Hadoop Common
  1. Hadoop Common
  2. HADOOP-6647

balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Tags:
      security

      Description

      user logs in as hdfs/something@something and tries to run balancer.
      balancer is using NameNode Protocol which authorizes based on server principal key.
      but NameNode key is hdfs/_HOST@.. now. so it fails.
      To fix we need to compare the short names only.

      1. HADOOP-6647-BP20.patch
        2 kB
        Boris Shkolnik
      2. HADOOP-6647.patch
        2 kB
        Boris Shkolnik

        Activity

        Hide
        Hudson added a comment -

        Integrated in Hadoop-Common-trunk #392 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk/392/)
        HADOOP-6647. balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment

        Show
        Hudson added a comment - Integrated in Hadoop-Common-trunk #392 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk/392/ ) HADOOP-6647 . balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Common-trunk-Commit #324 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk-Commit/324/)
        HADOOP-6647. balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment

        Show
        Hudson added a comment - Integrated in Hadoop-Common-trunk-Commit #324 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk-Commit/324/ ) HADOOP-6647 . balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment
        Hide
        Boris Shkolnik added a comment -

        committed to trunk.

        javadoc warning is related to use of "Sun proprietary API and may be removed in a future release" packages introduces elsewhere.

        Show
        Boris Shkolnik added a comment - committed to trunk. javadoc warning is related to use of "Sun proprietary API and may be removed in a future release" packages introduces elsewhere.
        Hide
        Devaraj Das added a comment -

        +1

        Show
        Devaraj Das added a comment - +1
        Hide
        Owen O'Malley added a comment -

        Allen,

        The Namenode's configuration defines the mapping from long names to short names. It defaults to:

        *@YOUR.DOMAIN -> *

        With that mapping, someone coming in from another domain will fail, even with the cross-realm stuff set up.

        hdfs@BAD.DOMAIN fails....

        At Yahoo, we have two domains and we have rules for exactly how they map, but they amount to:

        *@YGRID.YAHOO.COM -> *
        *@CORP.YAHOO.COM -> *

        So those two realms work, but anything else will fail. Depending on the translation that operations defines, they can make a cluster insecure.

        joe@CORP.YAHOO.COM -> root

        would be really convenient for joe, but not secure. grin

        Show
        Owen O'Malley added a comment - Allen, The Namenode's configuration defines the mapping from long names to short names. It defaults to: *@YOUR.DOMAIN -> * With that mapping, someone coming in from another domain will fail, even with the cross-realm stuff set up. hdfs@BAD.DOMAIN fails.... At Yahoo, we have two domains and we have rules for exactly how they map, but they amount to: *@YGRID.YAHOO.COM -> * *@CORP.YAHOO.COM -> * So those two realms work, but anything else will fail. Depending on the translation that operations defines, they can make a cluster insecure. joe@CORP.YAHOO.COM -> root would be really convenient for joe, but not secure. grin
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12447754/HADOOP-6647.patch
        against trunk revision 957074.

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        -1 javadoc. The javadoc tool appears to have generated 1 warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed core unit tests.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/592/testReport/
        Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/592/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
        Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/592/artifact/trunk/build/test/checkstyle-errors.html
        Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/592/console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12447754/HADOOP-6647.patch against trunk revision 957074. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. -1 javadoc. The javadoc tool appears to have generated 1 warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/592/testReport/ Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/592/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/592/artifact/trunk/build/test/checkstyle-errors.html Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/592/console This message is automatically generated.
        Hide
        Allen Wittenauer added a comment -

        Does that mean if I create a fake realm with the same short name I can run balancer?

        Show
        Allen Wittenauer added a comment - Does that mean if I create a fake realm with the same short name I can run balancer?
        Hide
        Boris Shkolnik added a comment -

        for previous version , not for commit

        Show
        Boris Shkolnik added a comment - for previous version , not for commit

          People

          • Assignee:
            Boris Shkolnik
            Reporter:
            Boris Shkolnik
          • Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development