log@ debug stack traces when failing to find groups for a user (Sub-task; Status: Resolved; Assignee: Unassigned)
        7. Make kdiag something services can use directly on startup (Sub-task; Status: Patch Available; Assignee: Steve Loughran)
        8. kdiag to add a --DEFAULTREALM option (Sub-task; Status: Open; Assignee: Unassigned)
        9. Drop the @LimitedPrivate maker off UGI, as its clearly untrue (Sub-task; Status: Resolved; Assignee: Unassigned)
        10. kdiag to add a --url option to attempt a SPNEGO-authed GET (Sub-task; Status: Open; Assignee: Unassigned)
        11. Have an explicit KerberosAuthException for UGI to throw, text from public constants (Sub-task; Status: Resolved; Assignee: Xiao Chen)
        12. replace `Can't get Master Kerberos principal` message with useful information about principal and configuration item (Sub-task; Status: Open; Assignee: Unassigned)
        13. client.handleSaslConnectionFailure needlessly wraps IOEs (Sub-task; Status: Patch Available; Assignee: Yuanbo Liu)
        14. Gauges are getting logged in exceptions from AutoRenewalThreadForUserCreds (Sub-task; Status: Resolved; Assignee: LiXin Ge)
        15. KDiag to add cli options for proxies and taking to HDFS for listing & DT retrieval (Sub-task; Status: Open; Assignee: Unassigned)
        16. UGI.createLoginUser to log token filename & token identifiers on load (Sub-task; Status: Open; Assignee: Unassigned)

            People

            • Assignee: Unassigned
            • Reporter: Steve Loughran (stevel@apache.org)
