HADOOP-12385. Include nested stack trace in SaslRpcClient.getServerToken() (stevel)

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -246,6 +246,9 @@ Trunk (Unreleased)
     HADOOP-12436. GlobPattern regex library has performance issues with
     wildcard characters (Matthew Paduano via aw)
 
+    HADOOP-12385. Include nested stack trace in SaslRpcClient.getServerToken()
+    (stevel)
+
   BUG FIXES
 
     HADOOP-11473. test-patch says "-1 overall" even when all checks are +1

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java

@@ -32,6 +32,7 @@ import java.net.InetSocketAddress;
 import java.nio.ByteBuffer;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 
 import javax.security.auth.callback.Callback;
@@ -81,6 +82,7 @@ import com.google.re2j.Pattern;
 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
 @InterfaceStability.Evolving
 public class SaslRpcClient {
+  // This log is public as it is referenced in tests
   public static final Log LOG = LogFactory.getLog(SaslRpcClient.class);
 
   private final UserGroupInformation ugi;
@@ -122,7 +124,6 @@ public class SaslRpcClient {
     return (saslClient != null) ? saslClient.getNegotiatedProperty(key) : null;
   }
 
-
   // the RPC Client has an inelegant way of handling expiration of TGTs
   // acquired via a keytab.  any connection failure causes a relogin, so
   // the Client needs to know what authMethod was being attempted if an
@@ -172,14 +173,13 @@ public class SaslRpcClient {
       throw new AccessControlException(
           "Client cannot authenticate via:" + serverAuthMethods);
     }
-    if (LOG.isDebugEnabled()) {
+    if (LOG.isDebugEnabled() && selectedAuthType != null) {
       LOG.debug("Use " + selectedAuthType.getMethod() +
           " authentication for protocol " + protocol.getSimpleName());
     }
     return selectedAuthType;
   }
 
-
   private boolean isValidAuthType(SaslAuth authType) {
     AuthMethod authMethod;
     try {
@@ -218,7 +218,9 @@ public class SaslRpcClient {
       case TOKEN: {
         Token<?> token = getServerToken(authType);
         if (token == null) {
-          return null; // tokens aren't supported or user doesn't have one
+          LOG.debug("tokens aren't supported for this protocol" +
+              " or user doesn't have one");
+          return null;
         }
         saslCallback = new SaslClientCallbackHandler(token);
         break;
@@ -226,11 +228,13 @@ public class SaslRpcClient {
       case KERBEROS: {
         if (ugi.getRealAuthenticationMethod().getAuthMethod() !=
             AuthMethod.KERBEROS) {
-          return null; // client isn't using kerberos
+          LOG.debug("client isn't using kerberos");
+          return null;
         }
         String serverPrincipal = getServerPrincipal(authType);
         if (serverPrincipal == null) {
-          return null; // protocol doesn't use kerberos
+          LOG.debug("protocol doesn't use kerberos");
+          return null;
         }
         if (LOG.isDebugEnabled()) {
           LOG.debug("RPC Server's Kerberos principal name for protocol="
@@ -256,22 +260,20 @@ public class SaslRpcClient {
    * Try to locate the required token for the server.
    * 
    * @param authType of the SASL client
-   * @return Token<?> for server, or null if no token available
+   * @return Token for server, or null if no token available
    * @throws IOException - token selector cannot be instantiated
    */
   private Token<?> getServerToken(SaslAuth authType) throws IOException {
     TokenInfo tokenInfo = SecurityUtil.getTokenInfo(protocol, conf);
-    LOG.debug("Get token info proto:"+protocol+" info:"+tokenInfo);
+    LOG.debug("Get token info proto:" + protocol + " info:" + tokenInfo);
     if (tokenInfo == null) { // protocol has no support for tokens
       return null;
     }
     TokenSelector<?> tokenSelector = null;
     try {
       tokenSelector = tokenInfo.value().newInstance();
-    } catch (InstantiationException e) {
-      throw new IOException(e.toString());
-    } catch (IllegalAccessException e) {
-      throw new IOException(e.toString());
+    } catch (InstantiationException | IllegalAccessException e) {
+      throw new IOException(e.toString(), e);
     }
     return tokenSelector.selectToken(
         SecurityUtil.buildTokenService(serverAddr), ugi.getTokens());
@@ -288,7 +290,7 @@ public class SaslRpcClient {
   @VisibleForTesting
   String getServerPrincipal(SaslAuth authType) throws IOException {
     KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
-    LOG.debug("Get kerberos info proto:"+protocol+" info:"+krbInfo);
+    LOG.debug("Get kerberos info proto:" + protocol + " info:" + krbInfo);
     if (krbInfo == null) { // protocol has no support for kerberos
       return null;
     }
@@ -337,7 +339,6 @@ public class SaslRpcClient {
     return serverPrincipal;
   }
 
-
   /**
    * Do client side SASL authentication with server via the given InputStream
    * and OutputStream
@@ -510,7 +511,7 @@ public class SaslRpcClient {
     String qop = (String) saslClient.getNegotiatedProperty(Sasl.QOP);
     // SASL wrapping is only used if the connection has a QOP, and
     // the value is not auth.  ex. auth-int & auth-priv
-    return qop != null && !"auth".equalsIgnoreCase(qop);
+    return qop != null && !"auth".toLowerCase(Locale.ENGLISH).equals(qop);
   }
 
   /**
@@ -534,8 +535,8 @@ public class SaslRpcClient {
    * otherwise return original stream.  Can be called only after
    * saslConnect() has been called.
    * 
-   * @param in - InputStream used to make the connection
-   * @return InputStream that may be using SASL unwrap
+   * @param out - OutputStream used to make the connection
+   * @return OutputStream that may be using wrapping
    * @throws IOException
    */
   public OutputStream getOutputStream(OutputStream out) throws IOException {