hadoop-common-dev mailing list archives

From Arpit Gupta <ar...@hortonworks.com>
Subject Re: regarding _HOST token replacement in security hadoop
Date Fri, 27 Jul 2012 02:02:30 GMT
You need to use HTTP/_HOST@site.com, as that is the principal needed by SPNEGO. So you would need to create the HTTP/_HOST principal and add it to the same keytab (/home/hdfs/keytab/nn.service.keytab).

--
Arpit Gupta
Hortonworks Inc.
http://hortonworks.com/

On Jul 26, 2012, at 6:54 PM, Wangwenli <wangwenli@huawei.com> wrote:

> Thanks for your response.
> I am using hadoop-2.0.0-alpha from the Apache site. In which version should it be configured with HTTP/_HOST@site.com? I think not in hadoop-2.0.0-alpha, because I logged in successfully with another principal; please refer to the log below:
> 
> 2012-07-23 22:48:17,303 INFO org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler: Login using keytab /home/hdfs/keytab/nn.service.keytab, for principal nn/167-52-0-56.site@site
> 2012-07-23 22:48:17,310 INFO org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler: Initialized, principal [nn/167-52-0-56.site@site] from keytab [/home/hdfs/keytab/nn.service.keytab]
> 
> 
> -----Original Message-----
> From: Arpit Gupta [mailto:arpit@hortonworks.com]
> Sent: July 27, 2012 9:22
> To: common-dev@hadoop.apache.org
> Subject: Re: regarding _HOST token replacement in security hadoop
> 
> What version of Hadoop are you using?
>
> Also,
>
> dfs.web.authentication.kerberos.principal should be set to HTTP/_HOST@site.com
> 
> --
> Arpit Gupta
> Hortonworks Inc.
> http://hortonworks.com/
> 
> On Jul 26, 2012, at 6:11 PM, Wangwenli <wangwenli@huawei.com> wrote:
> 
>> Hi all,
>> 
>> I configured hdfs-site.xml as below:
>> 
>> <property>
>> <name>dfs.namenode.kerberos.principal</name>
>> <value>nn/_HOST@site</value>
>> </property>
>> 
>> 
>> <property>
>>   <name>dfs.web.authentication.kerberos.principal</name>
>>   <value>nn/_HOST@site</value>
>> </property>
>> 
>> 
>> When starting up the namenode, I found that the namenode will use the principal nn/167-52-0-56@site to log in, but the HTTP server will use nn/167-52-0-56.site@site to log in, so it failed to start.
>> 
>> I checked the code,
>> 
>> Namenode will use socAddr.getHostName() to get hostname in org.apache.hadoop.hdfs.server.namenode.NameNode.loginAsNameNodeUser.
>> 
>> 
>> But the HTTP server's default hostname is 0.0.0.0, so in org.apache.hadoop.security.SecurityUtil.replacePattern it will get the hostname by invoking getLocalHostName, where it uses getCanonicalHostName().
>> 
>> I think this inconsistency is wrong. Can someone confirm this? Do I need to raise a bug?
>> 
>> Thanks
>> 
> 
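
An added example, not part of the original messages and not Hadoop code: a small lint for the two problems raised in this thread, a web authentication principal that is not an HTTP/ principal and a `_HOST` token that expands to different principals depending on which hostname is used. The function names `expand` and `lint` are hypothetical, the `_HOST` substitution is a simplified model, and the hostnames and keytab entry are constructed from the thread's log lines.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two hdfs-site.xml properties quoted in the thread.
HDFS_SITE = """<configuration>
  <property>
    <name>dfs.namenode.kerberos.principal</name>
    <value>nn/_HOST@site</value>
  </property>
  <property>
    <name>dfs.web.authentication.kerberos.principal</name>
    <value>nn/_HOST@site</value>
  </property>
</configuration>"""
WEB_KEY = "dfs.web.authentication.kerberos.principal"


def expand(principal, host):
    """Substitute _HOST in a primary/instance@REALM principal (simplified model)."""
    primary, rest = principal.split("/", 1)
    instance, realm = rest.rsplit("@", 1)
    return f"{primary}/{host if instance == '_HOST' else instance}@{realm}"


def lint(xml_text, hostnames, keytab_principals):
    """Return findings for every *.kerberos.principal property in xml_text.

    hostnames: names this host may resolve to (short name, canonical name).
    keytab_principals: principals present in the service keytab.
    """
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if not name or not value or not name.endswith(".kerberos.principal"):
            continue
        if name == WEB_KEY and not value.startswith("HTTP/"):
            findings.append(f"{name}: SPNEGO needs an HTTP/ principal, got {value}")
        expanded = {expand(value, h) for h in hostnames}
        if len(expanded) > 1:
            findings.append(f"{name}: _HOST expands inconsistently: {sorted(expanded)}")
        for missing in sorted(expanded - set(keytab_principals)):
            findings.append(f"{name}: {missing} is not in the keytab")
    return findings


if __name__ == "__main__":
    # Hostnames and keytab entry are constructed from the thread's log lines.
    for line in lint(HDFS_SITE, ["167-52-0-56", "167-52-0-56.site"],
                     ["nn/167-52-0-56.site@site"]):
        print(line)
```

In practice the keytab list would come from inspecting the service keytab, and the hostname list from the short and canonical names the host resolves to.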

