[ https://issues.apache.org/jira/browse/HADOOP-12510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14973245#comment-14973245 ]
Steve Loughran commented on HADOOP-12510: ----------------------------------------- Todd, I absolutely feel your pain here. We have a major problem though: Those strings come up from the kerberos layer, and we generally don't have a clue what's happened down there except that it was a GSSException with some text. And before you think "we could match on the text" for better messages, bear in mind: # the text changes from Java version to version # those same error messages have multiple causes. # normally the token -> keberos backoff is exactly what you want to happen whenever you try to connect as a principal, rather than something downstream; having warnings here is going to create more support calls than before One thing we've proposed is having a keberos diagnostics entry point; any help there would be appreciated. I'm also trying to build up a list of [kerberos error codes and meanings|https://github.com/steveloughran/kerberos_and_hadoop/blob/master/sections/errors.md]; submit a pull request with any extensions or enhancements to that error list and I'll merge it in. > Need improved WARN or ERROR when token based auth fails for kmsclient request > ----------------------------------------------------------------------------- > > Key: HADOOP-12510 > URL: https://issues.apache.org/jira/browse/HADOOP-12510 > Project: Hadoop Common > Issue Type: Improvement > Components: security > Reporter: Todd Grayson > > When token based authentication fails, it would be helpful to have a WARN > event of the failure, as well as a WARN event that alternative forms of > authentication are being attempted. > For example if token based authentication has failed; it appears that there > is a fallback to attempting kerberos authentication. At that point the most > prominent logging is a kerberos GSS error, when the actual issue was a > failure at the token evaluation of a client access request to an HDFS > encrypted zone. > In the example below we are presented with a kerberos error, but the actual > error was a failure of token authorization in an unexpected way. > {code} > 15/08/27 07:35:35 INFO mapreduce.Job: Task Id : > attempt_1440594773177_0021_m_000009_0, Status : FAILED > org.apache.hadoop.security.authentication.client.AuthenticationException: > GSSException: No valid credentials provided (Mechanism level: Failed to find > any Kerberos tgt) > java.io.IOException: > org.apache.hadoop.security.authentication.client.AuthenticationException: > GSSException: No valid credentials provided (Mechanism level: Failed to find > any Kerberos tgt) > at > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)