hadoop-common-dev mailing list archives

From Daniel Templeton <dan...@cloudera.com>
Subject Hostname Replacement in Principals
Date Fri, 15 Jan 2016 17:35:54 GMT
I've noticed that if I add an auth_to_local rule that forces all 2-part 
principals that don't originate from one of my hosts to nobody, things 
break.  Specifically, many non-MR YARN apps break. The reason MR doesn't 
break is that MR knows to replace the _HOST string in the RM_PRINCIPAL 
property's value with the local host name.  Many YARN app authors don't 
realize they need to do that, probably because the canonical distributed 
shell app also fails to do it and hence fails in my cluster.  Instead of 
trying to fix the rest of the world, including a ton of 3rd-party apps, I 
think it makes more sense to build that translation into the 
FileSystem.addDelegationTokens() method.  I would like to make the 
following change in FileSystem.addDelegationTokens():

    @InterfaceAudience.LimitedPrivate({ "HDFS", "MapReduce" })
    public Token<?>[] addDelegationTokens(
        final String renewer, Credentials credentials) throws IOException {
      if (credentials == null) {
        credentials = new Credentials();
      final List<Token<?>> tokens = new ArrayList<Token<?>>();
-     collectDelegationTokens(renewer, credentials, tokens);
+ collectDelegationTokens(SecurityUtil.getServerPrincipal(renewer, 
InetAddress.getLocalhost().getHostname()), credentials, tokens);
      return tokens.toArray(new Token<?>[tokens.size()]);
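
Review bot: on the added `collectDelegationTokens(...)` line, `InetAddress.getLocalhost().getHostname()` does not match the `java.net.InetAddress` method names, which are `getLocalHost()` and `getHostName()`, so the line will not compile as written. The host name substituted here is whatever the caller's resolver returns for the local machine, so the method's javadoc should state that a `_HOST` renewer is now expanded with the caller's host name, and it is worth confirming that a null `renewer` still passes through unchanged. The context lines also show `if (credentials == null) {` without its closing brace.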

more or less.  Obviously there's an exception and other details that 
need to be handled, but that's the main idea.  Any comments on the change?

I thought I saw a JIRA that proposed doing something similar, but I 
can't find it now.  If nobody cries foul or points me to prior art, I'll 
file a new JIRA and post a patch.
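
The effect described in the message, as an added example that is not part of the original post and is not Hadoop code: a simplified Java model of `_HOST` expansion followed by a mapping rule that sends 2-part principals from unknown hosts to nobody. The class, method names, host names and realm are constructed for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration: a simplified model, not Hadoop's SecurityUtil or auth_to_local code.
public class HostPrincipalDemo {
    static final String HOST_TOKEN = "_HOST";

    // Expand primary/_HOST@REALM with the lower-cased host name.
    // Principals of any other shape are returned unchanged.
    static String resolvePrincipal(String principal, String hostname) {
        if (principal == null) return null;
        String[] parts = principal.split("[/@]");
        if (parts.length != 3 || !parts[1].equals(HOST_TOKEN)) return principal;
        if (hostname == null || hostname.isEmpty())
            throw new IllegalArgumentException("no host name to substitute");
        return parts[0] + "/" + hostname.toLowerCase(Locale.ROOT) + "@" + parts[2];
    }

    // Stand-in for the rule in the message: a 2-part principal
    // (primary/host@REALM) whose host is not a cluster host maps to "nobody".
    static String toLocalUser(String principal, Set<String> clusterHosts) {
        String[] parts = principal.split("[/@]");
        if (parts.length == 3 && !clusterHosts.contains(parts[1])) return "nobody";
        return parts[0];
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the message.
        Set<String> hosts = Set.of("rm1.example.com", "nn1.example.com");
        String configured = "yarn/_HOST@EXAMPLE.COM";
        for (String renewer : List.of(
                configured,                                         // never expanded
                resolvePrincipal(configured, "RM1.example.com"),    // cluster host
                resolvePrincipal(configured, "laptop.example.net"))) { // outside host
            System.out.println(renewer + " -> " + toLocalUser(renewer, hosts));
        }
    }
}
```

Only the renewer expanded with a cluster host name maps to a real user here; the unexpanded `_HOST` form and the expansion with an outside host both map to nobody.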

