hadoop-hdfs-issues mailing list archives

From "Suresh Srinivas (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-3001) dfsadmin -refreshServiceAcl fails Kerb authentication with valid Kerb ticket, other subcommands succeed
Date Thu, 23 Feb 2012 18:14:49 GMT

     [ https://issues.apache.org/jira/browse/HDFS-3001?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Suresh Srinivas updated HDFS-3001:
----------------------------------

    Description: 
With a valid hdfs kerberos ticket, the dfsadmin subcommand '-refreshServiceAcl' still fails
on Kerb authentication. Please see the comment for more details.


  was:
With a valid hdfs kerberos ticket, the dfsadmin subcommand '-refreshServiceAcl' still fails
on Kerb authentication with the following error:

bash-3.2$ /home/share/hadoop/bin/hdfs  --config /home/conf/hadoop/ dfsadmin -refreshServiceAcl
refreshServiceAcl: User hdfs/USER@DOMAIN (auth:KERBEROS) is not authorized for protocol interface org.apache.hadoop.security.authorize.RefreshAuthorizationPolicyProtocol, expected client Kerberos principal is null


However, other dfsadmin commands like '-printTopology', '-refreshNamenodes', '-safemode',
'-report', which should use the same privilege level, do not give authentication errors
and work successfully:

-- kerb ticket --
bash-3.2$ klist -5
Ticket cache: FILE:/tmp/path/kbtickets/hdfs.kerberos.ticket
Default principal: hdfs/USER@DOMAIN

Valid starting     Expires            Service principal
01/18/12 23:59:53  01/19/12 23:59:53  krbtgt/USER@DOMAIN
        renew until 01/25/12 23:59:53

-- -printTopology subcommand --
bash-3.2$ /home/share/hadoop/bin/hdfs  --config /home/conf/hadoop/ dfsadmin -printTopology
Rack: /IPADDR1.0
   IPADDR2.43:1004 (HOST1.com)
   IPADDR3.44:1004 (HOST2.com)
   IPADDRn.60:1004 (HOSTn.com)

Rack: /default-rack
   HOSTr.com

-- -refreshNamenodes subcommand --
bash-3.2$ /home/share/hadoop/bin/hdfs --config /home/conf/hadoop/ dfsadmin  -fs hdfs://NNHOST:8020  -refreshNamenodes DNHOST:8020
bash-3.2$ echo $?
0

-- -safemode subcommand --
bash-3.2$ /home/share/hadoop/bin/hdfs --config /home/conf/hadoop/ dfsadmin  -fs hdfs://NNHOST:8020  -safemode get
Safe mode is OFF




                
> dfsadmin -refreshServiceAcl fails Kerb authentication with valid Kerb ticket, other subcommands succeed
> -------------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-3001
>                 URL: https://issues.apache.org/jira/browse/HDFS-3001
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: hdfs client
>    Affects Versions: 0.23.1
>            Reporter: patrick white
>
> With a valid hdfs kerberos ticket, the dfsadmin subcommand '-refreshServiceAcl' still fails on Kerb authentication. Please see the comment for more details.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
