hadoop-hdfs-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-3460) HttpFS proxyuser validation with Kerberos ON uses full principal name
Date Wed, 23 May 2012 23:41:41 GMT

     [ https://issues.apache.org/jira/browse/HDFS-3460?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HDFS-3460:
-------------------------------------

    Attachment: HDFS-3460.patch

A Kerberos principal is the full name, not the short name. The Java Principal does not have
an accessor to get the short principal. The patch tries to cast the Java Principal to AuthenticationToken
and, if successful, it extracts the username, which is the short principal.

I've tested this in a deployed setup with Kerberos and it works fine.
                
> HttpFS proxyuser validation with Kerberos ON uses full principal name
> ---------------------------------------------------------------------
>
>                 Key: HDFS-3460
>                 URL: https://issues.apache.org/jira/browse/HDFS-3460
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.0.0-alpha
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>            Priority: Critical
>             Fix For: 2.0.1-alpha
>
>         Attachments: HDFS-3460.patch
>
>
> The HttpFSServer.getEffectiveUser() method uses the principal name for proxy user verification.
> If Kerberos is ON and the proxy user is a service principal (NAME/HOST), then the verification
> fails; instead, the short name (just NAME) should be used.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
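
The mismatch described in this message, as an added Java example that is not the HDFS-3460 patch or Hadoop code: a proxyuser check run first with the full principal name and then with the short name. `TokenPrincipal` is a hypothetical stand-in for the token type mentioned above, and the proxyuser table, host, realm and user names are constructed, with the table assumed to be keyed by short name.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

public class ProxyUserShortNameDemo {

    // Hypothetical stand-in for a token that carries both names of the caller.
    record TokenPrincipal(String shortName, String fullName) implements Principal {
        @Override public String getName() { return fullName; }
    }

    // Constructed proxyuser table: short name -> users it may impersonate (assumption).
    static final Map<String, Set<String>> PROXY_USERS = Map.of("oozie", Set.of("alice", "bob"));

    // Before: the lookup key is the full principal, e.g. NAME/HOST@REALM.
    static String effectiveUserBefore(Principal caller, String doAs) {
        return resolve(caller.getName(), doAs);
    }

    // After: use the short name when the principal exposes one, else fall back.
    static String effectiveUserAfter(Principal caller, String doAs) {
        String name = (caller instanceof TokenPrincipal t) ? t.shortName() : caller.getName();
        return resolve(name, doAs);
    }

    // Deny by default: an unknown proxy user or an unlisted target is rejected.
    static String resolve(String proxyUser, String doAs) {
        if (doAs == null || doAs.equals(proxyUser)) return proxyUser;
        Set<String> allowed = PROXY_USERS.get(proxyUser);
        if (allowed == null || !allowed.contains(doAs)) {
            throw new SecurityException(proxyUser + " may not impersonate " + doAs);
        }
        return doAs;
    }

    public static void main(String[] args) {
        Principal svc = new TokenPrincipal("oozie", "oozie/host1.example.com@EXAMPLE.COM");
        try {
            effectiveUserBefore(svc, "alice");   // full name is not a key in the table
        } catch (SecurityException e) {
            System.out.println("before: " + e.getMessage());
        }
        System.out.println("after:  " + effectiveUserAfter(svc, "alice"));
        try {
            effectiveUserAfter(svc, "mallory");  // still rejected: not in the allowed set
        } catch (SecurityException e) {
            System.out.println("after:  " + e.getMessage());
        }
    }
}
```

The failure here is closed (a legitimate service principal is refused), so the symptom in logs is a denied impersonation that names the full principal rather than an unauthorized grant.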

        
