briefly mention JAAS

Author: steveloughran

sections/errors.md

@@ -97,6 +97,15 @@ an error about checksums.
 1. Java 8 behaves differently from Java 6 and 7 here which can cause problems
 [(HADOOP-11628](https://issues.apache.org/jira/browse/HADOOP-11628).
 
+## `GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)`
+
+
+Rarely seen. Switching kerberos to use TCP rather than UDP makes it go away
+
+In `krb5.conf`:
+
+    [libdefaults]
+      udp_preference_limit = 1
 
 ## Principal not found
 

sections/jaas.md

@@ -0,0 +1,33 @@
+<!---
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+  
+   http://www.apache.org/licenses/LICENSE-2.0
+  
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License. See accompanying LICENSE file.
+-->
+
+
+# JAAS
+
+JAAS is a nightmare from the Enterprise Java Bean era, one which surfaces from the depths to pull the unwary under. You can see its heritage whenever you search for documentation; it's generally related to managing the context of callers to EJB operations.
+
+
+JAAS provides for a standard configuration file format for specifying a *login context*; how code trying to run in a specific context/role should login and authenticate.
+
+As a single jaas.conf file can have multiple contexts, the same file can be used to configure the server and clients of a service, each with different binding information. Different contexts can have different login/auth mechanisms, including Kerberos and LDAP, so that you can even specify different auth mechanisms for different roles.
+
+In Hadoop, the JAAS context is invariably Kerberos when it comes to talking to HDFS, YARN, etc. However, if Zookeeper enters the mix, it may be interacted with differently —and so need a different JAAS context.
+
+Fun facts about JAAS
+
+1. Nobody ever mentions it, but the file takes backslashed-escapes like a Java string.
+1. It needs escaped backlash directory separators on Windows, such as: `C:\\security\\krb5.conf`. Get that wrong and your code will fail with what will inevitably be an unintuitive message.
+1. Each context must declare the authentication module to use. The kerberos authentication model on IBM JVMs is different from that on Oracle and OpenJDK JVMs. You need to know the target JVM for the context —or create separate contexts for the different JVMs.
+
+Hadoop's UGI class will dynamically create a JAAS context for Hadoop logins, dynamically determining the name of the kerberos module to use. For interacting purely with HDFS and YARN, you may be able to avoid needing to know about or understand JAAS.

sections/secrets.md

@@ -79,6 +79,68 @@ If you want to debug what is happening in SPNEGO, another system property lets y
 Set the env variable `HADOOP_JAAS_DEBUG` to true and UGI will set the "debug" flag on any JAAS
 files it creates
 
+    export HADOOP_JAAS_DEBUG=true
+
+
+On the next Hadoop command, you'll see a trace like
+
+        [UnixLoginModule]: succeeded importing info: 
+          uid = 503
+          gid = 20
+          supp gid = 20
+          supp gid = 501
+          supp gid = 12
+          supp gid = 61
+          supp gid = 79
+          supp gid = 80
+          supp gid = 81
+          supp gid = 98
+          supp gid = 399
+          supp gid = 33
+          supp gid = 100
+          supp gid = 204
+          supp gid = 395
+          supp gid = 398
+    Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
+    Acquire TGT from Cache
+    Principal is stevel@COTHAM
+        [UnixLoginModule]: added UnixPrincipal,
+            UnixNumericUserPrincipal,
+            UnixNumericGroupPrincipal(s),
+           to Subject
+    Commit Succeeded 
+    
+        [UnixLoginModule]: logged out Subject
+        [Krb5LoginModule]: Entering logout
+        [Krb5LoginModule]: logged out Subject
+        [UnixLoginModule]: succeeded importing info: 
+          uid = 503
+          gid = 20
+          supp gid = 20
+          supp gid = 501
+          supp gid = 12
+          supp gid = 61
+          supp gid = 79
+          supp gid = 80
+          supp gid = 81
+          supp gid = 98
+          supp gid = 399
+          supp gid = 33
+          supp gid = 100
+          supp gid = 204
+          supp gid = 395
+          supp gid = 398
+    Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
+    Acquire TGT from Cache
+    Principal is stevel@COTHAM
+        [UnixLoginModule]: added UnixPrincipal,
+            UnixNumericUserPrincipal,
+            UnixNumericGroupPrincipal(s),
+           to Subject
+    Commit Succeeded 
+    
+
+
 ## KRB5CCNAME
 
 The environment variable [`KRB5CCNAME`](http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4/doc/klist.html)