Hadoop Common
  1. Hadoop Common
  2. HADOOP-10158

SPNEGO should work with multiple interfaces/SPNs.

    Details

    • Type: Bug Bug
    • Status: Open
    • Priority: Critical Critical
    • Resolution: Unresolved
    • Affects Version/s: 2.2.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Target Version/s:

      Description

      This is the list of internal servlets added by namenode.

      Name Auth Need to be accessible by end users
      StartupProgressServlet none no
      GetDelegationTokenServlet internal SPNEGO yes
      RenewDelegationTokenServlet internal SPNEGO yes
      CancelDelegationTokenServlet internal SPNEGO yes
      FsckServlet internal SPNEGO yes
      GetImageServlet internal SPNEGO no
      ListPathsServlet token in query yes
      FileDataServlet token in query yes
      FileChecksumServlets token in query yes
      ContentSummaryServlet token in query yes

      GetDelegationTokenServlet, RenewDelegationTokenServlet, CancelDelegationTokenServlet and FsckServlet are accessed by end users, but hard-coded to use the internal SPNEGO filter.

      If a name node HTTP server binds to multiple external IP addresses, the internal SPNEGO service principal name may not work with an address to which end users are connecting. The current SPNEGO implementation in Hadoop is limited to use a single service principal per filter.

      If the underlying hadoop kerberos authentication handler cannot easily be modified, we can at least create a separate auth filter for the end-user facing servlets so that their service principals can be independently configured. If not defined, it should fall back to the current behavior.

      1. HADOOP-10158_multiplerealms.patch
        12 kB
        Benoy Antony
      2. HADOOP-10158_multiplerealms.patch
        8 kB
        Benoy Antony
      3. HADOOP-10158_multiplerealms.patch
        6 kB
        Benoy Antony
      4. HADOOP-10158.patch
        13 kB
        Daryn Sharp
      5. HADOOP-10158.patch
        15 kB
        Daryn Sharp
      6. HADOOP-10158.patch
        7 kB
        Daryn Sharp
      7. HADOOP-10158-readkeytab.patch
        6 kB
        Benoy Antony
      8. HADOOP-10158-readkeytab.patch
        5 kB
        Benoy Antony

        Issue Links

          Activity

          Kihwal Lee created issue -
          Kihwal Lee made changes -
          Field Original Value New Value
          Project Hadoop HDFS [ 12310942 ] Hadoop Common [ 12310240 ]
          Key HDFS-5628 HADOOP-10158
          Affects Version/s 2.2.0 [ 12325048 ]
          Affects Version/s 2.2.0 [ 12325049 ]
          Target Version/s 3.0.0, 2.4.0 [ 12320356, 12324588 ] 2.4.0 [ 12324587 ]
          Kihwal Lee made changes -
          Summary Some namenode servlets should not be internal. SPNEGO should work with multiple interfaces/SPNs.
          Kihwal Lee made changes -
          Assignee Daryn Sharp [ daryn ]
          Daryn Sharp made changes -
          Attachment HADOOP-10158.patch [ 12622229 ]
          Daryn Sharp made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Benoy Antony made changes -
          Attachment HADOOP-10158_multiplerealms.patch [ 12623727 ]
          Benoy Antony made changes -
          Attachment HADOOP-10158_multiplerealms.patch [ 12623729 ]
          Benoy Antony made changes -
          Attachment HADOOP-10158_multiplerealms.patch [ 12625103 ]
          Kihwal Lee made changes -
          Priority Major [ 3 ] Critical [ 2 ]
          Benoy Antony made changes -
          Link This issue is related to HADOOP-10307 [ HADOOP-10307 ]
          Jason Lowe made changes -
          Target Version/s 2.4.0 [ 12326144 ]
          Daryn Sharp made changes -
          Attachment HADOOP-10158.patch [ 12625980 ]
          Benoy Antony made changes -
          Attachment HADOOP-10158-readkeytab.patch [ 12626384 ]
          Benoy Antony made changes -
          Attachment HADOOP-10158-readkeytab.patch [ 12626404 ]
          Benoy Antony made changes -
          Link This issue requires HADOOP-10322 [ HADOOP-10322 ]
          Daryn Sharp made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Daryn Sharp made changes -
          Attachment HADOOP-10158.patch [ 12641527 ]

            People

            • Assignee:
              Daryn Sharp
              Reporter:
              Kihwal Lee
            • Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated:

                Development