[ https://issues.apache.org/jira/browse/HADOOP-11291?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stephen Chu updated HADOOP-11291:
---------------------------------
    Labels: supportability  (was: )

> Log the cause of SASL connection failures
> -----------------------------------------
>
>                 Key: HADOOP-11291
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11291
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Stephen Chu
>            Assignee: Stephen Chu
>            Priority: Minor
>              Labels: supportability
>
> {{UGI#doAs}} will no longer log a PriviledgedActionException unless
> LOG.isDebugEnabled() == true. HADOOP-10015 made this change because it was
> decided that users calling {{UGI#doAs}} should be responsible for logging the
> error when catching an exception. Also, the log was confusing in certain
> situations (see more details in HADOOP-10015).
> However, as Daryn noted, this log message was very helpful in cases of
> debugging security issues.
> As an example, we used to see this in the DN logs before HADOOP-10015:
> {code}
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation:
> PriviledgedActionException as:hdfs/hosta....@realm.com (auth:KERBEROS)
> cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Generic error
> (description in e-text) (60) - NO PREAUTH)]
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup
> connection for hdfs/hosta....@realm.com to hostB.com/101.01.010:8022
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation:
> PriviledgedActionException as:hdfs/hosta....@realm.com (auth:KERBEROS)
> cause:java.io.IOException: Couldn't setup connection for
> hdfs/hosta....@realm.com to hostB.com/101.01.010:8022
> {code}
> After the fix went in, the DN was upgraded, and only logs:
> {code}
> 2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup
> connection for hdfs/hosta....@realm.com to hostB.com/101.01.010:8022
> 2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode:
> Problem connecting to server: hostB.com/101.01.010:8022
> {code}
> It'd be good to add more logging information about the cause of a SASL
> connection failure.
> Thanks to [~qwertymaniac] for reporting this.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
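
Added example (not part of the original message and not Hadoop code): a log triage script that pairs each `org.apache.hadoop.ipc.Client` connection failure with a nearby `SaslException` cause line and reports the failures that have none, which is the gap this issue describes. The function name `triage`, the 2-second matching window, and the principal, host and address in the sample are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the two DN excerpts in the issue; the principal,
# host and address are placeholders, and wrapped lines are joined back together.
SAMPLE_LOG = """\
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/dn1@EXAMPLE.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - NO PREAUTH)]
2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/dn1@EXAMPLE.COM to nn1.example.com/192.0.2.10:8022
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/dn1@EXAMPLE.COM (auth:KERBEROS) cause:java.io.IOException: Couldn't setup connection for hdfs/dn1@EXAMPLE.COM to nn1.example.com/192.0.2.10:8022
2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/dn1@EXAMPLE.COM to nn1.example.com/192.0.2.10:8022
2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Problem connecting to server: nn1.example.com/192.0.2.10:8022
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ (\S+): (.*)$")
SASL = re.compile(r"as:(\S+) .*cause:javax\.security\.sasl\.SaslException: (.*)$")
FAIL = re.compile(r"Couldn't setup connection for (\S+) to (\S+)")
MECH = re.compile(r"Mechanism level: (.*)\)\]$")
IPC_CLIENT = "org.apache.hadoop.ipc.Client"


def triage(log_text, window=timedelta(seconds=2)):
    """Pair each IPC connection failure with a nearby SaslException cause, if one was logged."""
    causes, failures = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        logger, msg = m.group(2), m.group(3)
        sasl = SASL.search(msg)
        fail = FAIL.search(msg) if logger == IPC_CLIENT else None
        if sasl:
            mech = MECH.search(sasl.group(2))
            # Prefer the GSS mechanism-level detail; fall back to the full cause text.
            causes.append((ts, sasl.group(1), mech.group(1) if mech else sasl.group(2)))
        elif fail:
            failures.append((ts, fail.group(1), fail.group(2)))
    report = []
    for ts, principal, server in failures:
        cause = next((c for t, p, c in causes
                      if p == principal and abs(t - ts) <= window), None)
        report.append({"time": ts, "principal": principal, "server": server, "cause": cause})
    return report


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["time"], r["server"], r["cause"] or "NO CAUSE LOGGED")
```
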