Hadoop HDFS / HDFS-14375

DataNode cannot serve BlockPool to multiple NameNodes in different realms

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.1.1
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      Let me explain the environment for a description.

      KDC(TEST1.COM) <-- Cross-realm trust -->  KDC(TEST2.COM)
         |                                         |
      NameNode1                                 NameNode2
         |                                         |
         ---------- DataNodes (federated) ----------
      

      We configured the secure clusters and federated them.

      • Principal
        • NameNode1 : nn/_HOST@TEST1.COM
        • NameNode2 : nn/_HOST@TEST2.COM
        • DataNodes : dn/_HOST@TEST2.COM

      But the DataNodes could not connect to NameNode1, failing with the error below.

      WARN SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization failed for dn/hadoop-datanode.test.com@TEST2.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol: this service is only accessible by dn/hadoop-datanode.test.com@TEST1.COM
      

      We have avoided the error with the attached patch.
      The patch checks using only the username and hostname, excluding the realm.
      I think there is no problem, because if the realms are different and there is no cross-realm setting, they cannot communicate with each other. If you are worried about this, please let me know.

      In the long run, it would be better if I could set multiple realms for authorization, like this:

      <property>
        <name>dfs.namenode.kerberos.trust-realms</name>
        <value>TEST1.COM,TEST2.COM</value>
      </property>
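
The three authorization comparisons discussed in this report (the strict match that produced the log line, the realm-ignoring check of the attached patch as described, and the proposed trusted-realm list), as an added Java sketch that is neither Hadoop code nor the attached patch. `RealmCheckDemo` and its methods are hypothetical names, `dfs.namenode.kerberos.trust-realms` is only the reporter's proposed property, and `OTHER.EXAMPLE` is a constructed realm; Kerberos authentication is assumed to have already succeeded before this check runs.

```java
import java.util.Set;

// Added illustration, not Hadoop source. All class and method names are hypothetical.
public class RealmCheckDemo {
    // Kerberos service principal of the form primary/host@REALM
    record Principal(String primary, String host, String realm) {
        static Principal parse(String s) {
            int at = s.lastIndexOf('@');
            int slash = s.indexOf('/');
            if (at < 0 || slash < 0 || slash > at) {
                throw new IllegalArgumentException("expected primary/host@REALM: " + s);
            }
            // Host names compare case-insensitively; realms stay case-sensitive.
            return new Principal(s.substring(0, slash),
                    s.substring(slash + 1, at).toLowerCase(), s.substring(at + 1));
        }
        boolean sameService(Principal o) {
            return primary.equals(o.primary) && host.equals(o.host);
        }
    }

    // Behaviour seen in the log line: the full principal, realm included, must match.
    static boolean strict(Principal expected, Principal client) {
        return expected.equals(client);
    }

    // The attached patch as described: username and hostname only, realm ignored.
    static boolean ignoreRealm(Principal expected, Principal client) {
        return expected.sameService(client);
    }

    // The proposed list: username and hostname match AND the realm is explicitly trusted.
    static boolean trustedRealms(Principal expected, Principal client, Set<String> realms) {
        return expected.sameService(client) && realms.contains(client.realm());
    }

    public static void main(String[] args) {
        Principal expected = Principal.parse("dn/hadoop-datanode.test.com@TEST1.COM");
        Set<String> trusted = Set.of("TEST1.COM", "TEST2.COM"); // value of the proposed property
        String[] clients = {
            "dn/hadoop-datanode.test.com@TEST1.COM",
            "dn/hadoop-datanode.test.com@TEST2.COM",
            "dn/hadoop-datanode.test.com@OTHER.EXAMPLE", // constructed, not from the report
        };
        for (String c : clients) {
            Principal p = Principal.parse(c);
            System.out.printf("%-44s strict=%b ignoreRealm=%b trustedRealms=%b%n", c,
                    strict(expected, p), ignoreRealm(expected, p), trustedRealms(expected, p, trusted));
        }
    }
}
```

Run with Java 16 or later. Only the trusted-realm variant distinguishes `TEST2.COM` from the constructed third realm at the authorization step.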
      

            People

            • Assignee: Unassigned
            • Reporter: Jihyun Cho
            • Votes: 0
            • Watchers: 3
