Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-10158

SPNEGO should work with multiple interfaces/SPNs.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.5.0
    • Component/s: None
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      This is the list of internal servlets added by namenode.

      Name Auth Need to be accessible by end users
      StartupProgressServlet none no
      GetDelegationTokenServlet internal SPNEGO yes
      RenewDelegationTokenServlet internal SPNEGO yes
      CancelDelegationTokenServlet internal SPNEGO yes
      FsckServlet internal SPNEGO yes
      GetImageServlet internal SPNEGO no
      ListPathsServlet token in query yes
      FileDataServlet token in query yes
      FileChecksumServlets token in query yes
      ContentSummaryServlet token in query yes

      GetDelegationTokenServlet, RenewDelegationTokenServlet, CancelDelegationTokenServlet and FsckServlet are accessed by end users, but hard-coded to use the internal SPNEGO filter.

      If a name node HTTP server binds to multiple external IP addresses, the internal SPNEGO service principal name may not work with an address to which end users are connecting. The current SPNEGO implementation in Hadoop is limited to use a single service principal per filter.

      If the underlying hadoop kerberos authentication handler cannot easily be modified, we can at least create a separate auth filter for the end-user facing servlets so that their service principals can be independently configured. If not defined, it should fall back to the current behavior.

        Attachments

        1. HADOOP-10158-readkeytab.patch
          5 kB
          Benoy Antony
        2. HADOOP-10158-readkeytab.patch
          6 kB
          Benoy Antony
        3. HADOOP-10158.patch
          7 kB
          Daryn Sharp
        4. HADOOP-10158.patch
          15 kB
          Daryn Sharp
        5. HADOOP-10158.patch
          13 kB
          Daryn Sharp
        6. HADOOP-10158_multiplerealms.patch
          6 kB
          Benoy Antony
        7. HADOOP-10158_multiplerealms.patch
          8 kB
          Benoy Antony
        8. HADOOP-10158_multiplerealms.patch
          12 kB
          Benoy Antony

          Issue Links

            Activity

              People

              • Assignee:
                daryn Daryn Sharp
                Reporter:
                kihwal Kihwal Lee
              • Votes:
                0 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: