Hadoop HDFS
  1. Hadoop HDFS
  2. HDFS-3905

Secure cluster cannot use hftp to an insecure cluster

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 0.23.3
    • Fix Version/s: 0.23.5
    • Component/s: hdfs-client, security
    • Labels:
      None

      Description

      HDFS-3873 fixed the case where all exceptions acquiring tokens for hftp were ignored. Jobs would be submitted sans tokens, and then the tasks would eventually all fail trying to get the missing token. HDFS-3873 made jobs fail to submit if the remote cluster is secure.

      Unfortunately it regressed the ability for a secure cluster to access an insecure cluster over hftp. The issue is unique to 23 due to KSSL.

        Issue Links

          Activity

          Hide
          Daryn Sharp added a comment -

          Try to acquire the service ticket. If it fails, save the exception. Try to connect to the secure port anyway since the cluster might be insecure. If the connect fails, throw it since it's insecure. If the connect succeeds but fails to negotiate, throw the exception acquiring the TGS if one occurred.

          Show
          Daryn Sharp added a comment - Try to acquire the service ticket. If it fails, save the exception. Try to connect to the secure port anyway since the cluster might be insecure. If the connect fails, throw it since it's insecure. If the connect succeeds but fails to negotiate, throw the exception acquiring the TGS if one occurred.
          Hide
          Daryn Sharp added a comment -

          Note this patch is branch-23 specific. The pre-commit will fail.

          Show
          Daryn Sharp added a comment - Note this patch is branch-23 specific. The pre-commit will fail.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12544294/HDFS-3905.patch
          against trunk revision .

          -1 patch. The patch command could not apply the patch.

          Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/3159//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12544294/HDFS-3905.patch against trunk revision . -1 patch. The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/3159//console This message is automatically generated.
          Hide
          Kihwal Lee added a comment -

          It looks good to me.

          Show
          Kihwal Lee added a comment - It looks good to me.
          Hide
          Thomas Graves added a comment -

          +1. Looks good. I verified this fixes the TestHftpDelegationToken on 0.23. Thanks Daryn!

          Show
          Thomas Graves added a comment - +1. Looks good. I verified this fixes the TestHftpDelegationToken on 0.23. Thanks Daryn!
          Hide
          Thomas Graves added a comment -

          fix only applies to 0.23 branch.

          Show
          Thomas Graves added a comment - fix only applies to 0.23 branch.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-0.23-Build #394 (See https://builds.apache.org/job/Hadoop-Hdfs-0.23-Build/394/)
          HDFS-3905. Secure cluster cannot use hftp to an insecure cluster (Daryn Sharp via tgraves) (Revision 1393699)

          Result = SUCCESS
          tgraves : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1393699
          Files :

          • /hadoop/common/branches/branch-0.23/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          • /hadoop/common/branches/branch-0.23/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/DelegationTokenFetcher.java
          Show
          Hudson added a comment - Integrated in Hadoop-Hdfs-0.23-Build #394 (See https://builds.apache.org/job/Hadoop-Hdfs-0.23-Build/394/ ) HDFS-3905 . Secure cluster cannot use hftp to an insecure cluster (Daryn Sharp via tgraves) (Revision 1393699) Result = SUCCESS tgraves : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1393699 Files : /hadoop/common/branches/branch-0.23/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt /hadoop/common/branches/branch-0.23/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/DelegationTokenFetcher.java
          Hide
          Suresh Srinivas added a comment -

          Is this change not needed for trunk and branch-2?

          Show
          Suresh Srinivas added a comment - Is this change not needed for trunk and branch-2?
          Hide
          Daryn Sharp added a comment -

          I don't think so. The issue is specific to KSSL, which I don't think trunk/branch-2 supports?

          Show
          Daryn Sharp added a comment - I don't think so. The issue is specific to KSSL, which I don't think trunk/branch-2 supports?
          Hide
          Suresh Srinivas added a comment -

          Thanks Daryn.

          Show
          Suresh Srinivas added a comment - Thanks Daryn.

            People

            • Assignee:
              Daryn Sharp
              Reporter:
              Daryn Sharp
            • Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development