hadoop-common-issues mailing list archives

From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12096) Rest API failing when ip configured in RM address in secure https mode
Date Wed, 17 Jun 2015 17:28:01 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14590136#comment-14590136 ]

Steve Loughran commented on HADOOP-12096:
-----------------------------------------

Allen, why not? Especially given that on Windows, if you do a reverse lookup of 127.0.0.1,
you don't get "localhost" back. For some testing (YARN registry talking to secure ZK) I explicitly
had to register user/127.0.0.1@EXAMPLE.COM to get things to work.

Regarding the patch, I now think Kerberos is probably the bit of the codebase we have to tread
most carefully around. Whoever claims to be the experts in Hadoop, Kerberos and HTTP will
need to review it, and then, ideally, it gets some serious testing before the patch goes in.

> Rest API failing when ip configured in RM address in secure https mode
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-12096
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12096
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: net, security
>            Reporter: Bibin A Chundatt
>            Assignee: Bibin A Chundatt
>            Priority: Critical
>         Attachments: 0001-HADOOP-12096.patch, 0001-YARN-3810.patch, 0002-YARN-3810.patch
>
>
> Steps to reproduce
> ===============
> 1. Configure hadoop.http.authentication.kerberos.principal as below
> {code:xml}
>   <property>
>     <name>hadoop.http.authentication.kerberos.principal</name>
>     <value>HTTP/_HOST@HADOOP.COM</value>
>   </property>
> {code}
> 2. In RM web address also configure IP 
> 3. Startup RM 
> Call Rest API for RM  {{ curl -i -k  --insecure --negotiate -u : https IP /ws/v1/cluster/info"}}
> *Actual*
> Rest API  failing
> {code}
> 2015-06-16 19:03:49,845 DEBUG org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:399)
> 	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:348)
> 	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
> 	at org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilter.doFilter(RMAuthenticationFilter.java:82)
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
