[ https://issues.apache.org/jira/browse/HDFS-16895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17682330#comment-17682330 ]
ASF GitHub Bot commented on HDFS-16895: --------------------------------------- hchaverri commented on code in PR #5324: URL: https://github.com/apache/hadoop/pull/5324#discussion_r1091307738 ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/NamenodeHeartbeatService.java: ########## 
@@ -339,8 +341,11 @@ protected NamenodeStatusReport getNamenodeStatusReport() {
 // should be required at some point for QoS
 updateSafeModeParameters(serviceURI, report);
- // Read the stats from JMX (optional)
- updateJMXParameters(webAddress, report);
+ // Read the stats from JMX (optional) using the login user credentials
+ SecurityUtil.doAsLoginUser((PrivilegedExceptionAction<Void>) () -> {
Review Comment: Only the JMX call is having issues authenticating, but I agree we should expect all requests to be made in the same context. I'll expand the scope of this. > NamenodeHeartbeatService should use credentials of logged in user > ----------------------------------------------------------------- > > Key: HDFS-16895 > URL: https://issues.apache.org/jira/browse/HDFS-16895 > Project: Hadoop HDFS > Issue Type: Bug > Components: rbf > Reporter: Hector Sandoval Chaverri > Priority: Major > Labels: pull-request-available > > NamenodeHeartbeatService has been found to log the errors when querying > protected Namenode JMX APIs. We have been able to work around this by running > kinit with the DFS_ROUTER_KEYTAB_FILE_KEY and > DFS_ROUTER_KERBEROS_PRINCIPAL_KEY on the router. > While investigating a solution, we found that doing the request as part of a > UserGroupInformation.getLoginUser.doAs() call doesn't require to kinit before. 
> The error logged is: > {noformat} > 2022-08-16 21:35:00,265 ERROR > org.apache.hadoop.hdfs.server.federation.router.FederationUtil: Cannot parse > JMX output for Hadoop:service=NameNode,name=FSNamesystem* from server > ltx1-yugiohnn03-ha1.grid.linkedin.com:50070 > org.apache.hadoop.security.authentication.client.AuthenticationException: > Error while authenticating with endpoint: > http://ltx1-yugiohnn03-ha1.grid.linkedin.com:50070/jmx?qry=Hadoop:service=NameNode,name=FSNamesystem* > at sun.reflect.GeneratedConstructorAccessor55.newInstance(Unknown > Source) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator.wrapExceptionWithMessage(KerberosAuthenticator.java:232) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:219) > at > org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:350) > at > org.apache.hadoop.hdfs.web.URLConnectionFactory.openConnection(URLConnectionFactory.java:186) > at > org.apache.hadoop.hdfs.server.federation.router.FederationUtil.getJmx(FederationUtil.java:82) > at > org.apache.hadoop.hdfs.server.federation.router.NamenodeHeartbeatService.updateJMXParameters(NamenodeHeartbeatService.java:352) > at > org.apache.hadoop.hdfs.server.federation.router.NamenodeHeartbeatService.getNamenodeStatusReport(NamenodeHeartbeatService.java:295) > at > org.apache.hadoop.hdfs.server.federation.router.NamenodeHeartbeatService.updateState(NamenodeHeartbeatService.java:218) > at > org.apache.hadoop.hdfs.server.federation.router.NamenodeHeartbeatService.periodicInvoke(NamenodeHeartbeatService.java:172) > at > org.apache.hadoop.hdfs.server.federation.router.PeriodicService$1.run(PeriodicService.java:178) > at > 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at java.lang.Thread.run(Thread.java:748) > Caused by: > org.apache.hadoop.security.authentication.client.AuthenticationException: > GSSException: No valid credentials provided (Mechanism level: Failed to find > any Kerberos tgt) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:360) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:204) > ... 
15 more > Caused by: GSSException: No valid credentials provided (Mechanism level: > Failed to find any Kerberos tgt) > at > sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147) > at > sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122) > at > sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187) > at > sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224) > at > sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212) > at > sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:336) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:310) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:310) > ... 16 more{noformat} >