[jira] [Commented] (HADOOP-14987) Improve KMSClientProvider log around delegation token checking

Fri, 27 Oct 2017 09:54:11 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-14987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16222660#comment-16222660
 ] 

Xiao Chen commented on HADOOP-14987:
------------------------------------

Thanks for the improvement Xiaoyu.

{{DelegationTokenAuthenticatedURL}} has some debug logs which might help a 
little bit, but agree logging in KMSCP is more direct. :) LGTM overall, some 
comments:
- {code:title=KMSCP#getActualUgi}
    if (LOG.isDebugEnabled()) {
      UserGroupInformation.logAllUserInfo(LOG, currentUgi);
    }
{code}
We can skip the {{isDebugEnabled}} check here.

- We cannot make the change in UGI, since it's Public-Evolving. We can add the 
new methods though, and consider annotate at method level as Private-Unstable 
to save maintenance burden, according to 
http://hadoop.apache.org/docs/r3.0.0-beta1/hadoop-project-dist/hadoop-common/Compatibility.html.
 The old logging method can be marked deprecated at this time.

- {{UGI#logUserInfo}} could use a {{isDebugEnabled}} check so we don't loop 
through the tokens unnecessarily. Should also make sure {{log}} is used as the 
logger in those methods.

It'd be helpful to provide an example debug log for demonstration purpose.

> Improve KMSClientProvider log around delegation token checking
> --------------------------------------------------------------
>
>                 Key: HADOOP-14987
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14987
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 2.7.3
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>         Attachments: HADOOP-14987.001.patch
>
>
> KMSClientProvider#containsKmsDt uses SecurityUtil.buildTokenService(addr) to 
> build the key to look for KMS-DT from the UGI's token map. The token lookup 
> key here varies depending  on the KMSClientProvider's configuration value for 
> hadoop.security.token.service.use_ip. In certain cases, the token obtained 
> with non-matching hadoop.security.token.service.use_ip setting will not be 
> recognized by KMSClientProvider. This ticket is opened to improve logs for 
> troubleshooting KMS delegation token related issues like this.  



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to