hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kan Zhang (JIRA)" <j...@apache.org>
Subject [jira] Updated: (HADOOP-6907) Rpc client doesn't use the per-connection conf to figure out server's Kerberos principal
Date Mon, 16 Aug 2010 22:48:19 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-6907?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Kan Zhang updated HADOOP-6907:

    Attachment: c6907-12.patch

This patch does the following.

1. It refactored a bunch of connection-related params from being global (stay the same for
new connections) to become per-connection params and their values are obtained from the conf
used when calling RPC.getProxy(). This allows new connections to be set up based on the conf
used for that connection, which is more intuitive.

2. In particular, the server's Kerberos principal is now obtained from the per connection

3. The conf cached globally in Client is not removed since it provides a cache for Classes
that ObjectWritable.NullInstance relies on to figure out the declaredClass. It seems to provide
a useful function and the cache can be shared among connections. No per-connection params
are obtained from this global conf.

> Rpc client doesn't use the per-connection conf to figure out server's Kerberos principal
> ----------------------------------------------------------------------------------------
>                 Key: HADOOP-6907
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6907
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: ipc, security
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: c6907-12.patch
> Currently, RPC client caches the conf that was passed in to its constructor and uses
that same conf (or values obtained from it) for every connection it sets up. This is not sufficient
for security since each connection needs to figure out server's Kerberos principal on a per-connection
basis. It's not reasonable to expect the first conf used by a user to contain all the Kerberos
principals that her future connections will ever need. Or worse, if her first conf contains
an incorrect principal name, it will prevent the user from connecting to the server even if
she later on passes in a correct conf on retry (by calling RPC.getProxy()).

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message