Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 3.3.5, 3.3.6
- None
Description
- In a Kerberos environment, the namenode cannot fetch editlog from journalnode because the request is rejected (403).
- GetJournalEditServlet checks if the request's username meets the requirements through the isValidRequestor function. After HDFS-16686 is merged, remotePrincipal becomes ugi.getUserName().
- In a Kerberos environment, ugi.getUserName() gets the request.getRemoteUser() via DfsServlet's getUGI to get the username, and this username is not a full name.
- Therefore, the obtained username is similar to namenode01 instead of namenode01/host01@REALM.TLD, which means it fails to pass the isValidRequestor check.
reproduction
- In the TestGetJournalEditServlet add testSecurityRequestNameNode
    @Test
    public void testSecurityRequestNameNode() throws IOException, ServletException {
      // Test: Make a request from a namenode
      CONF.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
      UserGroupInformation.setConfiguration(CONF);
      HttpServletRequest request = mock(HttpServletRequest.class);
      when(request.getParameter(UserParam.NAME)).thenReturn("nn/localhost@REALM.TLD");
      when(request.getRemoteUser()).thenReturn("jn");
      boolean isValid = SERVLET.isValidRequestor(request, CONF);
      assertThat(isValid).isTrue();
    }
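
A standalone Java model of the mismatch described above, added here as an illustration and not taken from Hadoop or from any patch for this issue. The class name, the helpers `primary` and `diagnose`, and the principals are constructed; `primary` assumes the short name is the principal's first component.

```java
import java.util.List;

/** Standalone model of the check described above; not Hadoop code. */
public class RequestorCheckDemo {

    /** Primary component of a principal: the text before the first '/' or '@'. */
    static String primary(String principal) {
        int slash = principal.indexOf('/');
        int at = principal.indexOf('@');
        int cut = principal.length();
        if (slash >= 0) cut = Math.min(cut, slash);
        if (at >= 0) cut = Math.min(cut, at);
        return principal.substring(0, cut);
    }

    /** Exact comparison against the allowlisted full principals. */
    static boolean isValidRequestor(String remote, List<String> valid) {
        return remote != null && valid.contains(remote);
    }

    /** Explains a decision so a short-name rejection can be told apart from an unknown caller. */
    static String diagnose(String remote, List<String> valid) {
        if (isValidRequestor(remote, valid)) return "ALLOW";
        if (remote != null) {
            for (String v : valid) {
                if (primary(v).equals(remote)) {
                    return "DENY (short name of allowlisted " + v + ")";
                }
            }
        }
        return "DENY (unknown requestor)";
    }

    public static void main(String[] args) {
        // Constructed allowlist of full namenode principals.
        List<String> valid = List.of(
            "namenode01/host01@REALM.TLD", "namenode02/host02@REALM.TLD");
        // Constructed requests: full principal, short name, same primary on another host.
        String[] requests = {
            "namenode01/host01@REALM.TLD", "namenode01", "namenode01/host99@REALM.TLD"};
        for (String r : requests) {
            System.out.println(r + " -> " + diagnose(r, valid)
                + " [primary=" + primary(r) + "]");
        }
    }
}
```

The third request shares its primary with an allowlisted principal but is a different principal, so a comparison on short names alone would accept a requestor that the full-principal allowlist excludes.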