Hadoop HDFS
  1. Hadoop HDFS
  2. HDFS-4105

the SPNEGO user for secondary namenode should use the web keytab

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 1.1.0, 2.0.2-alpha
    • Fix Version/s: 1.1.1, 2.0.3-alpha
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      This is similar to HDFS-3466 where we made sure the namenode checks for the web keytab before it uses the namenode keytab.

      The same needs to be done for secondary namenode as well.

      String httpKeytab = 
                    conf.get(DFSConfigKeys.DFS_SECONDARY_NAMENODE_KEYTAB_FILE_KEY);
                  if (httpKeytab != null && !httpKeytab.isEmpty()) {
                    params.put("kerberos.keytab", httpKeytab);
                  }
      
      1. HDFS-4105.branch-1.patch
        1 kB
        Arpit Gupta
      2. HDFS-4105.patch
        1 kB
        Arpit Gupta

        Issue Links

          Activity

          Hide
          Arpit Gupta added a comment -

          patch for branch-1

          Show
          Arpit Gupta added a comment - patch for branch-1
          Hide
          Arpit Gupta added a comment -

          patch for trunk.

          Show
          Arpit Gupta added a comment - patch for trunk.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12550378/HDFS-4105.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-hdfs-project/hadoop-hdfs.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/3384//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/3384//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12550378/HDFS-4105.patch against trunk revision . +1 @author . The patch does not contain any @author tags. -1 tests included . The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 javadoc . The javadoc tool did not generate any warning messages. +1 eclipse:eclipse . The patch built with eclipse:eclipse. +1 findbugs . The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 core tests . The patch passed unit tests in hadoop-hdfs-project/hadoop-hdfs. +1 contrib tests . The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/3384//testReport/ Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/3384//console This message is automatically generated.
          Hide
          Arpit Gupta added a comment -

          no tests are added as changes are related to secure setup.

          here is the test patch output for branch-1

          [exec] BUILD SUCCESSFUL
               [exec] Total time: 5 minutes 0 seconds
               [exec] 
               [exec] 
               [exec] 
               [exec] 
               [exec] -1 overall.  
               [exec] 
               [exec]     +1 @author.  The patch does not contain any @author tags.
               [exec] 
               [exec]     -1 tests included.  The patch doesn't appear to include any new or modified tests.
               [exec]                         Please justify why no tests are needed for this patch.
               [exec] 
               [exec]     +1 javadoc.  The javadoc tool did not generate any warning messages.
               [exec] 
               [exec]     +1 javac.  The applied patch does not increase the total number of javac compiler warnings.
               [exec] 
               [exec]     -1 findbugs.  The patch appears to introduce 9 new Findbugs (version 1.3.9) warnings.
          

          Findbugs warnings are not related to this patch.

          Show
          Arpit Gupta added a comment - no tests are added as changes are related to secure setup. here is the test patch output for branch-1 [exec] BUILD SUCCESSFUL [exec] Total time: 5 minutes 0 seconds [exec] [exec] [exec] [exec] [exec] -1 overall. [exec] [exec] +1 @author. The patch does not contain any @author tags. [exec] [exec] -1 tests included. The patch doesn't appear to include any new or modified tests. [exec] Please justify why no tests are needed for this patch. [exec] [exec] +1 javadoc. The javadoc tool did not generate any warning messages. [exec] [exec] +1 javac. The applied patch does not increase the total number of javac compiler warnings. [exec] [exec] -1 findbugs. The patch appears to introduce 9 new Findbugs (version 1.3.9) warnings. Findbugs warnings are not related to this patch.
          Hide
          Arpit Gupta added a comment -

          patched a secure hadoop 1.1.0 deploy with the patch and now the secondary namenode is able to log in.

          Question if the HTTP principal fails to login should we not stop the secondary namenode server? I think we should do that as the image calls would fail without the if the HTTP principal was not available. Let me know and i can log a different jira for it.

          Show
          Arpit Gupta added a comment - patched a secure hadoop 1.1.0 deploy with the patch and now the secondary namenode is able to log in. Question if the HTTP principal fails to login should we not stop the secondary namenode server? I think we should do that as the image calls would fail without the if the HTTP principal was not available. Let me know and i can log a different jira for it.
          Hide
          Jitendra Nath Pandey added a comment -

          +1

          Show
          Jitendra Nath Pandey added a comment - +1
          Hide
          Hudson added a comment -

          Integrated in Hadoop-trunk-Commit #3036 (See https://builds.apache.org/job/Hadoop-trunk-Commit/3036/)
          HDFS-4105. The SPNEGO user for secondary namenode should use the web keytab. Contributed by Arpit Gupta. (Revision 1410691)

          Result = SUCCESS
          jitendra : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1410691
          Files :

          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
          Show
          Hudson added a comment - Integrated in Hadoop-trunk-Commit #3036 (See https://builds.apache.org/job/Hadoop-trunk-Commit/3036/ ) HDFS-4105 . The SPNEGO user for secondary namenode should use the web keytab. Contributed by Arpit Gupta. (Revision 1410691) Result = SUCCESS jitendra : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1410691 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
          Hide
          Jitendra Nath Pandey added a comment -

          Committed to trunk, branch-2, branch-1 and branch-1.1. Thanks to Arpit.

          Show
          Jitendra Nath Pandey added a comment - Committed to trunk, branch-2, branch-1 and branch-1.1. Thanks to Arpit.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Yarn-trunk #39 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/39/)
          HDFS-4105. The SPNEGO user for secondary namenode should use the web keytab. Contributed by Arpit Gupta. (Revision 1410691)

          Result = SUCCESS
          jitendra : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1410691
          Files :

          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
          Show
          Hudson added a comment - Integrated in Hadoop-Yarn-trunk #39 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/39/ ) HDFS-4105 . The SPNEGO user for secondary namenode should use the web keytab. Contributed by Arpit Gupta. (Revision 1410691) Result = SUCCESS jitendra : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1410691 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-trunk #1229 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1229/)
          HDFS-4105. The SPNEGO user for secondary namenode should use the web keytab. Contributed by Arpit Gupta. (Revision 1410691)

          Result = SUCCESS
          jitendra : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1410691
          Files :

          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
          Show
          Hudson added a comment - Integrated in Hadoop-Hdfs-trunk #1229 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1229/ ) HDFS-4105 . The SPNEGO user for secondary namenode should use the web keytab. Contributed by Arpit Gupta. (Revision 1410691) Result = SUCCESS jitendra : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1410691 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-trunk #1260 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1260/)
          HDFS-4105. The SPNEGO user for secondary namenode should use the web keytab. Contributed by Arpit Gupta. (Revision 1410691)

          Result = FAILURE
          jitendra : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1410691
          Files :

          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk #1260 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1260/ ) HDFS-4105 . The SPNEGO user for secondary namenode should use the web keytab. Contributed by Arpit Gupta. (Revision 1410691) Result = FAILURE jitendra : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1410691 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
          Hide
          Matt Foley added a comment -

          Closed upon release of 1.1.1.

          Show
          Matt Foley added a comment - Closed upon release of 1.1.1.

            People

            • Assignee:
              Arpit Gupta
              Reporter:
              Arpit Gupta
            • Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development