Hadoop Common / HADOOP-9789

Support server advertised kerberos principals

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-alpha, 3.0.0-alpha1
    • Fix Version/s: 2.1.1-beta
    • Component/s: ipc, security
    • Labels: None
    • Hadoop Flags: Reviewed

      Description

      The RPC client currently constructs the kerberos principal based on a config value, usually with an _HOST substitution. This means the service principal must match the hostname the client is using to connect. This causes problems:

      • Prevents using HA with IP failover when the servers have distinct principals from the failover hostname
      • Prevents clients from being able to access a service bound to multiple interfaces. Only the interface that matches the server's principal may be used.

      The client should be able to use the SASL advertised principal (HADOOP-9698), with appropriate safeguards, to acquire the correct service ticket.
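
The mismatch described above, and one possible form of the "appropriate safeguards", as an added Java example that is not code from the Hadoop patch. The class and method names, hosts, realm and the glob-pattern check are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Added illustration; class, method names, hosts and realm are hypothetical, not Hadoop's API.
public class AdvertisedPrincipalCheck {

    // What the description says the client does today: fill _HOST with the name it connects to.
    static String fromConfig(String confPrincipal, String connectHost) {
        return confPrincipal.replace("_HOST", connectHost.toLowerCase(Locale.ROOT));
    }

    // Translate a glob such as nn/*@REALM into a regex, quoting everything except '*'.
    static boolean globMatches(String glob, String principal) {
        String regex = Arrays.stream(glob.split("\\*", -1))
                .map(Pattern::quote)
                .collect(Collectors.joining(".*"));
        return Pattern.matches(regex, principal);
    }

    // Assumed safeguard: use the advertised principal only if it matches an
    // operator-configured pattern; with no pattern, it must equal the config-derived one.
    static String choose(String confPrincipal, String connectHost,
                         String advertised, String allowedPattern) {
        String expected = fromConfig(confPrincipal, connectHost);
        if (advertised == null) return expected;
        boolean ok = (allowedPattern != null)
                ? globMatches(allowedPattern, advertised)
                : advertised.equals(expected);
        if (!ok) throw new SecurityException("untrusted server principal: " + advertised);
        return advertised;
    }

    public static void main(String[] args) {
        String conf = "nn/_HOST@EXAMPLE.COM", vip = "nn-vip.example.com";
        String pattern = "nn/*.example.com@EXAMPLE.COM";
        // Failover name differs from the server's own principal: config alone picks the wrong one.
        System.out.println(fromConfig(conf, vip));
        // Advertised principal accepted because it matches the allowed pattern.
        System.out.println(choose(conf, vip, "nn/nn1.example.com@EXAMPLE.COM", pattern));
        // An advertised principal outside the pattern is rejected.
        try {
            choose(conf, vip, "host/other.example.org@EXAMPLE.COM", pattern);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In this sketch `*` also matches `/` and `@`, so the allowed pattern should pin the service name and realm literally and leave only the host part open.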

        Attachments

        1. HADOOP-9789.2.patch
          0.9 kB
          Daryn Sharp
        2. HADOOP-9789.patch
          16 kB
          Daryn Sharp
        3. HADOOP-9789.patch
          13 kB
          Daryn Sharp
        4. hadoop-ojoshi-datanode-HW10351.local.log
          344 kB
          Omkar Vinit Joshi
        5. hadoop-ojoshi-namenode-HW10351.local.log
          194 kB
          Omkar Vinit Joshi

              People

              • Assignee: Daryn Sharp (daryn)
              • Reporter: Daryn Sharp (daryn)
              • Votes: 0
              • Watchers: 12