[ https://issues.apache.org/jira/browse/HADOOP-11736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14375026#comment-14375026 ]
Hadoop QA commented on HADOOP-11736: ------------------------------------ {color:green}+1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12706390/HADOOP-11736.1.patch against trunk revision 4cd54d9. {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+1 tests included{color}. The patch appears to include 1 new or modified test files. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 javadoc{color}. There were no new javadoc warning messages. {color:green}+1 eclipse:eclipse{color}. The patch built with eclipse:eclipse. {color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 2.0.3) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 core tests{color}. The patch passed unit tests in hadoop-common-project/hadoop-auth hadoop-common-project/hadoop-common hadoop-common-project/hadoop-kms. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/5982//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/5982//console This message is automatically generated. > KMSClientProvider addDelegationToken does not notify callers when Auth > failure is due to Proxy User configuration a > -------------------------------------------------------------------------------------------------------------------- > > Key: HADOOP-11736 > URL: https://issues.apache.org/jira/browse/HADOOP-11736 > Project: Hadoop Common > Issue Type: Bug > Reporter: Arun Suresh > Assignee: Arun Suresh > Attachments: HADOOP-11736.1.patch, HDFS-7970.1.patch > > > When a long running process such as YARN RM tries to create/renew a KMS > DelegationToken on behalf of proxy user and if the Proxy user rules are not > correctly configured to allow yarn to proxy the required user, then the > following is found in the RM logs : > {noformat} > Unable to add the application to the delegation token renewer. > java.io.IOException: java.lang.reflect.UndeclaredThrowableException > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.addDelegationTokens(KMSClientProvider.java:887) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$1.call(LoadBalancingKMSClientProvider.java:132) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$1.call(LoadBalancingKMSClientProvider.java:129) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:94) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.addDelegationTokens(LoadBalancingKMSClientProvider.java:129) > at > org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension.addDelegationTokens(KeyProviderDelegationTokenExtension.java:86) > ...... > ...... > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:127) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:205) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:127) > at > org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.doDelegationTokenOperation(DelegationTokenAuthenticator.java:284) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.getDelegationToken(DelegationTokenAuthenticator.java:165) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.getDelegationToken(DelegationTokenAuthenticatedURL.java:371) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider$2.run(KMSClientProvider.java:874) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider$2.run(KMSClientProvider.java:869) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671) > ... 21 more > {noformat} > This gives no information to the user as to why the call has failed, and > there is generally no way for an admin to know the the ProxyUser setting is > the issue without going thru the code. -- This message was sent by Atlassian JIRA (v6.3.4#6332)