[ https://issues.apache.org/jira/browse/HADOOP-11291?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Chu updated HADOOP-11291:
---------------------------------
    Attachment: HADOOP-11291.1.patch

Attaching a patch that adds the cause to the "Couldn't setup connection" log in handleSaslConnectionFailure. Also, for troubleshooters, it'll be useful to get the stacktrace in this situation, so also added printing of the stacktrace of the cause.

> Log the cause of SASL connection failures
> -----------------------------------------
>
>                 Key: HADOOP-11291
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11291
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Stephen Chu
>            Assignee: Stephen Chu
>            Priority: Minor
>              Labels: supportability
>         Attachments: HADOOP-11291.1.patch
>
>
> {{UGI#doAs}} will no longer log a PriviledgedActionException unless
> LOG.isDebugEnabled() == true. HADOOP-10015 made this change because it was
> decided that users calling {{UGI#doAs}} should be responsible for logging the
> error when catching an exception. Also, the log was confusing in certain
> situations (see more details in HADOOP-10015).
> However, as Daryn noted, this log message was very helpful in cases of
> debugging security issues.
> As an example, we used to see this in the DN logs before HADOOP-10015:
> {code}
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation:
> PriviledgedActionException as:hdfs/hosta....@realm.com (auth:KERBEROS)
> cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Generic error
> (description in e-text) (60) - NO PREAUTH)]
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup
> connection for hdfs/hosta....@realm.com to hostB.com/101.01.010:8022
> 2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation:
> PriviledgedActionException as:hdfs/hosta....@realm.com (auth:KERBEROS)
> cause:java.io.IOException: Couldn't setup connection for
> hdfs/hosta....@realm.com to hostB.com/101.01.010:8022
> {code}
> After the fix went in, the DN was upgraded, and only logs:
> {code}
> 2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup
> connection for hdfs/hosta....@realm.com to hostB.com/101.01.010:8022
> 2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode:
> Problem connecting to server: hostB.com/101.01.010:8022
> {code}
> It'd be good to add more logging information about the cause of a SASL
> connection failure.
> Thanks to [~qwertymaniac] for reporting this.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
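
An added example, not part of the issue or the attached patch: a Python triage script that pairs each `ipc.Client` "Couldn't setup connection" warning with a SASL cause logged by `UserGroupInformation`, and leaves the cause empty for the post-HADOOP-10015 shape quoted above. The hosts, realm, address and the `triage` helper are assumptions; wrapped log lines are assumed to be joined, and matching on the same second and principal is a heuristic.

```python
import re

# Constructed sample in the two shapes quoted in the issue. Hosts, realm and
# address are placeholders; each log record is on a single line.
SAMPLE = """\
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.example.com@EXAMPLE.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - NO PREAUTH)]
2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.example.com@EXAMPLE.COM to hostB.example.com/192.0.2.10:8022
2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.example.com@EXAMPLE.COM to hostB.example.com/192.0.2.10:8022
2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Problem connecting to server: hostB.example.com/192.0.2.10:8022
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} (\w+) (\S+): (.*)$")
FAIL = re.compile(r"^Couldn't setup connection for (\S+) to (\S+)$")
UGI = re.compile(r"^PriviledgedActionException as:(\S+) .*?"
                 r"cause:(javax\.security\.sasl\.SaslException: .*)$")
MECH = re.compile(r"Mechanism level: (.*)\)\]")


def triage(text):
    """Return one record per connection failure, with its SASL cause if logged."""
    causes = {}    # (second, principal) -> SaslException text from UGI#doAs
    failures = []  # (second, principal, server) from ipc.Client
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, _level, logger, msg = m.groups()
        if logger.endswith("UserGroupInformation"):
            u = UGI.match(msg)
            if u:
                causes[(ts, u.group(1))] = u.group(2)
        elif logger.endswith("ipc.Client"):
            f = FAIL.match(msg)
            if f:
                failures.append((ts, f.group(1), f.group(2)))
    out = []
    for ts, principal, server in failures:
        cause = causes.get((ts, principal))
        mech = MECH.search(cause) if cause else None
        out.append({"time": ts, "principal": principal, "server": server,
                    "cause": cause, "mechanism": mech.group(1) if mech else None})
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec["time"], rec["server"], rec["mechanism"] or "NO CAUSE LOGGED")
```
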