[ https://issues.apache.org/jira/browse/SLIDER-1035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15089220#comment-15089220 ]
Steve Loughran commented on SLIDER-1035:
----------------------------------------

And when the user is logged out, the command fails, error "41" (i.e. 401)

{code}
~/P/H/P/s/slider-funtest (feature/SLIDER-1035_Kdiag_enhancements) $ slider kdiag
2016-01-08 13:50:43,037 [main] DEBUG utility.LaunchedWorkflowCompositeService (bindArgs(80)) - Binding 1 Arguments:
2016-01-08 13:50:43,040 [main] DEBUG utility.LaunchedWorkflowCompositeService (bindArgs(86)) - "kdiag"
2016-01-08 13:50:43,179 [main] DEBUG params.CommonArgs (validate(241)) - action=kdiag
2016-01-08 13:50:43,507 [main] DEBUG tools.ConfigHelper (loadFromResource(515)) - loaded resources from file:/Users/stevel/Projects/Hortonworks/Projects/clusterconfigs/clusters/devix/slider/slider-client.xml

== Kerberos Diagnostics scan at Fri Jan 08 13:50:43 GMT 2016 ==

Maximum AES encryption key length 2147483647

== System Properties ==

java.security.krb5.conf = "(unset)"
java.security.krb5.realm = "(unset)"
sun.security.krb5.debug = "(unset)"
sun.security.spnego.debug = "(unset)"

== Environment Variables ==

HADOOP_JAAS_DEBUG = "true"
KRB5CCNAME = "(unset)"
HADOOP_USER_NAME = "(unset)"
HADOOP_PROXY_USER = "(unset)"
HADOOP_TOKEN_FILE_LOCATION = "(unset)"
hadoop.kerberos.kinit.command = "kinit"
hadoop.security.authentication = "kerberos"
hadoop.security.authorization = "true"
hadoop.kerberos.min.seconds.before.relogin = "(unset)"
hadoop.security.dns.interface = "(unset)"
hadoop.security.dns.nameserver = "(unset)"
hadoop.rpc.protection = "authentication"
hadoop.security.saslproperties.resolver.class = "(unset)"
hadoop.security.crypto.codec.classes = "(unset)"
hadoop.security.group.mapping = "org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback"
hadoop.security.impersonation.provider.class = "(unset)"
dfs.data.transfer.protection = "(unset)"
hadoop.kerberos.kinit.command = kinit
Executable kinit is relative -must be on the PATH

== Resolving SASL property hadoop.security.saslproperties.resolver.class ==

Resolver is class org.apache.hadoop.security.SaslPropertiesResolver

== Resolving SASL property dfs.data.transfer.saslproperties.resolver.class ==

Resolver is class org.apache.hadoop.security.SaslPropertiesResolver

== Logging in ==

Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
2016-01-08 13:50:44,383 [main] DEBUG security.Groups (getUserToGroupsMappingService(301)) - Creating new Groups object
2016-01-08 13:50:44,386 [main] DEBUG security.JniBasedUnixGroupsMappingWithFallback (<init>(45)) - Group mapping impl=org.apache.hadoop.security.ShellBasedUnixGroupsMapping
2016-01-08 13:50:44,507 [main] DEBUG security.Groups (<init>(112)) - Group mapping impl=org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback; cacheTimeout=300000; warningDeltaMs=5000
[UnixLoginModule]: succeeded importing info:
    uid = 503
    gid = 20
    supp gid = 20
    supp gid = 501
    supp gid = 12
    supp gid = 61
    supp gid = 79
    supp gid = 80
    supp gid = 81
    supp gid = 98
    supp gid = 399
    supp gid = 33
    supp gid = 100
    supp gid = 204
    supp gid = 395
    supp gid = 398
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
>>>KinitOptions cache name is /Users/stevel/krb5cc_stevel
>> Acquire default native Credentials
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>>> Found no TGT's in LSA
Principal is null
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Unable to obtain Princpal Name for authentication
2016-01-08 13:50:44,536 [main] DEBUG security.UserGroupInformation (login(221)) - hadoop login
[UnixLoginModule]: added UnixPrincipal, UnixNumericUserPrincipal, UnixNumericGroupPrincipal(s), to Subject
2016-01-08 13:50:44,537 [main] DEBUG security.UserGroupInformation (commit(156)) - hadoop login commit
2016-01-08 13:50:44,538 [main] DEBUG security.UserGroupInformation (commit(170)) - using kerberos user:null
2016-01-08 13:50:44,540 [main] DEBUG security.UserGroupInformation (commit(186)) - using local user:UnixPrincipal: stevel

== Log in user ==

UGI=stevel (auth:KERBEROS)
2016-01-08 13:50:44,540 [main] DEBUG security.UserGroupInformation (commit(192)) - Using user: "UnixPrincipal: stevel" with name stevel
Has kerberos credentials: false
Authentication method: KERBEROS
Real Authentication method: KERBEROS

== Group names ==

2016-01-08 13:50:44,540 [main] DEBUG security.UserGroupInformation (commit(202)) - User entry: "stevel"
2016-01-08 13:50:44,542 [main] DEBUG security.UserGroupInformation (loginUserFromSubject(826)) - UGI loginUser:stevel (auth:KERBEROS)
staff
access_bpf
everyone
localaccounts
_appserverusr
admin
_appserveradm
_lpadmin
com.apple.access_ssh
_appstore
_lpoperator
_developer
com.apple.access_ftp
com.apple.access_screensharing

== Credentials ==

== Secret keys ==

(none)

== Token Count: 0 ==

Ticket based login: false
Keytab based login: false
2016-01-08 13:50:44,584 [main] ERROR client.SliderClient (actionKDiag(3801)) - org.apache.hadoop.security.KerberosDiags$KerberosDiagsFailure: Login user: No kerberos credentials for stevel (auth:KERBEROS)
2016-01-08 13:50:44,585 [main] DEBUG client.SliderClient (actionKDiag(3802)) - org.apache.hadoop.security.KerberosDiags$KerberosDiagsFailure: Login user: No kerberos credentials for stevel (auth:KERBEROS)
org.apache.hadoop.security.KerberosDiags$KerberosDiagsFailure: Login user: No kerberos credentials for stevel (auth:KERBEROS)
    at org.apache.hadoop.security.KerberosDiags.fail(KerberosDiags.java:395)
    at org.apache.hadoop.security.KerberosDiags.failif(KerberosDiags.java:409)
    at org.apache.hadoop.security.KerberosDiags.validateUser(KerberosDiags.java:275)
    at org.apache.hadoop.security.KerberosDiags.execute(KerberosDiags.java:172)
    at org.apache.slider.client.SliderClient.actionKDiag(SliderClient.java:3799)
    at org.apache.slider.client.SliderClient.exec(SliderClient.java:397)
    at org.apache.slider.client.SliderClient.runService(SliderClient.java:326)
    at org.apache.slider.core.main.ServiceLauncher.launchService(ServiceLauncher.java:188)
    at org.apache.slider.core.main.ServiceLauncher.launchServiceRobustly(ServiceLauncher.java:475)
    at org.apache.slider.core.main.ServiceLauncher.launchServiceAndExit(ServiceLauncher.java:403)
    at org.apache.slider.core.main.ServiceLauncher.serviceMain(ServiceLauncher.java:630)
    at org.apache.slider.Slider.main(Slider.java:49)
~/P/H/P/s/slider-funtest (feature/SLIDER-1035_Kdiag_enhancements) $ echo $status
41
{code}

> Kdiag enhancements
> ------------------
>
> Key: SLIDER-1035
> URL: https://issues.apache.org/jira/browse/SLIDER-1035
> Project: Slider
> Issue Type: Improvement
> Components: client, security
> Affects Versions: Slider 0.90.2
> Environment: Kerberos
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Fix For: Slider 0.91
>
>
> Proposed enhancements
> # make easier to run server-side. the sysprops to enable com.sun debugging
> should be cached and then restored —and only set if a -verbose flag is set.
> # check for Java Crypto Extensions having full key length; fail fast if not
> # list tokens
> # add option to check networking (hostname resolves)
> # look up KDCs and fail if none are reachable
> # maybe each {{title()}} call should force flush stderr, to try and keep JDK
> output in sync with stdout.
> # am to have option to display this and also fail fast
> # implement `--services` probes for : yarn, hdfs, registry, timeline. This
> can't go into any hadoop-common lib, a list of probes classes can be provided
> to execute as the provided UGI.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
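
A sketch of three of the proposed probes (JCE key length, local hostname resolution, KDC reachability), added here as an example and not taken from Slider or Hadoop's `KerberosDiags`. The class name, the 256-bit threshold, the TCP probe on port 88, the timeout and the constructed sample `krb5.conf` entries are all assumptions; with an unlimited-strength policy the key length call returns 2147483647, the value shown in the output above.

```java
import java.io.IOException;
import java.net.*;
import java.nio.file.*;
import java.util.*;
import javax.crypto.Cipher;

/** Hypothetical preflight class; not part of Slider or Hadoop. */
public class KerberosPreflight {
  static final int MIN_AES_BITS = 256; // assumed meaning of "full key length"
  static final int TIMEOUT_MS = 2000;  // assumed connect timeout
  // Constructed sample used when no krb5.conf path is given; hosts are placeholders.
  static final List<String> SAMPLE = List.of(
      "[realms]", " EXAMPLE.COM = {", "  kdc = kdc1.example.com",
      "  kdc = kdc2.example.com:88", " }");

  /** Collect "kdc = host[:port]" entries (hostnames or IPv4 literals only). */
  static List<InetSocketAddress> parseKdcs(List<String> lines) {
    List<InetSocketAddress> kdcs = new ArrayList<>();
    for (String raw : lines) {
      String line = raw.trim();
      if (!line.matches("kdc\\s*=.+")) continue; // skips comments, admin_server, etc.
      String value = line.substring(line.indexOf('=') + 1).trim();
      int colon = value.lastIndexOf(':');
      String host = colon < 0 ? value : value.substring(0, colon);
      int port = colon < 0 ? 88 : Integer.parseInt(value.substring(colon + 1));
      kdcs.add(InetSocketAddress.createUnresolved(host, port));
    }
    return kdcs;
  }

  /** TCP connect probe; a DNS failure also counts as unreachable. */
  static boolean reachable(InetSocketAddress kdc) {
    try (Socket s = new Socket()) {
      s.connect(new InetSocketAddress(kdc.getHostString(), kdc.getPort()), TIMEOUT_MS);
      return true;
    } catch (IOException e) {
      return false;
    }
  }

  public static void main(String[] args) throws Exception {
    int bits = Cipher.getMaxAllowedKeyLength("AES");
    if (bits < MIN_AES_BITS) throw new IllegalStateException("AES capped at " + bits + " bits");
    // Throws UnknownHostException (fail fast) if the local hostname does not resolve.
    System.out.println("Local host resolves to " + InetAddress.getLocalHost().getCanonicalHostName());
    List<String> conf = args.length > 0 ? Files.readAllLines(Paths.get(args[0])) : SAMPLE;
    List<InetSocketAddress> kdcs = parseKdcs(conf);
    long up = kdcs.stream().filter(KerberosPreflight::reachable).count();
    if (up == 0) throw new IllegalStateException("No reachable KDC among " + kdcs);
    System.out.println(up + " of " + kdcs.size() + " KDCs reachable");
  }
}
```

Pass the path to a real `krb5.conf` as the first argument; a realm that relies on DNS SRV lookup has no `kdc =` entries, so this sketch reports no reachable KDC for it.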