  1. Hadoop HDFS
  2. HDFS-4081

NamenodeProtocol and other Secure Protocols should use different config keys for serverPrincipal and clientPrincipal KerberosInfo components


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 2.0.0-alpha, 2.0.1-alpha, 2.0.2-alpha, 2.0.3-alpha
    • Fix Version/s: None
    • Component/s: security
    • Labels: None

    Description

      The Namenode protocol (NamenodeProtocol.java) defines the same config key, dfs.namenode.kerberos.principal, for both ServerPrincipal and ClientPrincipal components of the KerberosInfo data structure. This overloads the meaning of the dfs.namenode.kerberos.principal config key. This key can be used to define the namenode's principal during startup, but in the client case, it is used by ServiceAuthorizationManager.authorize to create a principal name given an incoming client's IP address. If you explicitly set the principal name for the namenode in the Config using this key, it then breaks ServiceAuthorizationManager.authorize, because it expects this same value to contain a Kerberos principal name pattern, NOT an explicit name.

      To solve this issue, the ServerPrincipal and ClientPrincipal components of the NamenodeProtocol should each be assigned unique Config keys.
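
A simplified model of the failure described above, added here as an illustration; it is not code from the report or from Hadoop. It assumes the `_HOST` placeholder convention for principal patterns. The `expand` and `authorize` helpers, the host names, the realm and the second key `example.namenode.client.kerberos.principal` are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

public class PrincipalKeyOverload {
    static final String HOST_TOKEN = "_HOST";
    // Key named in the report; used for both server and client principal.
    static final String SHARED_KEY = "dfs.namenode.kerberos.principal";
    // Hypothetical dedicated key for the client side (not a real Hadoop key).
    static final String CLIENT_KEY = "example.namenode.client.kerberos.principal";

    // Stand-in for the pattern expansion: replace the host component with the
    // caller's host when the configured value is a pattern (service/_HOST@REALM).
    static String expand(String configured, String clientHost) {
        String[] parts = configured.split("[/@]");
        if (parts.length == 3 && parts[1].equals(HOST_TOKEN)) {
            return parts[0] + "/" + clientHost.toLowerCase() + "@" + parts[2];
        }
        return configured; // explicit name: nothing to substitute
    }

    // Stand-in for the client check: the caller must present the principal
    // that the configured value expands to for the caller's own host.
    static boolean authorize(Map<String, String> conf, String clientKey,
                             String callerPrincipal, String callerHost) {
        String configured = conf.get(clientKey);
        if (configured == null) {
            return false;
        }
        return expand(configured, callerHost).equals(callerPrincipal);
    }

    public static void main(String[] args) {
        // Constructed sample values: a caller on another host in the cluster.
        String callerHost = "node2.example.com";
        String caller = "nn/node2.example.com@EXAMPLE.COM";
        Map<String, String> conf = new HashMap<>();

        // Shared key holds a pattern: it expands to the caller's principal.
        conf.put(SHARED_KEY, "nn/_HOST@EXAMPLE.COM");
        System.out.println("pattern in shared key:  " + authorize(conf, SHARED_KEY, caller, callerHost));

        // Shared key holds the namenode's explicit name: the client check now
        // compares every caller against the namenode's own principal.
        conf.put(SHARED_KEY, "nn/node1.example.com@EXAMPLE.COM");
        System.out.println("explicit in shared key: " + authorize(conf, SHARED_KEY, caller, callerHost));

        // Separate keys: explicit server name and client pattern coexist.
        conf.put(CLIENT_KEY, "nn/_HOST@EXAMPLE.COM");
        System.out.println("separate client key:    " + authorize(conf, CLIENT_KEY, caller, callerHost));
    }
}
```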

            People

              Assignee: Unassigned
              Reporter: Ahad Rana (ahadr)
              Votes: 0
              Watchers: 5
