HADOOP-19401: Improve error message when OS can't identify the current user. #7325

Closed

cnauroth
Contributor

Description of PR

Under simple auth, UGI identifies the current Hadoop user as the OS user. If the OS can't determine the user, then they receive a cryptic KerberosAuthException, even though Kerberos auth isn't really configured. I've seen this come up for Hadoop processes launched in Docker containers that accidentally specify a UID that's not actually present in the image. We can improve this error so that users have a better understanding of how to fix the problem.

Here is how the Unix user identification flows through the JDK:

https://github.com/openjdk/jdk11u-dev/blob/master/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixPrincipal.java#L65

https://github.com/openjdk/jdk11u-dev/blob/master/src/jdk.security.auth/share/classes/com/sun/security/auth/module/UnixLoginModule.java#L129

https://github.com/openjdk/jdk11u-dev/blob/master/src/jdk.security.auth/share/classes/com/sun/security/auth/module/UnixSystem.java#L55

Ultimately, this is just delegating to native syscalls to getuid and getpwuid:

https://github.com/openjdk/jdk11u-dev/blob/master/src/jdk.security.auth/unix/native/libjaas/Unix.c#L82

How was this patch tested?

One easy way to reproduce this problem is to exec inside the dev container with a non-existent UID:

docker exec -it -u 123 690a92a9a5dc /bin/bash

 _   _           _                    ______
| | | |         | |                   |  _  \
| |_| | __ _  __| | ___   ___  _ __   | | | |_____   __
|  _  |/ _` |/ _` |/ _ \ / _ \| '_ \  | | | / _ \ \ / /
| | | | (_| | (_| | (_) | (_) | |_) | | |/ /  __/\ V /
\_| |_/\__,_|\__,_|\___/ \___/| .__/  |___/ \___| \_(_)
                              | |
                              |_|

This is the standard Hadoop Developer build environment.
This has all the right tools installed required to build
Hadoop from source.

I have no name!@690a92a9a5dc:~/hadoop$ 

Then, run UGI's main entry point:

I have no name!@690a92a9a5dc:/tmp/123/hadoop-3.4.1$ java -cp "$(bin/hadoop classpath)" org.apache.hadoop.security.UserGroupInformation
Getting UGI for current user
Exception in thread "main" org.apache.hadoop.security.KerberosAuthException: failure to login: javax.security.auth.login.LoginException: java.lang.NullPointerException: invalid null input: name
	at jdk.security.auth/com.sun.security.auth.UnixPrincipal.<init>(UnixPrincipal.java:71)
	at jdk.security.auth/com.sun.security.auth.module.UnixLoginModule.login(UnixLoginModule.java:134)
	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679)
	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677)
	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587)
	at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:2148)
	at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:2053)
	at org.apache.hadoop.security.UserGroupInformation.createLoginUser(UserGroupInformation.java:733)
	at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:683)
	at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:590)
	at org.apache.hadoop.security.UserGroupInformation.main(UserGroupInformation.java:2302)

	at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:2064)
	at org.apache.hadoop.security.UserGroupInformation.createLoginUser(UserGroupInformation.java:733)
	at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:683)
	at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:590)
	at org.apache.hadoop.security.UserGroupInformation.main(UserGroupInformation.java:2302)
Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException: invalid null input: name
	at jdk.security.auth/com.sun.security.auth.UnixPrincipal.<init>(UnixPrincipal.java:71)
	at jdk.security.auth/com.sun.security.auth.module.UnixLoginModule.login(UnixLoginModule.java:134)
	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679)
	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677)
	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587)
	at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:2148)
	at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:2053)
	at org.apache.hadoop.security.UserGroupInformation.createLoginUser(UserGroupInformation.java:733)
	at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:683)
	at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:590)
	at org.apache.hadoop.security.UserGroupInformation.main(UserGroupInformation.java:2302)

	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:850)
	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679)
	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677)
	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587)
	at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:2148)
	at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:2053)
	... 4 more

This is problematic for two reasons:

  1. The NullPointerException from the JDK doesn't point the user toward how to fix the problem.
  2. The presence of KerberosAuthException actually misleads people into thinking it's a Kerberos problem, even though this is simple auth.

After the patch, the error indicates a problem with the UID and avoids mentioning Kerberos. This will point users in the right direction of looking at problems with their OS user.

Exception in thread "main" java.io.IOException: Invalid UID, could not determine effective user
	at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:2087)
	at org.apache.hadoop.security.UserGroupInformation.createLoginUser(UserGroupInformation.java:734)
	at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:684)
	at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:591)
	at org.apache.hadoop.security.UserGroupInformation.main(UserGroupInformation.java:2326)
Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException: invalid null input: name
	at jdk.security.auth/com.sun.security.auth.UnixPrincipal.<init>(UnixPrincipal.java:71)
	at jdk.security.auth/com.sun.security.auth.module.UnixLoginModule.login(UnixLoginModule.java:134)
	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679)
	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677)
	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587)
	at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:2172)
	at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:2067)
	at org.apache.hadoop.security.UserGroupInformation.createLoginUser(UserGroupInformation.java:734)
	at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:684)
	at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:591)
	at org.apache.hadoop.security.UserGroupInformation.main(UserGroupInformation.java:2326)

	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:850)
	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679)
	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677)
	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587)
	at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:2172)
	at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:2067)
	... 4 more

For code changes:

  • Does the title or this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?
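
The lookup described in this PR (getuid, then a passwd lookup), as an added C example that is not part of the PR, Hadoop or the JDK: it reports whether a UID resolves to a user name, which is the condition that leaves the JDK with a null name. It uses the reentrant `getpwuid_r`; `resolve_uid`, `first_unmapped_uid` and the `uid_status` values are hypothetical names.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not Hadoop or JDK code; all names here are hypothetical. */
enum uid_status { UID_MAPPED, UID_UNMAPPED, UID_LOOKUP_ERROR };

/* Resolve uid to a user name via getpwuid_r(). name may be NULL. */
enum uid_status resolve_uid(uid_t uid, char *name, size_t name_len) {
    struct passwd pw, *result = NULL;
    char buf[16384];
    int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &result);
    if (result == NULL) {
        /* rc == 0 with no result means "no such entry"; some NSS back
           ends report the same condition as ENOENT or ESRCH. */
        if (rc == 0 || rc == ENOENT || rc == ESRCH) return UID_UNMAPPED;
        return UID_LOOKUP_ERROR;   /* e.g. EIO, ERANGE (buffer too small) */
    }
    if (name != NULL && name_len > 0)
        snprintf(name, name_len, "%s", result->pw_name);
    return UID_MAPPED;
}

/* Demo helper: first UID in [start, start+1000) without a passwd entry,
   found with the non-reentrant getpwuid() as an independent cross-check. */
uid_t first_unmapped_uid(uid_t start) {
    for (uid_t u = start; u < start + 1000; u++)
        if (getpwuid(u) == NULL)
            return u;
    return (uid_t)-1;
}

int main(void) {
    char name[256];
    uid_t uid = getuid();
    switch (resolve_uid(uid, name, sizeof name)) {
    case UID_MAPPED:
        printf("uid %lu resolves to '%s'\n", (unsigned long)uid, name);
        return 0;
    case UID_UNMAPPED:
        fprintf(stderr, "uid %lu has no passwd entry; add the user to the "
                "image or run with a UID that exists\n", (unsigned long)uid);
        return 1;
    default:
        fprintf(stderr, "passwd lookup failed for uid %lu\n", (unsigned long)uid);
        return 2;
    }
}
```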

@cnauroth
Contributor Author

Unfortunately, I think we're stuck with string matching logic on this. There isn't a more specific exception type to detect. The getCause() is null too.

@cnauroth
Contributor Author

Pre-submit will give this a -1 for no new tests. I don't see a good way to write a unit test for it. It would probably end up relying on things like Docker or elevated permissions that aren't guaranteed to be in place on everyone's CI hosts.

@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 49s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 1s codespell was not available.
+0 🆗 detsecrets 0m 1s detect-secrets was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 40m 49s trunk passed
+1 💚 compile 20m 33s trunk passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚 compile 18m 9s trunk passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚 checkstyle 1m 15s trunk passed
+1 💚 mvnsite 1m 35s trunk passed
+1 💚 javadoc 1m 12s trunk passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚 javadoc 0m 47s trunk passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚 spotbugs 2m 29s trunk passed
+1 💚 shadedclient 41m 0s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 52s the patch passed
+1 💚 compile 18m 22s the patch passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚 javac 18m 22s the patch passed
+1 💚 compile 17m 16s the patch passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚 javac 17m 16s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 1m 14s the patch passed
+1 💚 mvnsite 1m 37s the patch passed
+1 💚 javadoc 1m 10s the patch passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚 javadoc 0m 51s the patch passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚 spotbugs 2m 39s the patch passed
+1 💚 shadedclient 42m 4s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 19m 47s hadoop-common in the patch passed.
+1 💚 asflicense 1m 2s The patch does not generate ASF License warnings.
236m 32s
Subsystem Report/Notes
Docker ClientAPI=1.47 ServerAPI=1.47 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7325/1/artifact/out/Dockerfile
GITHUB PR #7325
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname Linux 141d7f4ec2b8 5.15.0-124-generic #134-Ubuntu SMP Fri Sep 27 20:20:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 36e1b69
Default Java Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7325/1/testReport/
Max. process+thread count 1295 (vs. ulimit of 5500)
modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7325/1/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

Member

@ayushtkn ayushtkn left a comment

LGTM

Contributor

@steveloughran steveloughran left a comment

+1

@slfan1989
Contributor

+1

@asfgit asfgit closed this in b6916eb Jan 26, 2025
asfgit pushed a commit that referenced this pull request Jan 26, 2025
…t user.

Closes #7325

Signed-off-by: Shilun Fan <[email protected]>
Signed-off-by: Steve Loughran <[email protected]>
Signed-off-by: Ayush Saxena <[email protected]>
(cherry picked from commit b6916eb)
asfgit pushed a commit that referenced this pull request Jan 26, 2025
…t user.

Closes #7325

Signed-off-by: Shilun Fan <[email protected]>
Signed-off-by: Steve Loughran <[email protected]>
Signed-off-by: Ayush Saxena <[email protected]>
(cherry picked from commit b6916eb)
(cherry picked from commit 7d699e5)
@cnauroth cnauroth deleted the HADOOP-19401-trunk branch January 26, 2025 06:08
@cnauroth
Contributor Author

I committed this to trunk, branch-3.4 and branch-3.3.

@slfan1989, @steveloughran, @ayushtkn, thanks for the reviews!
