Hadoop HDFS: HDFS-3727

When using SPNEGO, NN should not try to log in using KSSL principal

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.1.0, 1.1.1, 1.2.0
    • Fix Version/s: 1.1.2
    • Component/s: namenode
    • Labels: None
    • Target Version/s:
    • Hadoop Flags: Reviewed

      Description

      When performing a checkpoint with security enabled, the NN will attempt to relogin from its keytab before making an HTTP request back to the 2NN to fetch the newly-merged image. However, it always attempts to log in using the KSSL principal, even if SPNEGO is configured to be used.

      This issue was discovered by Stephen Chu.

      1. HDFS-3727.patch
        2 kB
        Aaron T. Myers

        Activity

        Aaron T. Myers added a comment -

        Here's a patch which addresses the issue. Instead of logging in as the KSSL principal, we now always log in as the hdfs/ principal. This change also allows us to trim down the set of principals who may legitimately hit the GetImageServlet to only the NN and 2NN hdfs/ principals, instead of those and the NN and 2NN host/ principals.

        I missed this in my testing since I always had both the KSSL and SPNEGO principals configured in my conf, even though I was switching back and forth between using SPNEGO and KSSL. I tested this patch by ensuring that the KSSL principals were commented out when testing checkpointing with SPNEGO, and likewise that the SPNEGO principals were commented out when testing checkpointing with KSSL.
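
A simplified model of the two behaviours described in the comment above, as an added example that is not Hadoop's code or part of the attached patch. The map keys, host names and realm are constructed, and treating the KSSL principals as the host/ principals is an assumption.

```java
import java.util.*;

public class CheckpointPrincipalModel {
    // Constructed sample data; the map keys are hypothetical, not Hadoop configuration keys.
    static Map<String, String> conf(boolean withKssl) {
        Map<String, String> c = new HashMap<>();
        c.put("nn.hdfs", "hdfs/nn.example.com@EXAMPLE.COM");
        c.put("2nn.hdfs", "hdfs/snn.example.com@EXAMPLE.COM");
        if (withKssl) { // assumption: the KSSL principals are the host/ principals
            c.put("nn.kssl", "host/nn.example.com@EXAMPLE.COM");
            c.put("2nn.kssl", "host/snn.example.com@EXAMPLE.COM");
        }
        return c;
    }

    // Pre-patch behaviour from the description: the relogin always used the KSSL principal.
    static Optional<String> loginBefore(Map<String, String> c) {
        return Optional.ofNullable(c.get("nn.kssl"));
    }

    // Patched behaviour: the relogin always uses the hdfs/ principal.
    static Optional<String> loginAfter(Map<String, String> c) {
        return Optional.ofNullable(c.get("nn.hdfs"));
    }

    // Principals accepted by the image servlet; wide=true models the pre-patch set.
    static Set<String> allowed(Map<String, String> c, boolean wide) {
        Set<String> out = new LinkedHashSet<>();
        for (String role : new String[] {"nn", "2nn"}) {
            out.add(c.get(role + ".hdfs"));
            if (wide) out.add(c.get(role + ".kssl"));
        }
        out.remove(null); // an unset principal must never match a caller
        return out;
    }

    static boolean mayFetch(Set<String> allowed, String remoteUser) {
        return remoteUser != null && allowed.contains(remoteUser); // exact match only
    }

    public static void main(String[] args) {
        Map<String, String> spnegoOnly = conf(false), both = conf(true);
        System.out.println("SPNEGO-only, before: " + loginBefore(spnegoOnly));
        System.out.println("SPNEGO-only, after:  " + loginAfter(spnegoOnly));
        String host2nn = "host/snn.example.com@EXAMPLE.COM";
        System.out.println("host/ caller, wide set:    " + mayFetch(allowed(both, true), host2nn));
        System.out.println("host/ caller, trimmed set: " + mayFetch(allowed(both, false), host2nn));
    }
}
```

With the SPNEGO-only configuration the pre-patch selection finds no principal to log in with, and with both sets configured the trimmed allow-list rejects a host/ caller that the wider one accepted.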

        Todd Lipcon added a comment -

        +1 pending jenkins

        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12537941/HDFS-3727.patch
        against trunk revision .

        -1 patch. The patch command could not apply the patch.

        Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/2909//console

        This message is automatically generated.

        Aaron T. Myers added a comment -

        Jenkins isn't going to work since this patch is for branch-1. I'm going to go ahead and commit this based on Todd's +1.

        Aaron T. Myers added a comment -

        I've just committed this to branch-1. Thanks a lot for the review, Todd.

        Arpit Gupta added a comment -

        Can we commit this to branch 1.1 so that the next release can pull it in?

        Also a couple of unused imports got left in the class after this patch.

        Suresh Srinivas added a comment -

        I committed the patch to branch-1.1/

        Matt Foley added a comment -

        Closed upon successful release of 1.1.2.


          People

          • Assignee: Aaron T. Myers
          • Reporter: Aaron T. Myers
          • Votes: 0
          • Watchers: 7