[jira] [Commented] (HADOOP-14987) Improve KMSClientProvider log around delegation token checking

Xiaoyu Yao (JIRA) Fri, 27 Oct 2017 15:22:49 -0700

    [ 
https://issues.apache.org/jira/browse/HADOOP-14987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16222958#comment-16222958
 ]


Xiaoyu Yao commented on HADOOP-14987:
-------------------------------------

Thanks [~xiaochen] for the review. I attached patch v2 that addressed all the 
comments and fix the unit test failure from Jenkins. Below is a sample output 
of the debug log output. 

Sample 1: Kerberos Only (no token)
{code}
2017-10-27 14:37:59,738 [Thread-16] INFO  kms.KMSClientProvider 
(KMSClientProvider.java:<init>(396)) - KMSClientProvider for KMS url: 
http://localhost:53096/kms/v1/ delegation token service: 127.0.0.1:53096 
created.
2017-10-27 14:37:59,740 [Thread-16] DEBUG kms.KMSClientProvider 
(UserGroupInformation.java:logUserInfo(2002)) - Current UGI: oozie_user 
(auth:PROXY) via oozie/localh...@example.com (auth:KERBEROS)
2017-10-27 14:37:59,740 [Thread-16] DEBUG kms.KMSClientProvider 
(UserGroupInformation.java:logUserInfo(2002)) - Real UGI: 
oozie/localh...@example.com (auth:KERBEROS)
2017-10-27 14:37:59,740 [Thread-16] DEBUG kms.KMSClientProvider 
(UserGroupInformation.java:logUserInfo(2002)) - Login UGI: 
hdfs/localh...@example.com (auth:KERBEROS)
{code}

Sample 2: Proxy user with token

{code}
2017-10-27 15:18:41,306 [Thread-16] INFO  hdfs.DFSClient 
(DFSClient.java:getDelegationToken(685)) - Created token for hdfs: 
HDFS_DELEGATION_TOKEN owner=hdfs/localh...@example.com, renewer=oozie, 
realUser=, issueDate=1509142721306, maxDate=1509747521306, sequenceNumber=3, 
masterKeyId=2 on 127.0.0.1:54702
2017-10-27 15:18:41,307 [Thread-16] DEBUG kms.KMSClientProvider 
(UserGroupInformation.java:logUserInfo(2002)) - Current UGI: oozie_user 
(auth:PROXY) via oozie/localh...@example.com (auth:KERBEROS)
2017-10-27 15:18:41,307 [Thread-16] DEBUG kms.KMSClientProvider 
(UserGroupInformation.java:logUserInfo(2004)) - +token:Kind: kms-dt, Service: 
127.0.0.1:54698, Ident: (kms-dt owner=oozie_user, renewer=oozie, 
realUser=oozie, issueDate=1509142721275, maxDate=1509747521275, 
sequenceNumber=2, masterKeyId=2)
2017-10-27 15:18:41,307 [Thread-16] DEBUG kms.KMSClientProvider 
(UserGroupInformation.java:logUserInfo(2004)) - +token:Kind: 
HDFS_DELEGATION_TOKEN, Service: 127.0.0.1:54702, Ident: (token for hdfs: 
HDFS_DELEGATION_TOKEN owner=hdfs/localh...@example.com, renewer=oozie, 
realUser=, issueDate=1509142721256, maxDate=1509747521256, sequenceNumber=2, 
masterKeyId=2)
2017-10-27 15:18:41,308 [Thread-16] DEBUG kms.KMSClientProvider 
(UserGroupInformation.java:logUserInfo(2002)) - Real UGI: 
oozie/localh...@example.com (auth:KERBEROS)
2017-10-27 15:18:41,308 [Thread-16] DEBUG kms.KMSClientProvider 
(UserGroupInformation.java:logUserInfo(2002)) - Login UGI: 
hdfs/localh...@example.com (auth:KERBEROS)
2017-10-27 15:18:41,308 [Thread-16] DEBUG kms.KMSClientProvider 
(KMSClientProvider.java:run(1020)) - Getting new token from 
http://localhost:54698/kms/v1/, renewer:oozie

{code}


> Improve KMSClientProvider log around delegation token checking
> --------------------------------------------------------------
>
>                 Key: HADOOP-14987
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14987
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 2.7.3
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>         Attachments: HADOOP-14987.001.patch, HADOOP-14987.002.patch
>
>
> KMSClientProvider#containsKmsDt uses SecurityUtil.buildTokenService(addr) to 
> build the key to look for KMS-DT from the UGI's token map. The token lookup 
> key here varies depending  on the KMSClientProvider's configuration value for 
> hadoop.security.token.service.use_ip. In certain cases, the token obtained 
> with non-matching hadoop.security.token.service.use_ip setting will not be 
> recognized by KMSClientProvider. This ticket is opened to improve logs for 
> troubleshooting KMS delegation token related issues like this.  



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-14987) Improve KMSClientProvider log around delegation token checking

Reply via email to