[HADOOP-9789] Support server advertised kerberos principals - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.0.0-alpha, 3.0.0-alpha1
Fix Version/s: 2.1.1-beta
Component/s: ipc, security
Labels:
None

Target Version/s:

2.1.1-beta
Hadoop Flags:

Reviewed

Description

The RPC client currently constructs the kerberos principal based on the a config value, usually with an _HOST substitution. This means the service principal must match the hostname the client is using to connect. This causes problems:

Prevents using HA with IP failover when the servers have distinct principals from the failover hostname
Prevents clients from being able to access a service bound to multiple interfaces. Only the interface that matches the server's principal may be used.

The client should be able to use the SASL advertised principal (~~HADOOP-9698~~), with appropriate safeguards, to acquire the correct service ticket.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-9789.2.patch
13/Aug/13 00:12
0.9 kB
Daryn Sharp
HADOOP-9789.patch
31/Jul/13 15:07
16 kB
Daryn Sharp
HADOOP-9789.patch
29/Jul/13 22:06
13 kB
Daryn Sharp
hadoop-ojoshi-datanode-HW10351.local.log
12/Aug/13 21:20
344 kB
Omkar Vinit Joshi
hadoop-ojoshi-namenode-HW10351.local.log
12/Aug/13 21:20
194 kB
Omkar Vinit Joshi

Issue Links

is related to

HDFS-7546 Document, and set an accepting default for dfs.namenode.kerberos.principal.pattern

Closed

HADOOP-12549 Extend HDFS-7456 default generically to all pattern lookups

Patch Available

Activity

People

Assignee:: Daryn Sharp

Reporter:: Daryn Sharp

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Created:: 29/Jul/13 21:55

Updated:: 12/May/16 18:27

Resolved:: 13/Aug/13 13:44