Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-10158

SPNEGO should work with multiple interfaces/SPNs.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 2.2.0
    • 2.5.0
    • None
    • None
    • Reviewed

    Description

      This is the list of internal servlets added by namenode.

      Name Auth Need to be accessible by end users
      StartupProgressServlet none no
      GetDelegationTokenServlet internal SPNEGO yes
      RenewDelegationTokenServlet internal SPNEGO yes
      CancelDelegationTokenServlet internal SPNEGO yes
      FsckServlet internal SPNEGO yes
      GetImageServlet internal SPNEGO no
      ListPathsServlet token in query yes
      FileDataServlet token in query yes
      FileChecksumServlets token in query yes
      ContentSummaryServlet token in query yes

      GetDelegationTokenServlet, RenewDelegationTokenServlet, CancelDelegationTokenServlet and FsckServlet are accessed by end users, but hard-coded to use the internal SPNEGO filter.

      If a name node HTTP server binds to multiple external IP addresses, the internal SPNEGO service principal name may not work with an address to which end users are connecting. The current SPNEGO implementation in Hadoop is limited to use a single service principal per filter.

      If the underlying hadoop kerberos authentication handler cannot easily be modified, we can at least create a separate auth filter for the end-user facing servlets so that their service principals can be independently configured. If not defined, it should fall back to the current behavior.

      Attachments

        1. HADOOP-10158.patch
          7 kB
          Daryn Sharp
        2. HADOOP-10158_multiplerealms.patch
          6 kB
          Benoy Antony
        3. HADOOP-10158_multiplerealms.patch
          8 kB
          Benoy Antony
        4. HADOOP-10158_multiplerealms.patch
          12 kB
          Benoy Antony
        5. HADOOP-10158.patch
          15 kB
          Daryn Sharp
        6. HADOOP-10158-readkeytab.patch
          5 kB
          Benoy Antony
        7. HADOOP-10158-readkeytab.patch
          6 kB
          Benoy Antony
        8. HADOOP-10158.patch
          13 kB
          Daryn Sharp

        Issue Links

          is depended upon by

          Bug - A problem which impairs or prevents the functions of the product. OOZIE-1865 Oozie servers can't talk to each other with Oozie HA and Kerberos

          • Major - Major loss of function.
          • Closed
          is related to

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-10307 Support multiple Authentication mechanisms for HTTP

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-10702 KerberosAuthenticationHandler does not log the principal names correctly

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          requires

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-10322 Add ability to read principal names from a keytab

          • Major - Major loss of function.
          • Closed

          Activity

            People

              daryn Daryn Sharp
              kihwal Kihwal Lee
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: