Hadoop Common

balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Hadoop Flags: Reviewed
    • Tags: security

      Description

      User logs in as hdfs/something@something and tries to run balancer.
      Balancer is using NameNode Protocol, which authorizes based on the server principal key,
      but the NameNode key is hdfs/_HOST@.. now, so it fails.
      To fix, we need to compare the short names only.

      1. HADOOP-6647.patch (2 kB, Boris Shkolnik)
      2. HADOOP-6647-BP20.patch (2 kB, Boris Shkolnik)

        Activity

        Boris Shkolnik created issue -
        Boris Shkolnik added a comment -

        For previous version, not for commit.

        Boris Shkolnik made changes -
        Attachment: HADOOP-6647-BP20.patch [ 12439325 ]
        Boris Shkolnik made changes -
        Description, original value:
        user logs in as hdfs/dev.ygrid.yahoo.com@DEV.YGRID.YAHOO.COM and tries to run balancer.
        balancer is using NameNode Protocol which authorizes based on server principal key.
        but NameNode key is hdfs/_HOST@.. now. so it fails.
        To fix we need to compare the short names only.
        Description, new value:
        user logs in as hdfs/something@something and tries to run balancer.
        balancer is using NameNode Protocol which authorizes based on server principal key.
        but NameNode key is hdfs/_HOST@.. now. so it fails.
        To fix we need to compare the short names only.
        Allen Wittenauer added a comment -

        Does that mean if I create a fake realm with the same short name I can run balancer?

        Boris Shkolnik made changes -
        Assignee: Boris Shkolnik [ boryas ]
        Boris Shkolnik made changes -
        Attachment: HADOOP-6647.patch [ 12447754 ]
        Boris Shkolnik made changes -
        Status: Open [ 1 ] -> Patch Available [ 10002 ]
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12447754/HADOOP-6647.patch
        against trunk revision 957074.

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        -1 javadoc. The javadoc tool appears to have generated 1 warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed core unit tests.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/592/testReport/
        Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/592/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
        Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/592/artifact/trunk/build/test/checkstyle-errors.html
        Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/592/console

        This message is automatically generated.

        Owen O'Malley added a comment -

        Allen,

        The Namenode's configuration defines the mapping from long names to short names. It defaults to:

        *@YOUR.DOMAIN -> *

        With that mapping, someone coming in from another domain will fail, even with the cross-realm stuff set up.

        hdfs@BAD.DOMAIN fails....

        At Yahoo, we have two domains and we have rules for exactly how they map, but they amount to:

        *@YGRID.YAHOO.COM -> *
        *@CORP.YAHOO.COM -> *

        So those two realms work, but anything else will fail. Depending on the translation that operations defines, they can make a cluster insecure.

        joe@CORP.YAHOO.COM -> root

        would be really convenient for joe, but not secure. grin

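Owen's realm-to-short-name mapping and the short-name comparison the patch introduces, modelled in Python as an added example (not Hadoop's code; Hadoop's real rules are configured through hadoop.security.auth_to_local with a different syntax, and the realm names, rule triples and function names here are constructed for illustration):

```python
"""Simplified model of the short-name comparison from HADOOP-6647.
Added example, not Hadoop's own code: the (realm, primary, result) triples
below are a constructed stand-in for the auth_to_local rules, keeping the
behaviour described in the ticket: only realms with an explicit rule are
mapped, every other realm is rejected.
"""
from typing import List, Optional, Tuple

# (realm, primary or "*" for any, result or "*" to keep the primary)
Rule = Tuple[str, str, str]

# Owen's default: principals in the local realm map to their primary, nothing else.
DEFAULT_RULES: List[Rule] = [("YOUR.DOMAIN", "*", "*")]


def parse_principal(name: str) -> Tuple[str, str, str]:
    """Split primary[/instance]@REALM into its parts; the realm is mandatory."""
    if "@" not in name:
        raise ValueError(f"principal without realm: {name!r}")
    local, realm = name.rsplit("@", 1)
    primary, _, instance = local.partition("/")
    if not primary or not realm:
        raise ValueError(f"malformed principal: {name!r}")
    return primary, instance, realm


def to_short_name(name: str, rules: List[Rule] = DEFAULT_RULES) -> Optional[str]:
    """Apply the first matching rule; None means no rule covers this realm."""
    primary, _instance, realm = parse_principal(name)
    for rule_realm, rule_primary, result in rules:
        if rule_realm == realm and rule_primary in ("*", primary):
            return primary if result == "*" else result
    return None


def authorized_for_protocol(client: str, server_principal: str,
                            rules: List[Rule] = DEFAULT_RULES) -> bool:
    """The HADOOP-6647 check: compare short names, so hdfs/nn1@REALM is accepted
    against a server configured as hdfs/_HOST@REALM. The server principal is
    local by definition, so its primary is used directly."""
    server_short = parse_principal(server_principal)[0]
    client_short = to_short_name(client, rules)
    return client_short is not None and client_short == server_short


def identity_changing_rules(rules: List[Rule]) -> List[Rule]:
    """Audit helper: rules that map a principal to a different short name
    (Owen's joe@CORP.YAHOO.COM -> root) are the ones that can make a cluster
    insecure and deserve review."""
    return [r for r in rules if r[2] != "*"]
```

With the default rule set, the balancer's hdfs/host@YOUR.DOMAIN principal now matches the NameNode's hdfs/_HOST@YOUR.DOMAIN, while Allen's hdfs@BAD.DOMAIN has no rule and is rejected before any short name is compared.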
        Devaraj Das added a comment -

        +1

        Boris Shkolnik added a comment -

        Committed to trunk.

        The javadoc warning is related to use of "Sun proprietary API and may be removed in a future release" packages introduced elsewhere.

        Boris Shkolnik made changes -
        Status: Patch Available [ 10002 ] -> Resolved [ 5 ]
        Hadoop Flags: [Reviewed]
        Resolution: Fixed [ 1 ]
        Hudson added a comment -

        Integrated in Hadoop-Common-trunk-Commit #324 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk-Commit/324/)
        HADOOP-6647. balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment

        Hudson added a comment -

        Integrated in Hadoop-Common-trunk #392 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk/392/)
        HADOOP-6647. balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment

        Transition                 | Time In Source Status | Execution Times | Last Executer   | Last Execution Date
        Open -> Patch Available    | 95d 1h 49m            | 1               | Boris Shkolnik  | 22/Jun/10 23:18
        Patch Available -> Resolved| 19d 23h 3m            | 1               | Boris Shkolnik  | 12/Jul/10 22:21

          People

          • Assignee: Boris Shkolnik
          • Reporter: Boris Shkolnik
          • Votes: 0
          • Watchers: 3
