Date: Wed, 18 May 2016 14:13:12 +0000 (UTC)
From: "Yuren Wu (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Created] (HADOOP-13173) SecurityUtil.buildtokenService broke token authentication in multi-home network env

Yuren Wu created HADOOP-13173:
---------------------------------

             Summary: SecurityUtil.buildtokenService broke token authentication in multi-home network env
                 Key: HADOOP-13173
                 URL: https://issues.apache.org/jira/browse/HADOOP-13173
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.6.0
         Environment: multi-homed network cluster on SLES 11
            Reporter: Yuren Wu

Hadoop cluster: multihomed network with KMS and Kerberos.

Symptom: the mapreduce mapper will fail with a Kerberos error. (stack trace later)

Let's assume the hadoop cluster has two networks, PRIVATE_NET and PUBLIC_NET. When a mapreduce job is submitted to the cluster from an outside node (a node that only has visibility to PUBLIC_NET), it will acquire KMS tokens based on the PUBLIC_NET IP address. Such a token, stored in the Credentials token list by IP, will not be correctly resolved in the cluster.

Therefore, we are using hadoop.security.token.service.use_ip=false in the client-side core-site.xml file. However, once the job is accepted by yarn, the mapper container still throws a Kerberos error. A detailed trace shows that when DFSClient is calling the decryptEncryptedDataencryptionKey function, it will reach the org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection method. This method will call SecurityUtil.buildtokenService to obtain the service name and use it to look up the token in the Credentials.getToken(service) call. This call returned the service in the IP:PORT format. Therefore, no token can be retrieved from the credentials' token hashmap.

After reading the SecurityUtil class, I think this class does not load configuration from the configuration file at all. It seems to me that this class creates a default configuration object and the useIpForTokenService variable is always set to false.

I do not have enough experience to provide a fix. In my mind, somewhere we need to provide the correct value of useIpForTokenService based on job setup.
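
The lookup failure described in the report, as an added example that is not part of the original message and is not Hadoop's own code: a token stored under a HOST:PORT key on the submitting side is not found when the reading side builds an IP:PORT key. The class name, the simplified `buildTokenService` stand-in, the host name, the IP addresses and the port are all constructed assumptions.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class TokenServiceMismatch {
    // Simplified stand-in (assumption): the service key is "ip:port" or "host:port".
    static String buildTokenService(InetSocketAddress addr, boolean useIp) {
        String host = useIp
                ? addr.getAddress().getHostAddress()
                : addr.getHostName().toLowerCase(Locale.ROOT);
        return host + ":" + addr.getPort();
    }

    // Constructed address: pairs a host name with an IP without any DNS lookup.
    static InetSocketAddress kms(String host, int a, int b, int c, int d) throws Exception {
        byte[] ip = {(byte) a, (byte) b, (byte) c, (byte) d};
        return new InetSocketAddress(InetAddress.getByAddress(host, ip), 16000);
    }

    public static void main(String[] args) throws Exception {
        // The same KMS host as seen from each network (constructed sample values).
        InetSocketAddress fromPublic = kms("kms.example.internal", 192, 0, 2, 10);
        InetSocketAddress fromPrivate = kms("kms.example.internal", 10, 0, 0, 10);

        // Client on PUBLIC_NET with use_ip=false stores the token under host:port.
        Map<String, String> credentials = new HashMap<>();
        credentials.put(buildTokenService(fromPublic, false), "kms-dt (placeholder)");

        // Container on PRIVATE_NET: the lookup key depends on the flag in effect there.
        String byIp = buildTokenService(fromPrivate, true);
        String byHost = buildTokenService(fromPrivate, false);

        System.out.println("stored keys: " + credentials.keySet());
        // IP:PORT key misses the map, so no token is available for authentication.
        System.out.println(byIp + " -> " + credentials.get(byIp));
        // HOST:PORT key matches on both networks, so the token is found.
        System.out.println(byHost + " -> " + credentials.get(byHost));
    }
}
```

When triaging this class of failure, comparing the service keys actually present in the job's credentials with the key the failing component builds shows whether both sides agree on the `use_ip` setting.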