Hadoop HDFS / HDFS-17276

The nn fetch editlog forbidden in kerberos environment

Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.3.5, 3.3.6
    • Fix Version/s: None
    • Component/s: qjm, security

    Description

      • In a Kerberos environment, the namenode cannot fetch the editlog from the journalnode because the request is rejected with HTTP 403.
      • GetJournalEditServlet checks whether the requesting user is allowed through the isValidRequestor function. Since HDFS-16686 was merged, remotePrincipal is taken from ugi.getUserName().
      • In a Kerberos environment, the UGI is built in DfsServlet's getUGI from request.getRemoteUser(), so ugi.getUserName() returns the remote user name, which is the short name rather than the full Kerberos principal.
      • The name that is compared is therefore something like namenode01 instead of namenode01/host01@REALM.TLD, which means it fails the isValidRequestor check.
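      The mismatch described above, as an added model of the isValidRequestor comparison (this is illustrative code written for this page, not Hadoop's own; the principal pattern, hostnames and the _HOST substitution are assumptions modelled on the description):

```python
import re

# Constructed model of GetJournalEditServlet.isValidRequestor() as described
# in HDFS-17276. Not Hadoop code: simplified to show why a short user name
# from request.getRemoteUser() can never match a set of full principals.

# Kerberos principal shape: primary[/instance]@REALM
PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<host>[^@]+))?@(?P<realm>.+)$")


def server_principal(pattern: str, host: str) -> str:
    """Mimic SecurityUtil.getServerPrincipal: replace _HOST with the node's host (assumed lower-cased)."""
    return pattern.replace("_HOST", host.lower())


def valid_requestors(nn_hosts, nn_principal_pattern: str, jn_principal: str) -> set:
    """Full principals allowed to fetch edits: every namenode's principal plus the journalnode itself."""
    allowed = {server_principal(nn_principal_pattern, h) for h in nn_hosts}
    allowed.add(jn_principal)
    return allowed


def short_name(full_principal: str) -> str:
    """What the default auth_to_local rule leaves in getRemoteUser(): the primary component only."""
    m = PRINCIPAL_RE.match(full_principal)
    return m.group("primary") if m else full_principal


def is_full_principal(name: str) -> bool:
    """True only when the name still carries a realm, i.e. it was not reduced to a short name."""
    return PRINCIPAL_RE.match(name) is not None


def is_valid_requestor(remote_principal: str, allowed: set) -> bool:
    """The authorization decision: exact membership in the full-principal set."""
    return remote_principal in allowed


if __name__ == "__main__":
    allowed = valid_requestors(["host01", "host02"], "namenode01/_HOST@REALM.TLD", "jn/host03@REALM.TLD")
    full = "namenode01/host01@REALM.TLD"
    short = short_name(full)  # "namenode01", as seen after HDFS-16686
    print(full, "->", is_valid_requestor(full, allowed))    # True
    print(short, "->", is_valid_requestor(short, allowed))  # False: the 403 in this report
```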

      Reproduction

      • Add testSecurityRequestNameNode to TestGetJournalEditServlet (uses the test class's existing CONF and SERVLET fields):

      @Test
      public void testSecurityRequestNameNode() throws IOException, ServletException {
        // Test: Make a request from a namenode in a Kerberos-enabled configuration
        CONF.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
        UserGroupInformation.setConfiguration(CONF);

        HttpServletRequest request = mock(HttpServletRequest.class);
        // Full principal is supplied as the user parameter ...
        when(request.getParameter(UserParam.NAME)).thenReturn("nn/localhost@REALM.TLD");
        // ... but the authenticated remote user is only the short name
        when(request.getRemoteUser()).thenReturn("jn");
        boolean isValid = SERVLET.isValidRequestor(request, CONF);

        // Fails on the affected versions because the short name is compared
        assertThat(isValid).isTrue();
      }

      People

        Assignee: Unassigned
        Reporter: kuper