Stephen Chu created HADOOP-11291:
------------------------------------

             Summary: Log the cause of SASL connection failures
                 Key: HADOOP-11291
                 URL: https://issues.apache.org/jira/browse/HADOOP-11291
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
    Affects Versions: 2.5.0
            Reporter: Stephen Chu
            Assignee: Stephen Chu
            Priority: Minor


{{UGI#doAs}} will no longer log a PriviledgedActionException unless 
LOG.isDebugEnabled() == true. HADOOP-10015 made this change because it was 
decided that users calling {{UGI#doAs}} should be responsible for logging the 
error when catching an exception. Also, the log was confusing in certain 
situations (see more details in HADOOP-10015).

However, as Daryn noted, this log message was very helpful in cases of 
debugging security issues.

As an example, we used to see this in the DN logs before HADOOP-10015:
{code}
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: 
PriviledgedActionException as:hdfs/hosta....@realm.com (auth:KERBEROS) 
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by 
GSSException: No valid credentials provided (Mechanism level: Generic error 
(description in e-text) (60) - NO PREAUTH)]
2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup 
connection for hdfs/hosta....@realm.com to hostB.com/101.01.010:8022
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: 
PriviledgedActionException as:hdfs/hosta....@realm.com (auth:KERBEROS) 
cause:java.io.IOException: Couldn't setup connection for 
hdfs/hosta....@realm.com to hostB.com/101.01.010:8022
{code}

After the fix went in, the DN was upgraded, and only logs:
{code}
2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup 
connection for hdfs/hosta....@realm.com to hostB.com/101.01.010:8022
2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: 
Problem connecting to server: hostB.com/101.01.010:8022
{code}

It'd be good to add more logging information about the cause of a SASL 
connection failure.

Thanks to [~qwertymaniac] for reporting this.
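
One way a caller of {{UGI#doAs}} could log the cause of a SASL connection failure itself, shown as an added example that is not part of the original report and is not Hadoop's own code. The class and method names, the principal and the server address are hypothetical, and only JDK classes are used.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.sasl.SaslException;
import org.ietf.jgss.GSSException;

public class SaslFailureLogging {
    private static final Logger LOG = Logger.getLogger("example.ipc.Client");

    /** Flattens the cause chain, outermost first, so one log line carries the root cause. */
    static String describeCauses(Throwable t) {
        StringBuilder sb = new StringBuilder();
        int depth = 0;
        // The depth limit guards against a self-referencing cause chain.
        for (Throwable c = t; c != null && depth < 10; c = c.getCause(), depth++) {
            if (depth > 0) {
                sb.append(" [Caused by ");
            }
            sb.append(c.getClass().getName()).append(": ").append(c.getMessage());
        }
        for (int i = 1; i < depth; i++) {
            sb.append(']');
        }
        return sb.toString();
    }

    /** Hypothetical stand-in for SASL negotiation; fails the way the DN log above shows. */
    static void setupSaslConnection() throws IOException {
        GSSException gss = new GSSException(GSSException.NO_CRED, 0, "constructed sample");
        throw new SaslException("GSS initiate failed", gss);
    }

    /** Caller-side handling: log the full cause once at WARN, then rethrow with the cause kept. */
    static void connect(String principal, String server) throws IOException {
        try {
            setupSaslConnection();
        } catch (IOException e) {
            String msg = "Couldn't setup connection for " + principal + " to " + server;
            LOG.log(Level.WARNING, msg + " cause:" + describeCauses(e));
            throw new IOException(msg, e);
        }
    }

    public static void main(String[] args) {
        try {
            // Constructed principal and address, not values from the report.
            connect("hdfs/dn1.example.com@EXAMPLE.COM", "nn.example.com:8022");
        } catch (IOException e) {
            System.out.println("rethrown with cause: " + describeCauses(e));
        }
    }
}
```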


