Patch for trunk. Exactly the same as the 20 patch, which we've tested manually extensively here. This code is buried quite deep in the guts of the secondary namenode; I think a new unit test isn't feasible here, without a serious, potentially destabilizing refactor. I'd like to go ahead without one.
This issue occurs, and prevents the 2ndNN from functioning correctly, when a machine is running on a secure cluster and using IP aliasing to run as a different host than is returned from getLocalHost. The NN will attempt to connect to the local host (say 192.168.0.1) rather than the alias (say secure-2nn), and this will fail the Kerberized SSL authentication and prevent the merged image from being downloaded.
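The mismatch described above, as an added example (not code from the patch or from Hadoop): it compares the host obtained from `getLocalHost` with a host taken from a configured address, and checks each against the host component of a Kerberos service principal. The principal, the `host:port` setting and all class and method names are assumptions made for the illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public class AdvertisedHostCheck {

    // Host the 2NN advertises for the image download. configuredAddr is a
    // hypothetical "host:port" setting that carries the alias.
    static String advertisedHost(String configuredAddr) throws UnknownHostException {
        int colon = configuredAddr.lastIndexOf(':');
        String host = colon < 0 ? configuredAddr : configuredAddr.substring(0, colon);
        if (host.isEmpty() || host.equals("0.0.0.0")) {
            // Wildcard bind carries no name, so only the local host is left.
            return InetAddress.getLocalHost().getCanonicalHostName();
        }
        return host;
    }

    // Host component of a Kerberos service principal "service/host@REALM".
    static String principalHost(String principal) {
        int slash = principal.indexOf('/');
        int at = principal.lastIndexOf('@');
        if (slash < 0 || (at >= 0 && at < slash)) {
            throw new IllegalArgumentException("no host component: " + principal);
        }
        return principal.substring(slash + 1, at < 0 ? principal.length() : at);
    }

    static boolean matchesPrincipal(String host, String principal) {
        return host.equalsIgnoreCase(principalHost(principal));
    }

    public static void main(String[] args) throws UnknownHostException {
        String principal = "host/secure-2nn@EXAMPLE.COM"; // constructed sample
        String configured = "secure-2nn:50090";           // constructed sample

        InetAddress local = InetAddress.getLocalHost();
        String[] candidates = {
            local.getHostAddress(),          // the local-host case the issue describes
            local.getCanonicalHostName(),
            advertisedHost(configured)       // alias taken from configuration
        };
        for (String host : candidates) {
            System.out.printf("%-30s matches %s: %b%n",
                host, principal, matchesPrincipal(host, principal));
        }
    }
}
```

On a machine whose own name is not `secure-2nn`, only the last candidate matches the principal, which is the condition under which the Kerberized SSL connection to the local host fails.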