hadoop-common-issues mailing list archives

From "Matt Foley (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12665) Document hadoop.security.token.service.use_ip
Date Thu, 07 Jan 2016 21:35:39 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15088151#comment-15088151 ]

Matt Foley commented on HADOOP-12665:
-------------------------------------

In branch-1 it was documented in [core-default.xml|https://svn.apache.org/repos/asf/hadoop/common/branches/branch-1/src/core/core-default.xml]
as:
{code}
<property>
  <name>hadoop.security.token.service.use_ip</name>
  <value>true</value>
  <description>Controls whether tokens always use IP addresses.  DNS changes
  will not be detected if this option is enabled.  Existing client connections
  that break will always reconnect to the IP of the original host.  New clients
  will connect to the host's new IP but fail to locate a token.  Disabling
  this option will allow existing and new clients to detect an IP change and
  continue to locate the new host's token.
  </description>
</property>
{code}

This resulted in a corresponding entry in https://hadoop.apache.org/docs/r1.2.1/core-default.html

Apparently in branch-2 it was removed from core-default.xml, presumably because it is a rarely
used parameter.  However, it still needs to be documented somewhere because it is required
for *multi-homed servers* if Kerberos security is enabled, as seen in certain customer complaints
(that have not been reported as Apache Jiras since they were resolved as misconfigurations
rather than code bugs).  I have documented it thus:

bq. Parameters for Security Token service host resolution

bq. In secure multi-homed environments, the following parameter will need to be set to false
(it is true by default) on both cluster servers and clients (see HADOOP-7733), in core-site.xml.
 If it is not set correctly, the symptom will be inability to submit an application to YARN
from an external client (with error "client host not a member of the Hadoop cluster"), or
even from an in-cluster client if server failover occurs.

I'm including this as part of a white paper I'm writing on the whole topic of multi-homed
support.  I was planning to integrate that into Apache Hadoop docs when it is done in a couple
weeks.  So [~anu], if you like, you can reassign this docs jira to me.

> Document hadoop.security.token.service.use_ip
> ---------------------------------------------
>
>                 Key: HADOOP-12665
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12665
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: documentation
>    Affects Versions: 2.8.0
>            Reporter: Arpit Agarwal
>            Assignee: Anu Engineer
>
> {{hadoop.security.token.service.use_ip}} is not documented in 2.x/trunk.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
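
The check below is an added example, not part of the original message or of Hadoop's own code: it reads core-site.xml content from several hosts and lists those where hadoop.security.token.service.use_ip is still effectively true, including hosts that omit the property and so inherit the default. The host names and sample files are constructed, and the handling of duplicate or malformed values is an assumption noted in the code.

```python
import xml.etree.ElementTree as ET

PROP = "hadoop.security.token.service.use_ip"
DEFAULT = True  # the comment above states the parameter is true by default


def effective_use_ip(core_site_xml: str) -> bool:
    """Effective value of PROP in one core-site.xml document."""
    value = DEFAULT
    for prop in ET.fromstring(core_site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() != PROP:
            continue
        raw = (prop.findtext("value") or "").strip().lower()
        # Assumption: the last definition in the file wins, and a value that
        # is neither "true" nor "false" falls back to the default.
        value = {"true": True, "false": False}.get(raw, DEFAULT)
    return value


def hosts_still_using_ip(configs: dict[str, str]) -> list[str]:
    """Hosts whose config leaves use_ip enabled (explicitly or by default)."""
    return sorted(h for h, xml in configs.items() if effective_use_ip(xml))


# Constructed sample configs; host names are hypothetical.
SAMPLE = {
    "rm1.example.internal": """<configuration>
      <property><name>hadoop.security.token.service.use_ip</name><value>false</value></property>
    </configuration>""",
    "nn1.example.internal": """<configuration>
      <property><name>hadoop.security.token.service.use_ip</name><value> FALSE </value></property>
    </configuration>""",
    "edge-client": """<configuration>
      <property><name>fs.defaultFS</name><value>hdfs://nn1.example.internal:8020</value></property>
    </configuration>""",
    "old-client": """<configuration>
      <property><name>hadoop.security.token.service.use_ip</name><value>true</value></property>
    </configuration>""",
}

if __name__ == "__main__":
    for host in hosts_still_using_ip(SAMPLE):
        print(f"{host}: {PROP} is effectively true; set it to false in core-site.xml")
```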
