Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-10158

SPNEGO should work with multiple interfaces/SPNs.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 2.2.0
    • 2.5.0
    • None
    • None
    • Reviewed

    Description

      This is the list of internal servlets added by namenode.

      Name Auth Need to be accessible by end users
      StartupProgressServlet none no
      GetDelegationTokenServlet internal SPNEGO yes
      RenewDelegationTokenServlet internal SPNEGO yes
      CancelDelegationTokenServlet internal SPNEGO yes
      FsckServlet internal SPNEGO yes
      GetImageServlet internal SPNEGO no
      ListPathsServlet token in query yes
      FileDataServlet token in query yes
      FileChecksumServlets token in query yes
      ContentSummaryServlet token in query yes

      GetDelegationTokenServlet, RenewDelegationTokenServlet, CancelDelegationTokenServlet and FsckServlet are accessed by end users, but hard-coded to use the internal SPNEGO filter.

      If a name node HTTP server binds to multiple external IP addresses, the internal SPNEGO service principal name may not work with an address to which end users are connecting. The current SPNEGO implementation in Hadoop is limited to use a single service principal per filter.

      If the underlying hadoop kerberos authentication handler cannot easily be modified, we can at least create a separate auth filter for the end-user facing servlets so that their service principals can be independently configured. If not defined, it should fall back to the current behavior.

      Attachments

        1. HADOOP-10158_multiplerealms.patch
          12 kB
          Benoy Antony
        2. HADOOP-10158_multiplerealms.patch
          8 kB
          Benoy Antony
        3. HADOOP-10158_multiplerealms.patch
          6 kB
          Benoy Antony
        4. HADOOP-10158.patch
          13 kB
          Daryn Sharp
        5. HADOOP-10158.patch
          15 kB
          Daryn Sharp
        6. HADOOP-10158.patch
          7 kB
          Daryn Sharp
        7. HADOOP-10158-readkeytab.patch
          6 kB
          Benoy Antony
        8. HADOOP-10158-readkeytab.patch
          5 kB
          Benoy Antony

        Issue Links

          Activity

            People

              daryn Daryn Sharp
              kihwal Kihwal Lee
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: