hadoop-common-user mailing list archives

From Rainer Toebbicke <...@pclella.cern.ch>
Subject How to add a new node to a secure cluster without namenode/jobtracker restart?
Date Tue, 17 Dec 2013 11:44:06 GMT
Hello,

How do you add a new datanode to a secure cluster, without restarting the namenode?

In order to prevent identity theft of mapred or hdfs, a secure cluster needs to carefully
maintain auth_to_local in core-site.xml as far as I understand, typically with lines such as

RULE:[2:$1/$2@$0](.*/node@example.com@EXAMPLE.COM)s/^([a-zA-Z]*).*/$1/

where "node" is a member of the cluster. 


Now, if a new node appears, you change core-site.xml, but I didn't find anything that makes
the namenode refresh what seems like an internal table.
At least "hdfs dfsadmin -refreshXXX" doesn't
(XXX = {Nodes,ServiceAcl,UserToGroupsMappings,SuperUserGroupsConfiguration}):
the namenode continues to claim "Authorization failed" as it does not map
"hdfs/node.example.com@EXAMPLE.COM" to hdfs. Until you restart it.

Same holds for the jobtracker.

Have I missed something?

(This is Hadoop 2.0.0, cdh4.3.0)
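
An added illustration, not part of the original message and not Hadoop's own code: a simplified Python model of how a single auth_to_local RULE line of the form [n:format](regex)s/from/to/ maps a service principal to a short name, and why a host that the rule does not list gets no mapping. The rule is a constructed variant of the one quoted above with the host written as node\.example\.com, and node2.example.com is a hypothetical new node; the model says nothing about when a running namenode reloads its rules.

```python
import re

# RULE:[n:format](match)s/from/to/ with an optional trailing "g".
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

# Constructed sample rule (assumption): admits only node.example.com.
RULES = [
    r"RULE:[2:$1/$2@$0](.*/node\.example\.com@EXAMPLE\.COM)s/^([a-zA-Z]*).*/$1/",
]

def split_principal(principal):
    """Return [realm, comp1, comp2, ...] so that list index n is $n."""
    name, _, realm = principal.partition("@")
    return [realm] + name.split("/")

def apply_rule(rule, principal):
    """Return the short name, or None when the rule does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    count, fmt, match, sed_from, sed_to, glob = m.groups()
    parts = split_principal(principal)
    if len(parts) - 1 != int(count):      # wrong number of name components
        return None
    # Build the string the rule's regex is tested against.
    base = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
    if match is not None and not re.fullmatch(match, base):
        return None                       # host not listed: rule is skipped
    if sed_from is None:
        return base
    repl = re.sub(r"\$(\d)", r"\\\1", sed_to)   # Java-style $1 -> Python \1
    return re.sub(sed_from, repl, base, count=0 if glob else 1)

def map_principal(rules, principal):
    """First applicable rule wins; None means the principal has no mapping."""
    for rule in rules:
        short = apply_rule(rule, principal)
        if short is not None:
            return short
    return None

if __name__ == "__main__":
    for p in ("hdfs/node.example.com@EXAMPLE.COM",
              "mapred/node.example.com@EXAMPLE.COM",
              "hdfs/node2.example.com@EXAMPLE.COM"):
        print(p, "->", map_principal(RULES, p))
```

Running the same list of principals against the edited rule set before deploying core-site.xml shows which hosts would be admitted as hdfs or mapred and which would be left unmapped.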