[
https://issues.apache.org/jira/browse/HADOOP-12510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14973245#comment-14973245
]
Steve Loughran commented on HADOOP-12510:
-----------------------------------------
Todd, I absolutely feel your pain here.
We have a major problem though: Those strings come up from the kerberos layer,
and we generally don't have a clue what's happened down there except that it
was a GSSException with some text. And before you think "we could match on the
text" for better messages, bear in mind:
# the text changes from Java version to version
# those same error messages have multiple causes.
# normally the token -> kerberos backoff is exactly what you want to happen
whenever you try to connect as a principal, rather than something downstream;
having warnings here is going to create more support calls than before
One thing we've proposed is having a kerberos diagnostics entry point; any help
there would be appreciated.
I'm also trying to build up a list of [kerberos error codes and
meanings|https://github.com/steveloughran/kerberos_and_hadoop/blob/master/sections/errors.md];
submit a pull request with any extensions or enhancements to that error list
and I'll merge it in.
> Need improved WARN or ERROR when token based auth fails for kmsclient request
> -----------------------------------------------------------------------------
>
> Key: HADOOP-12510
> URL: https://issues.apache.org/jira/browse/HADOOP-12510
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Todd Grayson
>
> When token based authentication fails, it would be helpful to have a WARN
> event of the failure, as well as a WARN event that alternative forms of
> authentication are being attempted.
> For example, if token based authentication has failed, it appears that there
> is a fallback to attempting kerberos authentication. At that point the most
> prominent logging is a kerberos GSS error, when the actual issue was a
> failure at the token evaluation of a client access request to an HDFS
> encrypted zone.
> In the example below we are presented with a kerberos error, but the actual
> error was a failure of token authorization in an unexpected way.
> {code}
> 15/08/27 07:35:35 INFO mapreduce.Job: Task Id :
> attempt_1440594773177_0021_m_000009_0, Status : FAILED
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> GSSException: No valid credentials provided (Mechanism level: Failed to find
> any Kerberos tgt)
> java.io.IOException:
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> GSSException: No valid credentials provided (Mechanism level: Failed to find
> any Kerberos tgt)
> at
> {code}