Hadoop Common
  1. Hadoop Common
  2. HADOOP-7215

RPC clients must connect over a network interface corresponding to the host name in the client's kerberos principal key

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.20.203.0, 0.21.1, 0.23.0
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      HADOOP-7104 introduced a change where RPC server matches client's hostname with the hostname specified in the client's Kerberos principal name. RPC client binds the socket to a random local address, which might not match the hostname specified in the principal name. This results authorization failure of the client at the server.

      1. HADOOP-7215.1.trunk.patch
        8 kB
        Suresh Srinivas
      2. HADOOP-7215.2.trunk.patch
        8 kB
        Suresh Srinivas
      3. HADOOP-7215.2xx.patch
        6 kB
        Suresh Srinivas
      4. HADOOP-7215.3.trunk.patch
        8 kB
        Suresh Srinivas
      5. HADOOP-7215.debug.patch
        8 kB
        Suresh Srinivas
      6. HADOOP-7215.debug.patch
        8 kB
        Suresh Srinivas
      7. hadoop-7215-0.22.patch
        7 kB
        Benoy Antony

        Issue Links

          Activity

          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-22-branch #106 (See https://builds.apache.org/job/Hadoop-Common-22-branch/106/)
          HADOOP-7215. RPC clients must use network interface corresponding to the host in the client's kerberos principal key. Contributed by Suresh Srinivas and Benoy Antony. (Revision 1346241)

          Result = SUCCESS
          shv : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1346241
          Files :

          • /hadoop/common/branches/branch-0.22/common/CHANGES.txt
          • /hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/ipc/Client.java
          • /hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/net/NetUtils.java
          • /hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/SecurityUtil.java
          • /hadoop/common/branches/branch-0.22/common/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
          Show
          Hudson added a comment - Integrated in Hadoop-Common-22-branch #106 (See https://builds.apache.org/job/Hadoop-Common-22-branch/106/ ) HADOOP-7215 . RPC clients must use network interface corresponding to the host in the client's kerberos principal key. Contributed by Suresh Srinivas and Benoy Antony. (Revision 1346241) Result = SUCCESS shv : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1346241 Files : /hadoop/common/branches/branch-0.22/common/CHANGES.txt /hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/ipc/Client.java /hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/net/NetUtils.java /hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/SecurityUtil.java /hadoop/common/branches/branch-0.22/common/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
          Hide
          Konstantin Shvachko added a comment -

          I just committed this to branch 0.22.1. Thank you Benoy.

          Show
          Konstantin Shvachko added a comment - I just committed this to branch 0.22.1. Thank you Benoy.
          Hide
          Benoy Antony added a comment -

          Patch for 22

          Show
          Benoy Antony added a comment - Patch for 22
          Hide
          Owen O'Malley added a comment -

          Closing for 0.20.203.0

          Show
          Owen O'Malley added a comment - Closing for 0.20.203.0
          Hide
          Suresh Srinivas added a comment -

          The patch is committed.

          Show
          Suresh Srinivas added a comment - The patch is committed.
          Hide
          Tom White added a comment -

          Can this be closed? Looks like it's been committed.

          Show
          Tom White added a comment - Can this be closed? Looks like it's been committed.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12475249/HADOOP-7215.2xx.patch
          against trunk revision 1094750.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          -1 patch. The patch command could not apply the patch.

          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/353//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12475249/HADOOP-7215.2xx.patch against trunk revision 1094750. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. -1 patch. The patch command could not apply the patch. Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/353//console This message is automatically generated.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-trunk #649 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk/649/)
          HADOOP-7215. RPC clients must use network interface corresponding to the host in the client's kerberos principal key. Contributed by Suresh Srinivas.

          Show
          Hudson added a comment - Integrated in Hadoop-Common-trunk #649 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk/649/ ) HADOOP-7215 . RPC clients must use network interface corresponding to the host in the client's kerberos principal key. Contributed by Suresh Srinivas.
          Hide
          Jitendra Nath Pandey added a comment -

          +1 for 2xx patch.

          Show
          Jitendra Nath Pandey added a comment - +1 for 2xx patch.
          Hide
          Todd Lipcon added a comment -

          Looks good to me, too. Thanks Suresh.

          Show
          Todd Lipcon added a comment - Looks good to me, too. Thanks Suresh.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-trunk-Commit #541 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk-Commit/541/)
          HADOOP-7215. RPC clients must use network interface corresponding to the host in the client's kerberos principal key. Contributed by Suresh Srinivas.

          Show
          Hudson added a comment - Integrated in Hadoop-Common-trunk-Commit #541 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk-Commit/541/ ) HADOOP-7215 . RPC clients must use network interface corresponding to the host in the client's kerberos principal key. Contributed by Suresh Srinivas.
          Hide
          Suresh Srinivas added a comment -

          Patch for 203 and 204 version.

          Show
          Suresh Srinivas added a comment - Patch for 203 and 204 version.
          Hide
          Jitendra Nath Pandey added a comment -

          The patch looks good to me. +1

          Show
          Jitendra Nath Pandey added a comment - The patch looks good to me. +1
          Hide
          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12475167/HADOOP-7215.3.trunk.patch
          against trunk revision 1087159.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 6 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/330//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/330//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/330//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - +1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12475167/HADOOP-7215.3.trunk.patch against trunk revision 1087159. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 6 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/330//testReport/ Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/330//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/330//console This message is automatically generated.
          Hide
          Suresh Srinivas added a comment -

          The reason tests are failing is: local host maps to 127.0.1.1 with no interface configured for it.

          Looks like the other tests use 127.0.0.1 for local host. Doing the same for the newly added test.

          Show
          Suresh Srinivas added a comment - The reason tests are failing is: local host maps to 127.0.1.1 with no interface configured for it. Looks like the other tests use 127.0.0.1 for local host. Doing the same for the newly added test.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12475162/HADOOP-7215.debug.patch
          against trunk revision 1087159.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 6 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these core unit tests:
          org.apache.hadoop.net.TestNetUtils

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/329//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/329//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/329//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12475162/HADOOP-7215.debug.patch against trunk revision 1087159. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 6 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these core unit tests: org.apache.hadoop.net.TestNetUtils +1 contrib tests. The patch passed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/329//testReport/ Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/329//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/329//console This message is automatically generated.
          Hide
          Suresh Srinivas added a comment -

          Patch without debug fails. Trying patch with debug again...

          Show
          Suresh Srinivas added a comment - Patch without debug fails. Trying patch with debug again...
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12475157/HADOOP-7215.2.trunk.patch
          against trunk revision 1087159.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 6 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these core unit tests:
          org.apache.hadoop.net.TestNetUtils

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/328//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/328//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/328//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12475157/HADOOP-7215.2.trunk.patch against trunk revision 1087159. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 6 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these core unit tests: org.apache.hadoop.net.TestNetUtils +1 contrib tests. The patch passed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/328//testReport/ Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/328//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/328//console This message is automatically generated.
          Hide
          Suresh Srinivas added a comment -

          With debug log the test did not fail! Trying a new patch again.

          Show
          Suresh Srinivas added a comment - With debug log the test did not fail! Trying a new patch again.
          Hide
          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12475156/HADOOP-7215.debug.patch
          against trunk revision 1087159.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 6 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/327//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/327//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/327//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - +1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12475156/HADOOP-7215.debug.patch against trunk revision 1087159. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 6 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/327//testReport/ Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/327//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/327//console This message is automatically generated.
          Hide
          Suresh Srinivas added a comment -

          For some reason one of the test I am adding fails in hudson test, but works fine on my machine.

          Uploading a debug version of the patch to understand the problem.

          Show
          Suresh Srinivas added a comment - For some reason one of the test I am adding fails in hudson test, but works fine on my machine. Uploading a debug version of the patch to understand the problem.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12475153/HADOOP-7215.1.trunk.patch
          against trunk revision 1087159.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 6 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these core unit tests:
          org.apache.hadoop.net.TestNetUtils

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/326//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/326//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/326//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12475153/HADOOP-7215.1.trunk.patch against trunk revision 1087159. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 6 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these core unit tests: org.apache.hadoop.net.TestNetUtils +1 contrib tests. The patch passed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/326//testReport/ Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/326//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/326//console This message is automatically generated.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12475153/HADOOP-7215.1.trunk.patch
          against trunk revision 1087159.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 6 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these core unit tests:
          org.apache.hadoop.net.TestNetUtils

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/325//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/325//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/325//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12475153/HADOOP-7215.1.trunk.patch against trunk revision 1087159. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 6 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these core unit tests: org.apache.hadoop.net.TestNetUtils +1 contrib tests. The patch passed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/325//testReport/ Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/325//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/325//console This message is automatically generated.
          Hide
          Suresh Srinivas added a comment -

          updated patch

          Show
          Suresh Srinivas added a comment - updated patch
          Hide
          Suresh Srinivas added a comment -

          Attached patch with changes from option(2) from my previous comment. I also cleaned up NetUtils.java warnings related to javadoc.

          Show
          Suresh Srinivas added a comment - Attached patch with changes from option(2) from my previous comment. I also cleaned up NetUtils.java warnings related to javadoc.
          Hide
          Suresh Srinivas added a comment -

          In that case, we have two choices:

          1. Fail at the client side:
            • If the client principal name does not have <part1>/<part2>@realm format, fail it at the client with appropriate error.
            • If the format is right, treat part2 as host name. Just try to bind to it and if bind fails, then the failure occurs at the client it self with appropriate error.
          1. Fail at the server side:
            • If the client principal name does not have <part1>/<part2>@realm format, bind to any local address for the request.
            • If the format is right, treat part2 as host name. If host name is a valid local address, bind to it else bind to any local address. This request will be rejected by the server.

          I am leaning towards (2) because, server is rightly involved in the decision of rejecting the client. It provides a record of this at both the client and the server. This will help debugging on the server side, independent of client.

          Show
          Suresh Srinivas added a comment - In that case, we have two choices: Fail at the client side: If the client principal name does not have <part1>/<part2>@realm format, fail it at the client with appropriate error. If the format is right, treat part2 as host name. Just try to bind to it and if bind fails, then the failure occurs at the client it self with appropriate error. Fail at the server side: If the client principal name does not have <part1>/<part2>@realm format, bind to any local address for the request. If the format is right, treat part2 as host name. If host name is a valid local address, bind to it else bind to any local address. This request will be rejected by the server. I am leaning towards (2) because, server is rightly involved in the decision of rejecting the client. It provides a record of this at both the client and the server. This will help debugging on the server side, independent of client.
          Hide
          Todd Lipcon added a comment -

          Hi Suresh. This seems like a reasonable solution. Maybe we can also check the kerberos info on the protocol interface, and if there's no clientPrincipal set, we can skip all of this? My thinking is that we want to avoid the reverse DNS lookups for the common case of user->cluster communications where no clientPrincipal annotation is present.

          Show
          Todd Lipcon added a comment - Hi Suresh. This seems like a reasonable solution. Maybe we can also check the kerberos info on the protocol interface, and if there's no clientPrincipal set, we can skip all of this? My thinking is that we want to avoid the reverse DNS lookups for the common case of user->cluster communications where no clientPrincipal annotation is present.
          Hide
          Suresh Srinivas added a comment -

          Here is a way to do that at the RPC client:

          1. get part2 from principal name of format <part1>/<part2>@realm and ensure part2 is a host name.
          2. the address corresponding to this host name belongs to one of the local network interfaces on that host.

          If the above two conditions are satisfied, the bind to the socket to that address, before making rpc calls. It should address the following cases:

          1. Principal name is not of format <part1>/<part2>@realm
          2. part2 is not a valid host name
          3. part2 is a valid host name, but not that of the client host

          Does this sound reasonable?

          Show
          Suresh Srinivas added a comment - Here is a way to do that at the RPC client: get part2 from principal name of format <part1>/<part2>@realm and ensure part2 is a host name. the address corresponding to this host name belongs to one of the local network interfaces on that host. If the above two conditions are satisfied, the bind to the socket to that address, before making rpc calls. It should address the following cases: Principal name is not of format <part1>/<part2>@realm part2 is not a valid host name part2 is a valid host name, but not that of the client host Does this sound reasonable?
          Hide
          Suresh Srinivas added a comment -

          I see what you mean now. We could check if the second part is _HOST in the key and try binding to local address. Let me see if that could be done.

          Show
          Suresh Srinivas added a comment - I see what you mean now. We could check if the second part is _HOST in the key and try binding to local address. Let me see if that could be done.
          Hide
          Suresh Srinivas added a comment -

          I mean HDFS-7104 in my previous comment.

          Show
          Suresh Srinivas added a comment - I mean HDFS-7104 in my previous comment.
          Hide
          Suresh Srinivas added a comment -

          HDFS-1704 for some of the protocols such where clientPrincipal is needed, uses the second part as host name for validation. For such protocols, you cannot use a principal name that you mentioned. This does not affect protocols such as ClientProtocol though.

          Show
          Suresh Srinivas added a comment - HDFS-1704 for some of the protocols such where clientPrincipal is needed, uses the second part as host name for validation. For such protocols, you cannot use a principal name that you mentioned. This does not affect protocols such as ClientProtocol though.
          Hide
          Suresh Srinivas added a comment -

          Patch for the trunk, with minor modifications and tests.

          Show
          Suresh Srinivas added a comment - Patch for the trunk, with minor modifications and tests.
          Hide
          Todd Lipcon added a comment -

          I don't think this is quite right. It works when the IPC client is a server with a principal like hdfs/dn1.foo.com@REALM. But two-part principals are also used for other cases, eg tlipcon/admin@REALM. In this patch, won't that try to bind the local socket of my IPC client to the non-host "admin"?

          Show
          Todd Lipcon added a comment - I don't think this is quite right. It works when the IPC client is a server with a principal like hdfs/dn1.foo.com@REALM. But two-part principals are also used for other cases, eg tlipcon/admin@REALM. In this patch, won't that try to bind the local socket of my IPC client to the non-host "admin"?
          Hide
          Suresh Srinivas added a comment -

          Path for 203 release.

          Show
          Suresh Srinivas added a comment - Path for 203 release.
          Hide
          Suresh Srinivas added a comment -

          Given that the server validate's the host name of the client's connection with the host name in the client's prinicipal name of format <service>/_HOST@realm, I propose binding the client's socket to the address specified in the principal name.

          Show
          Suresh Srinivas added a comment - Given that the server validate's the host name of the client's connection with the host name in the client's prinicipal name of format <service>/_HOST@realm, I propose binding the client's socket to the address specified in the principal name.

            People

            • Assignee:
              Suresh Srinivas
              Reporter:
              Suresh Srinivas
            • Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development