Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 2.2.0
    • Fix Version/s: 2.4.0
    • Component/s: nfs
    • Labels:
      None
    • Hadoop Flags:
      Incompatible change, Reviewed
    • Release Note:
      Fixes NFS on Kerberized cluster.

      Description

      When using HDFS nfs gateway with secure hadoop (hadoop.security.authentication: kerberos), mounting hdfs fails.
      Additionally, there is no mechanism to support proxy user (nfs needs to proxy as the user invoking commands on the hdfs mount).

      Steps to reproduce:
      1) start a hadoop cluster with kerberos enabled.
      2) sudo su -l nfsserver and start an nfs server. This 'nfsserver' account has an account in kerberos.
      3) Get the keytab for nfsserver, and issue the following mount command: mount -t nfs -o vers=3,proto=tcp,nolock $server:/ $mount_point
      4) You'll see in the nfsserver logs that Kerberos is complaining about not having a TGT for root.
      This is the stacktrace:
      java.io.IOException: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "my-nfs-server-host.com/10.252.4.197"; destination host is: "my-namenode-host.com":8020;
      at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:764)
      at org.apache.hadoop.ipc.Client.call(Client.java:1351)
      at org.apache.hadoop.ipc.Client.call(Client.java:1300)
      at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:206)
      at com.sun.proxy.$Proxy9.getFileLinkInfo(Unknown Source)
      at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:606)
      at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:186)
      at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:102)
      at com.sun.proxy.$Proxy9.getFileLinkInfo(Unknown Source)
      at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileLinkInfo(ClientNamenodeProtocolTranslatorPB.java:664)
      at org.apache.hadoop.hdfs.DFSClient.getFileLinkInfo(DFSClient.java:1713)
      at org.apache.hadoop.hdfs.nfs.nfs3.Nfs3Utils.getFileStatus(Nfs3Utils.java:58)
      at org.apache.hadoop.hdfs.nfs.nfs3.Nfs3Utils.getFileAttr(Nfs3Utils.java:79)
      at org.apache.hadoop.hdfs.nfs.nfs3.RpcProgramNfs3.fsinfo(RpcProgramNfs3.java:1643)
      at org.apache.hadoop.hdfs.nfs.nfs3.RpcProgramNfs3.handleInternal(RpcProgramNfs3.java:1891)
      at org.apache.hadoop.oncrpc.RpcProgram.messageReceived(RpcProgram.java:143)
      at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
      at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560)
      at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:787)
      at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:281)
      at org.apache.hadoop.oncrpc.RpcUtil$RpcMessageParserStage.messageReceived(RpcUtil.java:132)
      at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
      at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560)
      at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:787)
      at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
      at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
      at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
      at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
      at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
      at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560)
      at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:555)
      at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
      at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
      at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
      at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:107)
      at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:312)
      at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:88)
      at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
      at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
      at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:744)
      Caused by: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
      at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:620)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.Subject.doAs(Subject.java:415)
      at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1491)
      at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:583)
      at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:667)
      at org.apache.hadoop.ipc.Client$Connection.access$2600(Client.java:314)
      at org.apache.hadoop.ipc.Client.getConnection(Client.java:1399)
      at org.apache.hadoop.ipc.Client.call(Client.java:1318)
      ... 43 more
      Caused by: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
      at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:170)
      at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:387)
      at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:494)
      at org.apache.hadoop.ipc.Client$Connection.access$1700(Client.java:314)
      at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:659)
      at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:655)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.Subject.doAs(Subject.java:415)
      at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1491)
      at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:654)

      1. HDFS-5804-documentation.patch
        2 kB
        Abin Shahab
      2. HDFS-5804.patch
        9 kB
        Abin Shahab
      3. HDFS-5804.patch
        10 kB
        Abin Shahab
      4. HDFS-5804.patch
        10 kB
        Abin Shahab
      5. HDFS-5804.patch
        7 kB
        Abin Shahab
      6. HDFS-5804.patch
        8 kB
        Abin Shahab
      7. exception-as-root.log
        179 kB
        Abin Shahab
      8. HDFS-5804.patch
        8 kB
        Abin Shahab
      9. javadoc-before-patch.log
        1.64 MB
        Abin Shahab
      10. javadoc-after-patch.log
        1.63 MB
        Abin Shahab
      11. HDFS-5804.patch
        9 kB
        Abin Shahab

          Activity

          Brandon Li added a comment -

          Abin Shahab, HDFS-5539 is filed to track the security enhancement. Currently NFS gateway can't work with secure cluster. I'm moving this JIRA under HDFS-5539 to track the effort.

          Abin Shahab added a comment -

          This patch resolves the above-mentioned root-mounting problem.
          However, it has to explicitly check for root. This is because the nfs client mounts as root, and right after, it does a getFileAttr call on hdfs '/'. With kerberos on, the root user does not have access to do this. If someone can advise on a way to avoid this root check, it would be great.

          Abin Shahab added a comment -

          This is patched against trunk.

          Abin Shahab added a comment -

          Patch emits some javadoc warnings, but there are no differences between the javadoc output of the version with the patch and version without the patch.

          Abin Shahab added a comment -

          The before and after logs of the call: mvn clean test javadoc:javadoc -DskipTests -Pdocs

          Daryn Sharp added a comment -

          I'm unfamiliar with the nfs code to level set these comments. My initial feeling is that the conditional logic is less than desirable.

          Relative to the provided patch, I think there's a clean way to avoid the explicit root check. The check seems circumspect as in there shouldn't be a pre-condition that the fuse daemon run as "root". My basic understanding is that fuse runs as root to access user ticket caches. However, there's no reason I couldn't map a different username to uid 0, allow a non-privileged user to access the ticket caches based on group perms, use SELinux capabilities to grant a fsuid of root to the fuse daemon, etc.

          Anyway, back to the patch. A better way may be to check the given username against the current user. Create a proxy user if they are different, else return the current user. No isSecurityEnabled or root comparison needed. Or better yet, just always create a proxy user. A proxy will work with or w/o security, and proxy of the same user also/should work.

          I'm unclear how this patch solves the issue of root cannot stat /. A proxy is only being created if the user isn't root so how does this fix the issue?

          Abin Shahab added a comment -

          Updated patch does not have special case on root.
          Tested with nfs-gateway running as a non-root kerberized user.

          Abin Shahab added a comment -

          This is the exception I get now.
          ROOT is doing the mount of nfs.
          As part of the mount, it issues an FSINFO call, which fails, and it fails the mount.

          I propose we catch and log the access control exception for this failure, but not necessarily fail the mount.

          Jing Zhao added a comment -

          So I guess the idea here is that the nfs gateway acts as a service, and authenticates itself through Kerberos to Hadoop/HDFS. Then for the clients of nfs, if a client can authenticate itself in the NFS gateway (currently we only support AUTH_UNIX, and we plan to support GSS in HDFS-5539), the nfs gateway will create a proxy user for the client and use the proxy user to communicate with HDFS.

          Back to the exception, I have not tested myself, but have you added the proxy user setting in your HDFS's configuration? Because I saw the exception msg is "User: nfsserver/krb-nfs-desktop.my.company.com@KRB.ALTISCALE.COM is not allowed to impersonate root".

          Abin Shahab added a comment -

          Jing, Thanks a lot for looking at the issue. I think you've captured what I'm trying to do very well! Thanks for that.

          Yes. We specifically do not want nfsserver (the user running the nfs-gateway) to be able to impersonate root. We need root for one thing, and only one thing: to mount the filesystem. After that, root is irrelevant, and should not have any access to do anything. Regrettably, it does an FSINFO as part of the mount.

          Jing Zhao added a comment -

          Abin, I see your issue now. So from the nfs-gateway point of view, I think it should just simply impersonate any user who has passed its own authentication, thus should not have special case on root. In HDFS, why do you want to disable the proxy setting for root? HDFS does not respect root as a special user.

          Abin Shahab added a comment -

          Ah! I see your point. I think I can allow nfsserver to proxy root, and that'd allow this patch to work properly (I've removed the root check condition).

          BTW, this still allows any user in the proxied group to authenticate WITHOUT having a kerberos ticket. Do you have any advice on implementing the kerberos authentication on the nfs-gateway? We are kerberizing our clusters, and seems like nfs is allowing them to circumvent kerberos authentication.

          Jing Zhao added a comment -

          this still allows any user in the proxied group to authenticate WITHOUT having a kerberos ticket.

          Yeah, currently nfs-gateway can only do simple AUTH_UNIX authentication, thus we need to finish HDFS-5086 so that nfs-gateway can authenticate clients based on kerberos. I have an in-progress patch from a long time ago; I will see if I can finish it soon. Also feel free to assign that jira to yourself if you want to work on it.

          Abin Shahab added a comment -

          May I take a look at your patch? I was planning to mimic how org.apache.hadoop.ipc.Client does the authentication.
          Also, I don't have access to assign issues to myself. I would definitely like to assign this one to me.

          Jing Zhao added a comment -

          Sure, I will post what I have to HDFS-5086. In general, I was just trying to merge the GSS authentication part from Brock Noland's NFS4 implementation (https://github.com/cloudera/hdfs-nfs-proxy) into the current NFS3-based implementation. You can directly check Brock Noland's implementation also.

          Abin Shahab added a comment -

          BTW, I have a patch that gets rid of even checking whether we are in secure mode, but I'm not sure if it's the right thing to submit that patch. That patch would require the nfs-gateway user (nfsserver in our case) be allowed to proxy root, even in non-secure mode. That's a big change.

          Abin Shahab added a comment -

          Updated documentation and param names

          Abin Shahab added a comment -

          Jing, let me know if you have any feedback on my patch.

          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12625100/HDFS-5804.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 1 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-hdfs-project/hadoop-hdfs-nfs.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/5940//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/5940//console

          This message is automatically generated.

          Daryn Sharp added a comment -

          BTW, I have a patch that gets rid of even checking whether we are in secure mode, but I'm not sure if it's the right thing to submit that patch. That patch would require the nfs-gateway user (nfsserver in our case) be allowed to proxy root, even in non-secure mode. That's a big change.

          I think it's the right thing to do and it's not large. We ideally need to move away from all the isSecurityEnabled checks. They introduce additional code paths that lack coverage and sufficient testing.

          When you create a proxy user, it's not conferring the privileges of the real user (ex. root/nfsserver) to the effective user. The real user is simply used to authenticate the connection on behalf of the effective user. After that all permission checking uses the effective user.

          Even with security off, I'm pretty sure proxy users need to be configured for components like oozie to work.
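
The two-step check described in the comments above (the real user must first be authorized to impersonate, after which every permission check uses only the effective user), modelled in Python as an added example that is not part of the original thread and is not Hadoop's code. All class and function names, the host address, the groups and the `/gateway-private` directory are constructed assumptions; `hadoop.proxyuser.<user>.groups` and `.hosts` are the core-site.xml settings the `ProxyAcl` stands in for.

```python
"""Simplified model of Hadoop proxy-user (impersonation) checks.
Added illustration with hypothetical names; not Hadoop source code."""
from dataclasses import dataclass
from typing import Optional


class AuthorizationError(Exception):
    """Raised when the real user may not act for the effective user."""


@dataclass(frozen=True)
class Ugi:
    user: str                        # effective user (the NFS client's user)
    real_user: Optional[str] = None  # authenticated user (the gateway), if proxied


@dataclass
class ProxyAcl:
    groups: set  # models hadoop.proxyuser.<real>.groups
    hosts: set   # models hadoop.proxyuser.<real>.hosts


@dataclass
class Inode:
    owner: str
    group: str
    mode: int  # POSIX permission bits


# Constructed sample data.
GATEWAY, GATEWAY_HOST = "nfsserver", "10.0.0.5"
USER_GROUPS = {"root": {"root"}, "alice": {"users"},
               "nfsserver": {"hadoop"}, "mallory": {"contractors"}}
NAMESPACE = {"/": Inode("hdfs", "supergroup", 0o755),
             "/gateway-private": Inode("nfsserver", "hadoop", 0o700)}
NO_PROXY = {}  # no proxy-user settings for the gateway account
WITH_PROXY = {GATEWAY: ProxyAcl(groups={"root", "users"}, hosts={GATEWAY_HOST})}


def authorize(ugi, remote_host, proxy_acls):
    """Step 1: may the authenticated real user act for the effective user?"""
    if ugi.real_user is None:
        return  # direct connection, nothing to authorize
    acl = proxy_acls.get(ugi.real_user)
    allowed = acl is not None and (
        "*" in acl.groups or acl.groups & USER_GROUPS.get(ugi.user, set()))
    if not allowed:
        raise AuthorizationError(
            f"User: {ugi.real_user} is not allowed to impersonate {ugi.user}")
    if "*" not in acl.hosts and remote_host not in acl.hosts:
        raise AuthorizationError(
            "Unauthorized connection for super-user: "
            f"{ugi.real_user} from IP {remote_host}")


def can_read(ugi, inode):
    """Step 2: owner/group/other check against the effective user only."""
    if ugi.user == inode.owner:
        return bool(inode.mode & 0o400)
    if inode.group in USER_GROUPS.get(ugi.user, set()):
        return bool(inode.mode & 0o040)
    return bool(inode.mode & 0o004)


def stat(ugi, remote_host, path, proxy_acls):
    """Models the attribute lookup on '/' issued during the mount."""
    authorize(ugi, remote_host, proxy_acls)
    return NAMESPACE[path]


def list_dir(ugi, remote_host, path, proxy_acls):
    """Listing needs read permission for the effective user."""
    authorize(ugi, remote_host, proxy_acls)
    if not can_read(ugi, NAMESPACE[path]):
        raise PermissionError(f"Permission denied: user={ugi.user}, path={path}")
    return NAMESPACE[path]


def attempt(op, *args):
    """Run an operation and return 'OK' or the error text."""
    try:
        op(*args)
        return "OK"
    except (AuthorizationError, PermissionError) as exc:
        return f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    root = Ugi("root", GATEWAY)
    print(attempt(stat, root, GATEWAY_HOST, "/", NO_PROXY))
    print(attempt(stat, root, GATEWAY_HOST, "/", WITH_PROXY))
    print(attempt(list_dir, Ugi("alice", GATEWAY), GATEWAY_HOST,
                  "/gateway-private", WITH_PROXY))
    print(attempt(list_dir, Ugi(GATEWAY), GATEWAY_HOST,
                  "/gateway-private", WITH_PROXY))
```

The groups and hosts lists are the only bound on which user names the gateway can present on behalf of AUTH_UNIX clients, so they are worth keeping as narrow as the deployment allows.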

          Abin Shahab added a comment -

          This removes the isSecurityEnabled check.

          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12625470/HDFS-5804.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 1 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests in hadoop-hdfs-project/hadoop-hdfs-nfs:

          org.apache.hadoop.hdfs.nfs.nfs3.TestWrites
          org.apache.hadoop.hdfs.nfs.TestReaddir

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/5956//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/5956//console

          This message is automatically generated.

          Abin Shahab added a comment -

          Test fix

          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12625518/HDFS-5804.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-hdfs-project/hadoop-hdfs-nfs.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/5959//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/5959//console

          This message is automatically generated.

          Daryn Sharp added a comment -

          Are the other isSecurityEnabled checks still required?

          Abin Shahab added a comment -

          Removed all the security checks.

          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12625663/HDFS-5804.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          -1 javadoc. The javadoc tool appears to have generated -14 warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          -1 release audit. The applied patch generated 1 release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-hdfs-project/hadoop-hdfs-nfs.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/5963//testReport/
          Release audit warnings: https://builds.apache.org/job/PreCommit-HDFS-Build/5963//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt
          Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/5963//console

          This message is automatically generated.

          Daryn Sharp added a comment -

          Looks good! Just fix the javadoc and audit warnings.

          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12625685/HDFS-5804.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-hdfs-project/hadoop-hdfs-nfs.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/5966//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/5966//console

          This message is automatically generated.

          Abin Shahab added a comment -

          Hi Daryn,
          Would you be able to merge the patch?

          Jing Zhao added a comment -

          +1 for the latest patch. I will commit it shortly.

          Hudson added a comment -

          SUCCESS: Integrated in Hadoop-trunk-Commit #5087 (See https://builds.apache.org/job/Hadoop-trunk-Commit/5087/)
          HDFS-5804. HDFS NFS Gateway fails to mount and proxy when using Kerberos. Contributed by Abin Shahab. (jing9: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1563323)

          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/DFSClientCache.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/TestReaddir.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestDFSClientCache.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestWrites.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          Jing Zhao added a comment -

          I've committed this to trunk and branch-2. Thanks for the contribution, Abin!

          Hudson added a comment -

          FAILURE: Integrated in Hadoop-Yarn-trunk #468 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/468/)
          HDFS-5804. HDFS NFS Gateway fails to mount and proxy when using Kerberos. Contributed by Abin Shahab. (jing9: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1563323)

          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/DFSClientCache.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/TestReaddir.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestDFSClientCache.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestWrites.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          Hudson added a comment -

          FAILURE: Integrated in Hadoop-Mapreduce-trunk #1685 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1685/)
          HDFS-5804. HDFS NFS Gateway fails to mount and proxy when using Kerberos. Contributed by Abin Shahab. (jing9: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1563323)

          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/DFSClientCache.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/TestReaddir.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestDFSClientCache.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestWrites.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          Hudson added a comment -

          SUCCESS: Integrated in Hadoop-Hdfs-trunk #1660 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1660/)
          HDFS-5804. HDFS NFS Gateway fails to mount and proxy when using Kerberos. Contributed by Abin Shahab. (jing9: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1563323)

          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/DFSClientCache.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/TestReaddir.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestDFSClientCache.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestWrites.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          Aaron T. Myers added a comment -

          Hey folks, sorry I'm coming into this late. Two quick questions:

          1. Unless I'm missing something, shouldn't the NFS gateway be logging in via a keytab so that it actually has Kerberos credentials to authenticate to the secure cluster? Or, more generally, how is the NFS gateway supposed to get credentials to authenticate to the secure cluster?
          2. After this patch, it seems that we now must configure the NFS gateway user as a proxy user on the cluster regardless of whether or not we're using Kerberos. If that's correct, I think we should have updated the HdfsNfsGateway.apt.vm Configuration section of the docs to explicitly say this.
          Abin Shahab added a comment -

          Hi Aaron,
          Thanks for the feedback.
          On #2, I completely agree. We should update the HdfsNfsGateway.apt.vm. I will post a patch soon.
          On #1, The NFS gateway logs in as a manual hdfs client. By manual, I mean, it acts right now as a human user. The human user has to first get the tgt for the appropriate account, and then issue the hdfs commands. The current NFS gateway does the same.
          If I understand you correctly, the NFS gateway should be able to get its own tgts, and renew them (just like the namenode and other hadoop nodes can). We plan to add that functionality soon.

          Abin Shahab added a comment -

          Updated documentation with proxy documentation.

          Aaron T. Myers added a comment -

          > On #1, The NFS gateway logs in as a manual hdfs client. By manual, I mean, it acts right now as a human user. The human user has to first get the tgt for the appropriate account, and then issue the hdfs commands. The current NFS gateway does the same.
          >
          > If I understand you correctly, the NFS gateway should be able to get its own tgts, and renew them (just like the namenode and other hadoop nodes can). We plan to add that functionality soon.

          Yes, you understand my point correctly. Without this functionality this patch is not very robust. In a production environment the NFS gateway will typically be started at boot by init scripts, so there is no opportunity to run `kinit' beforehand. Also, if using a local FS ticket cache based login, the ticket will need to be periodically renewed every few hours, so the user would have to write a script or something to periodically run `kinit'. This approach also has issues because ticket renewal via a local FS ticket cache is not atomic, so a busy NFS gateway will have problems during renewal.

          > On #2, I completely agree. We should update the HdfsNfsGateway.apt.vm. I will post a patch soon.

          Thanks. I also strongly suspect that in most deployments the NFS gateway will be running as the same user as the NN, which will therefore make it the HDFS superuser. I think we should also seriously consider making the HDFS superuser capable of proxying all users by default, which would mean that most deployments would not need to manually configure the NFS gateway user as a proxyuser.

          I recommend we file a new JIRA to address both of the above issues ASAP. I'd be happy to review it.

          Jing Zhao added a comment -

          > I recommend we file a new JIRA to address both of the above issues ASAP.

          Thanks for the comments Aaron T. Myers. I just created HDFS-5898 for this. Abin Shahab, feel free to assign that jira to yourself.

          Brandon Li added a comment -

          Let's also mark this JIRA as incompatible change.

          Aaron T. Myers added a comment -

          Good point Brandon. Thanks.

          Jeff Hansen added a comment -

          As you point out, this is an incompatible change and breaks the default unsecure behavior.

          The documentation was updated with details on what was necessary to run this on a secure cluster (I can't testify to how well the instructions would work in that case), however the instructions do not work when trying to set up a basic gateway with no security.

          I wasn't the first to have trouble with this – http://stackoverflow.com/questions/24134012/hdfs-nfs-gateway-configuration-getting-exception-for-nfs3/24875747#24875747

          Brandon Li added a comment - - edited

          Hi Jeff Hansen, thanks for pointing out the inconsistent description in the user guide. I've created HDFS-6732 to track the doc fix. Jeff Hansen, please review the new doc to see if it's still misleading. Thanks!

          Hudson added a comment -

          FAILURE: Integrated in Hadoop-trunk-Commit #5979 (See https://builds.apache.org/job/Hadoop-trunk-Commit/5979/)
          HDFS-6717. JIRA HDFS-5804 breaks default nfs-gateway behavior for unsecured config. Contributed by Brandon Li (brandonli: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1614125)

          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
          Hudson added a comment -

          FAILURE: Integrated in Hadoop-Yarn-trunk #627 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/627/)
          HDFS-6717. JIRA HDFS-5804 breaks default nfs-gateway behavior for unsecured config. Contributed by Brandon Li (brandonli: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1614125)

          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
          Hudson added a comment -

          FAILURE: Integrated in Hadoop-Hdfs-trunk #1819 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1819/)
          HDFS-6717. JIRA HDFS-5804 breaks default nfs-gateway behavior for unsecured config. Contributed by Brandon Li (brandonli: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1614125)

          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
          Hudson added a comment -

          SUCCESS: Integrated in Hadoop-Mapreduce-trunk #1846 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1846/)
          HDFS-6717. JIRA HDFS-5804 breaks default nfs-gateway behavior for unsecured config. Contributed by Brandon Li (brandonli: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1614125)

          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm
          Jeff Hansen added a comment -

          I would probably recommend adding a comment to line 77 of http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm?view=markup&pathrev=1614125

          Specifically:

          > The above are the only required configuration for the NFS gateway in non-secure mode. However, note that in most cases of non-secure installations, you will need to include "root" in the list of users provided under `hadoop.proxyuser.nfsserver.groups` as root will generally be the user that initially executes the mount.

          Thanks Brandon! By the way, I'd like to concede that I may have commented (in my stack overflow response) about the lack of certain details in the documentation that were always there – as I recall, I was VERY tired and distracted the first time I went through the instructions and had trouble concentrating =) When I re-read it, I thought, that's funny, many of those things that I complained about not being there were in fact there...
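
The proxy-user requirement discussed in this thread can be checked against a configuration before anyone tries to mount. The following is an added example, not part of any comment or of the Hadoop code base: a simplified Python model of the groups/hosts proxy-user check over `core-site.xml` content, using the `hadoop.proxyuser.nfsserver.groups` key quoted above and its companion `hadoop.proxyuser.nfsserver.hosts`. The sample files, the host `nfs-gw.example.com` and the group `staff` are constructed, and host matching is plain string comparison.

```python
import xml.etree.ElementTree as ET


def site_xml(settings):
    """Build a constructed core-site.xml string from a {name: value} dict."""
    body = "".join(
        "<property><name>%s</name><value>%s</value></property>" % kv
        for kv in settings.items()
    )
    return "<configuration>%s</configuration>" % body


def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def _csv(value):
    """Split a comma-separated Hadoop value into a set of trimmed items."""
    return {item.strip() for item in value.split(",") if item.strip()}


def proxy_rules(props, proxy_user):
    """Return (groups, hosts) sets for proxy_user; None where a key is absent."""
    prefix = "hadoop.proxyuser.%s." % proxy_user
    groups = props.get(prefix + "groups")
    hosts = props.get(prefix + "hosts")
    return (None if groups is None else _csv(groups),
            None if hosts is None else _csv(hosts))


def may_impersonate(props, proxy_user, target_groups, client_host):
    """Simplified model: both lists must be set; '*' matches anything."""
    groups, hosts = proxy_rules(props, proxy_user)
    if not groups or not hosts:
        return False, "%s is not configured as a proxy user" % proxy_user
    if "*" not in hosts and client_host not in hosts:
        return False, "host %s is not in the hosts list" % client_host
    if "*" not in groups and not (set(target_groups) & groups):
        return False, "none of the target user's groups is in the groups list"
    return True, "allowed"


def audit(props, proxy_user):
    """List settings that are missing or broader than an explicit list."""
    findings = []
    for key, values in zip(("groups", "hosts"), proxy_rules(props, proxy_user)):
        name = "hadoop.proxyuser.%s.%s" % (proxy_user, key)
        if not values:
            findings.append("%s is not set" % name)
        elif "*" in values:
            findings.append("%s is a wildcard" % name)
    return findings


# Constructed sample configurations (assumptions, not taken from the issue).
GW_HOST = "nfs-gw.example.com"
MISSING = site_xml({"hadoop.security.authentication": "simple"})
NO_ROOT = site_xml({"hadoop.proxyuser.nfsserver.groups": "staff",
                    "hadoop.proxyuser.nfsserver.hosts": GW_HOST})
WITH_ROOT = site_xml({"hadoop.proxyuser.nfsserver.groups": "root, staff",
                      "hadoop.proxyuser.nfsserver.hosts": GW_HOST})
WILDCARD = site_xml({"hadoop.proxyuser.nfsserver.groups": "*",
                     "hadoop.proxyuser.nfsserver.hosts": "*"})

if __name__ == "__main__":
    for label, xml_text in (("missing", MISSING), ("no root", NO_ROOT),
                            ("with root", WITH_ROOT), ("wildcard", WILDCARD)):
        props = load_properties(xml_text)
        print(label, may_impersonate(props, "nfsserver", ["root"], GW_HOST),
              audit(props, "nfsserver"))
```
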

          Brandon Li added a comment -

          > ... the first time I went through the instructions and had trouble concentrating =)

          Sorry to hear that. In a few places, we tried to explain the reasons for the configuration/setup by adding extra notes and so on. However, clearly we didn't do a good job there.

          Root privilege is usually required by Linux (MacOS doesn't require it, though) to mount the export, regardless of whether the NFS gateway is in secure mode or non-secure mode. I modified the doc by adding the description based on what you suggested above. Please take a look at the patch in HDFS-6717 named 'HDFS-6717.morechange.patch' and let me know if it looks OK to you.


            People

            • Assignee:
              Abin Shahab
              Reporter:
              Abin Shahab
            • Votes:
              0
              Watchers:
              11
