Hadoop Common / HADOOP-10158

SPNEGO should work with multiple interfaces/SPNs.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.5.0
    • Component/s: None
    • Labels: None
    • Target Version/s:
    • Hadoop Flags: Reviewed

      Description

      This is the list of internal servlets added by namenode.

      Name                          Auth             Need to be accessible by end users
      StartupProgressServlet        none             no
      GetDelegationTokenServlet     internal SPNEGO  yes
      RenewDelegationTokenServlet   internal SPNEGO  yes
      CancelDelegationTokenServlet  internal SPNEGO  yes
      FsckServlet                   internal SPNEGO  yes
      GetImageServlet               internal SPNEGO  no
      ListPathsServlet              token in query   yes
      FileDataServlet               token in query   yes
      FileChecksumServlets          token in query   yes
      ContentSummaryServlet         token in query   yes

      GetDelegationTokenServlet, RenewDelegationTokenServlet, CancelDelegationTokenServlet and FsckServlet are accessed by end users, but hard-coded to use the internal SPNEGO filter.

      If a name node HTTP server binds to multiple external IP addresses, the internal SPNEGO service principal name may not work with an address to which end users are connecting. The current SPNEGO implementation in Hadoop is limited to using a single service principal per filter.

      If the underlying Hadoop Kerberos authentication handler cannot easily be modified, we can at least create a separate auth filter for the end-user facing servlets so that their service principals can be independently configured. If not defined, it should fall back to the current behavior.
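
Added example, not part of the issue text or of any attached patch: a minimal Java model of why one service principal per filter fails on a multi-homed server, and of choosing the SPN per request from principals the keytab already holds. The class name, hostnames, realm and the fallback-on-unknown-host rule are assumptions made for illustration, and client-side DNS canonicalization is ignored.

```java
import java.util.*;

/** Added illustration; not Hadoop code. Hostnames, realm and principals are constructed. */
public class SpnSelection {
    // Service principals assumed present in the server's keytab, keyed by lower-cased host.
    private final Map<String, String> spnByHost = new HashMap<>();
    private final String fallbackSpn; // the single "internal" principal (current behaviour)

    SpnSelection(List<String> keytabPrincipals, String fallbackSpn) {
        this.fallbackSpn = fallbackSpn;
        for (String p : keytabPrincipals) {
            // Expected form: HTTP/<host>@<REALM>; anything else is ignored.
            int slash = p.indexOf('/'), at = p.lastIndexOf('@');
            if (p.startsWith("HTTP/") && at > slash + 1) {
                spnByHost.put(p.substring(slash + 1, at).toLowerCase(Locale.ROOT), p);
            }
        }
    }

    /** Host the client addressed, taken from the Host header with any port removed. */
    static String hostOf(String hostHeader) {
        String h = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (h.startsWith("[")) {                       // IPv6 literal: [addr]:port
            int end = h.indexOf(']');
            return end > 0 ? h.substring(1, end) : h;
        }
        int colon = h.lastIndexOf(':');
        return colon >= 0 ? h.substring(0, colon) : h;
    }

    /** SPN to accept tokens as: exact keytab match, otherwise the single configured one. */
    String select(String hostHeader) {
        // The header is untrusted: it only indexes into principals we already hold keys for.
        return spnByHost.getOrDefault(hostOf(hostHeader), fallbackSpn);
    }

    public static void main(String[] args) {
        String internal = "HTTP/nn1.internal.example.com@EXAMPLE.COM";
        List<String> keytab = Arrays.asList(internal, "HTTP/nn1.example.com@EXAMPLE.COM");
        SpnSelection single = new SpnSelection(Collections.singletonList(internal), internal);
        SpnSelection multi = new SpnSelection(keytab, internal);
        for (String host : new String[] {"nn1.internal.example.com:50070", "NN1.example.com:50070"}) {
            // A client requests a ticket for HTTP/<host it connected to>; a mismatch fails auth.
            String wanted = "HTTP/" + hostOf(host) + "@EXAMPLE.COM";
            System.out.printf("%-32s single=%-5b multi=%b%n", host,
                    wanted.equals(single.select(host)), wanted.equals(multi.select(host)));
        }
    }
}
```

The Host header never becomes a principal name directly; it is only used to look up an SPN already in the keytab, so a forged header cannot make the server accept tokens for a service it holds no key for.
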

      1. HADOOP-10158_multiplerealms.patch
        12 kB
        Benoy Antony
      2. HADOOP-10158_multiplerealms.patch
        8 kB
        Benoy Antony
      3. HADOOP-10158_multiplerealms.patch
        6 kB
        Benoy Antony
      4. HADOOP-10158.patch
        13 kB
        Daryn Sharp
      5. HADOOP-10158.patch
        15 kB
        Daryn Sharp
      6. HADOOP-10158.patch
        7 kB
        Daryn Sharp
      7. HADOOP-10158-readkeytab.patch
        6 kB
        Benoy Antony
      8. HADOOP-10158-readkeytab.patch
        5 kB
        Benoy Antony


            People

            • Assignee: Daryn Sharp
            • Reporter: Kihwal Lee
            • Votes: 0
            • Watchers: 8
