Description
I have two secure Hadoop clusters. Both clusters use cross-realm authentication.
user_a@A.COM can access the HDFS of the B.COM realm.
By the way, the Hadoop username of user_a@A.COM in the B.COM realm is cross_realm_a_com_user_a.
The hdfs dfs command of user_a@A.COM using B.COM webhdfs failed.
The root cause is that webhdfs connecting to secure HDFS uses the user.name parameter.
According to the webhdfs spec, insecure webhdfs uses user.name and secure webhdfs uses SPNEGO for authentication.
I think webhdfs that connects to secure HDFS should not use the user.name parameter.
I will attach a patch.
Below is the error log:
$ hdfs dfs -ls webhdfs://b.com:50070/
ls: Usernames not matched: name=user_a != expected=cross_realm_a_com_user_a

# user.name in cross realm webhdfs
$ curl -u : --negotiate 'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&user.name=user_a'
{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=user_a != expected=cross_realm_a_com_user_a"}}

# USE SPNEGO
$ curl -u : --negotiate 'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN'
{"Token"{"urlString":"XgA....."}}
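
The rule the report argues for, as an added Python sketch that is not part of the original report and not the attached patch or Hadoop's own client code: a WebHDFS URL builder that sends `user.name` only on an insecure cluster and leaves identity to SPNEGO (or a `delegation` token) on a secure one. The function names and the token value are hypothetical; the host and usernames are the ones from the log above.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def auth_params(security_enabled, short_user=None, delegation_token=None):
    """Return the authentication query parameters for one WebHDFS request."""
    if not security_enabled:
        # Simple auth: the server takes the caller's identity from user.name.
        return [("user.name", short_user)] if short_user else []
    if delegation_token:
        # Secure cluster, token already obtained: the token carries the identity.
        return [("delegation", delegation_token)]
    # Secure cluster, no token: identity comes from the SPNEGO exchange only.
    # A client-side short name (user_a) can differ from the name the remote
    # realm maps the principal to (cross_realm_a_com_user_a), so it is omitted.
    return []


def build_url(host, path, op, security_enabled, short_user=None,
              delegation_token=None):
    """Build a WebHDFS REST URL with the auth parameters for the cluster mode."""
    query = [("op", op)]
    query += auth_params(security_enabled, short_user, delegation_token)
    return f"http://{host}/webhdfs/v1{path}?{urlencode(query)}"


def strip_user_name(url):
    """Drop user.name from an already-built URL bound for a secure cluster."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != "user.name"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Secure cluster: matches the working curl request in the log above.
    print(build_url("b.com:50070", "/", "GETDELEGATIONTOKEN", True,
                    short_user="user_a"))
    # Insecure cluster: user.name is still sent.
    print(build_url("b.com:50070", "/", "LISTSTATUS", False,
                    short_user="user_a"))
    # Constructed token value, for illustration only.
    print(build_url("b.com:50070", "/", "LISTSTATUS", True,
                    delegation_token="CONSTRUCTED_TOKEN"))
```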