Details
Type: Bug
Status: Patch Available
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.1.1
Fix Version/s: None
Component/s: None
Description
Let me explain the environment for this description.

    KDC(TEST1.COM) <-- Cross-realm trust --> KDC(TEST2.COM)
          |                                        |
      NameNode1                                NameNode2
          |                                        |
      ------------- DataNodes (federated) -------------
We configured the secure clusters and federated them.
- Principal
- NameNode1 : nn/_HOST@TEST1.COM
- NameNode2 : nn/_HOST@TEST2.COM
- DataNodes : dn/_HOST@TEST2.COM
But DataNodes could not connect to NameNode1, failing with the error below.
WARN SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization failed for dn/hadoop-datanode.test.com@TEST2.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol: this service is only accessible by dn/hadoop-datanode.test.com@TEST1.COM
We have avoided the error with the attached patch.
The patch compares only the username and hostname, ignoring the realm.
I think there is no problem, because if the realms are different and there is no cross-realm setting, they cannot communicate with each other. If you are worried about this, please let me know.
In the long run, it would be better if I could set multiple realms for authorization, like this:

    <property>
      <name>dfs.namenode.kerberos.trust-realms</name>
      <value>TEST1.COM,TEST2.COM</value>
    </property>
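To make the three comparison policies discussed in this issue concrete, here is an added, stand-alone illustration. It is not Hadoop's ServiceAuthorizationManager code and not the attached patch: it is a small Python model of (A) the current whole-principal comparison that produces the warning above, (B) a comparison that ignores the realm, as the description says the patch does, and (C) a comparison that accepts only realms listed in a trust-realms value like the property proposed above. It assumes `_HOST` has already been replaced by the host name, and all principals, the property value and the `OTHER.COM` realm below are constructed for the example.

```python
"""Model of Kerberos principal matching for a Hadoop-style service ACL.

Added example for this issue; not Hadoop code and not the attached patch.
Every principal and realm below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A Kerberos principal split into primary/instance@REALM."""
    primary: str   # service or user name, e.g. "dn"
    instance: str  # host part, e.g. "hadoop-datanode.test.com" ("" if absent)
    realm: str     # e.g. "TEST2.COM"


def parse_principal(name: str) -> Principal:
    """Parse 'primary[/instance]@REALM'; reject anything malformed."""
    if name.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in principal: {name!r}")
    user, realm = name.split("@")
    primary, _, instance = user.partition("/")
    if not primary or not realm:
        raise ValueError(f"empty primary or realm in principal: {name!r}")
    return Principal(primary, instance, realm)


def strict_match(expected: str, actual: str) -> bool:
    """Policy A: the whole principal must be equal, realm included.
    Against expected dn/hadoop-datanode.test.com@TEST1.COM this is the
    comparison that rejects the TEST2.COM DataNode in the log line above."""
    return parse_principal(expected) == parse_principal(actual)


def ignore_realm_match(expected: str, actual: str) -> bool:
    """Policy B: compare only primary and instance; any realm is accepted.
    This mirrors what the description says the attached patch does."""
    e, a = parse_principal(expected), parse_principal(actual)
    return (e.primary, e.instance) == (a.primary, a.instance)


def parse_trust_realms(value: str) -> frozenset:
    """Parse a comma-separated realm list such as 'TEST1.COM,TEST2.COM'.
    Hypothetical format for the proposed dfs.namenode.kerberos.trust-realms."""
    return frozenset(r.strip() for r in value.split(",") if r.strip())


def trusted_realm_match(expected: str, actual: str, trust_realms: frozenset) -> bool:
    """Policy C: primary and instance must match, and the caller's realm must be
    either the expected realm or one explicitly listed in trust_realms."""
    e, a = parse_principal(expected), parse_principal(actual)
    if (e.primary, e.instance) != (a.primary, a.instance):
        return False
    return a.realm == e.realm or a.realm in trust_realms


def decisions(expected: str, actual: str, trust_realms: frozenset) -> dict:
    """Evaluate one caller under all three policies (handy for comparison)."""
    return {
        "strict": strict_match(expected, actual),
        "ignore_realm": ignore_realm_match(expected, actual),
        "trusted_realms": trusted_realm_match(expected, actual, trust_realms),
    }


# Constructed inputs: the NameNode1 ACL entry after _HOST substitution, the
# DataNode principal from the warning above, one from a realm outside the
# list, and one with the wrong service name.
EXPECTED = "dn/hadoop-datanode.test.com@TEST1.COM"
DN_TEST2 = "dn/hadoop-datanode.test.com@TEST2.COM"
DN_OTHER = "dn/hadoop-datanode.test.com@OTHER.COM"
NN_TEST2 = "nn/hadoop-datanode.test.com@TEST2.COM"
TRUST = parse_trust_realms("TEST1.COM,TEST2.COM")

if __name__ == "__main__":
    for caller in (DN_TEST2, DN_OTHER, NN_TEST2):
        print(caller, decisions(EXPECTED, caller, TRUST))
```

Running the block prints one line per constructed caller: the TEST2.COM DataNode is rejected by the strict policy and accepted by the other two; the OTHER.COM DataNode is accepted only by the realm-ignoring policy; the `nn/` principal is rejected by all three. The difference between B and C is exactly the set of realms the NameNode operator has chosen to list.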