[ https://issues.apache.org/jira/browse/HADOOP-11736?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Allen Wittenauer updated HADOOP-11736: -------------------------------------- Labels: BB2015-05-TBR (was: ) > KMSClientProvider addDelegationToken does not notify callers when Auth > failure is due to Proxy User configuration a > -------------------------------------------------------------------------------------------------------------------- > > Key: HADOOP-11736 > URL: https://issues.apache.org/jira/browse/HADOOP-11736 > Project: Hadoop Common > Issue Type: Bug > Reporter: Arun Suresh > Assignee: Arun Suresh > Priority: Minor > Labels: BB2015-05-TBR > Attachments: HADOOP-11736.1.patch, HDFS-7970.1.patch > > > When a long running process such as YARN RM tries to create/renew a KMS > DelegationToken on behalf of proxy user and if the Proxy user rules are not > correctly configured to allow yarn to proxy the required user, then the > following is found in the RM logs : > {noformat} > Unable to add the application to the delegation token renewer. > java.io.IOException: java.lang.reflect.UndeclaredThrowableException > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.addDelegationTokens(KMSClientProvider.java:887) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$1.call(LoadBalancingKMSClientProvider.java:132) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$1.call(LoadBalancingKMSClientProvider.java:129) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:94) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.addDelegationTokens(LoadBalancingKMSClientProvider.java:129) > at > org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension.addDelegationTokens(KeyProviderDelegationTokenExtension.java:86) > ...... > ...... > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:127) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:205) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:127) > at > org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.doDelegationTokenOperation(DelegationTokenAuthenticator.java:284) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.getDelegationToken(DelegationTokenAuthenticator.java:165) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.getDelegationToken(DelegationTokenAuthenticatedURL.java:371) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider$2.run(KMSClientProvider.java:874) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider$2.run(KMSClientProvider.java:869) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671) > ... 21 more > {noformat} > This gives no information to the user as to why the call has failed, and > there is generally no way for an admin to know the the ProxyUser setting is > the issue without going thru the code. -- This message was sent by Atlassian JIRA (v6.3.4#6332)