[ https://issues.apache.org/jira/browse/HADOOP-14987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16222958#comment-16222958 ]
Xiaoyu Yao commented on HADOOP-14987:
-------------------------------------

Thanks [~xiaochen] for the review. I attached patch v2 that addressed all the comments and fixed the unit test failure from Jenkins. Below is a sample output of the debug log output.

Sample 1: Kerberos Only (no token)
{code}
2017-10-27 14:37:59,738 [Thread-16] INFO kms.KMSClientProvider (KMSClientProvider.java:<init>(396)) - KMSClientProvider for KMS url: http://localhost:53096/kms/v1/ delegation token service: 127.0.0.1:53096 created.
2017-10-27 14:37:59,740 [Thread-16] DEBUG kms.KMSClientProvider (UserGroupInformation.java:logUserInfo(2002)) - Current UGI: oozie_user (auth:PROXY) via oozie/localh...@example.com (auth:KERBEROS)
2017-10-27 14:37:59,740 [Thread-16] DEBUG kms.KMSClientProvider (UserGroupInformation.java:logUserInfo(2002)) - Real UGI: oozie/localh...@example.com (auth:KERBEROS)
2017-10-27 14:37:59,740 [Thread-16] DEBUG kms.KMSClientProvider (UserGroupInformation.java:logUserInfo(2002)) - Login UGI: hdfs/localh...@example.com (auth:KERBEROS)
{code}

Sample 2: Proxy user with token
{code}
2017-10-27 15:18:41,306 [Thread-16] INFO hdfs.DFSClient (DFSClient.java:getDelegationToken(685)) - Created token for hdfs: HDFS_DELEGATION_TOKEN owner=hdfs/localh...@example.com, renewer=oozie, realUser=, issueDate=1509142721306, maxDate=1509747521306, sequenceNumber=3, masterKeyId=2 on 127.0.0.1:54702
2017-10-27 15:18:41,307 [Thread-16] DEBUG kms.KMSClientProvider (UserGroupInformation.java:logUserInfo(2002)) - Current UGI: oozie_user (auth:PROXY) via oozie/localh...@example.com (auth:KERBEROS)
2017-10-27 15:18:41,307 [Thread-16] DEBUG kms.KMSClientProvider (UserGroupInformation.java:logUserInfo(2004)) - +token:Kind: kms-dt, Service: 127.0.0.1:54698, Ident: (kms-dt owner=oozie_user, renewer=oozie, realUser=oozie, issueDate=1509142721275, maxDate=1509747521275, sequenceNumber=2, masterKeyId=2)
2017-10-27 15:18:41,307 [Thread-16] DEBUG kms.KMSClientProvider (UserGroupInformation.java:logUserInfo(2004)) - +token:Kind: HDFS_DELEGATION_TOKEN, Service: 127.0.0.1:54702, Ident: (token for hdfs: HDFS_DELEGATION_TOKEN owner=hdfs/localh...@example.com, renewer=oozie, realUser=, issueDate=1509142721256, maxDate=1509747521256, sequenceNumber=2, masterKeyId=2)
2017-10-27 15:18:41,308 [Thread-16] DEBUG kms.KMSClientProvider (UserGroupInformation.java:logUserInfo(2002)) - Real UGI: oozie/localh...@example.com (auth:KERBEROS)
2017-10-27 15:18:41,308 [Thread-16] DEBUG kms.KMSClientProvider (UserGroupInformation.java:logUserInfo(2002)) - Login UGI: hdfs/localh...@example.com (auth:KERBEROS)
2017-10-27 15:18:41,308 [Thread-16] DEBUG kms.KMSClientProvider (KMSClientProvider.java:run(1020)) - Getting new token from http://localhost:54698/kms/v1/, renewer:oozie
{code}

> Improve KMSClientProvider log around delegation token checking
> --------------------------------------------------------------
>
>                 Key: HADOOP-14987
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14987
>             Project: Hadoop Common
>          Issue Type: Improvement
>   Affects Versions: 2.7.3
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>         Attachments: HADOOP-14987.001.patch, HADOOP-14987.002.patch
>
>
> KMSClientProvider#containsKmsDt uses SecurityUtil.buildTokenService(addr) to
> build the key to look for KMS-DT from the UGI's token map. The token lookup
> key here varies depending on the KMSClientProvider's configuration value for
> hadoop.security.token.service.use_ip. In certain cases, the token obtained
> with non-matching hadoop.security.token.service.use_ip setting will not be
> recognized by KMSClientProvider. This ticket is opened to improve logs for
> troubleshooting KMS delegation token related issues like this.
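
An added troubleshooting example, not part of the original message or of the Hadoop patch: a small Python check that reads debug output in the format quoted above and reports whether each kms-dt token's Service matches the provider's delegation token service. The sample lines are constructed, and treating the INFO line's "delegation token service" value as the lookup key, as well as the status names, are assumptions of this sketch.

```python
import re

# Constructed log lines, modelled on the debug output format quoted in the comment.
SAMPLE_LOG = """\
2017-10-27 15:18:41,300 [Thread-16] INFO kms.KMSClientProvider (KMSClientProvider.java:<init>(396)) - KMSClientProvider for KMS url: http://localhost:54698/kms/v1/ delegation token service: 127.0.0.1:54698 created.
2017-10-27 15:18:41,307 [Thread-16] DEBUG kms.KMSClientProvider (UserGroupInformation.java:logUserInfo(2004)) - +token:Kind: kms-dt, Service: localhost:54698, Ident: (kms-dt owner=oozie_user, renewer=oozie, realUser=oozie)
2017-10-27 15:18:41,307 [Thread-16] DEBUG kms.KMSClientProvider (UserGroupInformation.java:logUserInfo(2004)) - +token:Kind: HDFS_DELEGATION_TOKEN, Service: 127.0.0.1:54702, Ident: (token for hdfs)
"""

# Assumption: the "delegation token service" value in the INFO line is the
# key the provider looks up in the UGI token map.
PROVIDER_RE = re.compile(r"delegation token service: (\S+) created\.")
TOKEN_RE = re.compile(r"\+token:Kind: ([^,\s]+), Service: ([^,\s]+),")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def host_form(service):
    """Classify the host part of 'host:port' as 'ip' or 'hostname'."""
    host, _, _port = service.rpartition(":")
    return "ip" if IPV4_RE.fullmatch(host) else "hostname"


def check_kms_tokens(log_text):
    """Return [(token_service, status)] for every kms-dt token in the log."""
    expected, tokens = set(), []
    for line in log_text.splitlines():
        provider = PROVIDER_RE.search(line)
        if provider:
            expected.add(provider.group(1))
        token = TOKEN_RE.search(line)
        if token and token.group(1) == "kms-dt":
            tokens.append(token.group(2))
    results = []
    for service in tokens:
        port = service.rpartition(":")[2]
        if service in expected:
            status = "match"
        elif any(port == e.rpartition(":")[2] and host_form(service) != host_form(e)
                 for e in expected):
            # Heuristic: same port, IP on one side and hostname on the other.
            status = "host_form_mismatch"
        else:
            status = "no_match"
        results.append((service, status))
    return results


if __name__ == "__main__":
    for service, status in check_kms_tokens(SAMPLE_LOG):
        print(f"kms-dt Service={service}: {status}")
```

A host_form_mismatch result is consistent with the token having been obtained under a different hadoop.security.token.service.use_ip value than the one the provider is running with; it is a hint for where to look, not proof.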