hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aaron T. Myers (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-3727) When using SPNEGO, NN should not try to log in using KSSL principal
Date Thu, 26 Jul 2012 01:14:34 GMT

     [ https://issues.apache.org/jira/browse/HDFS-3727?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Aaron T. Myers updated HDFS-3727:
---------------------------------

    Attachment: HDFS-3727.patch

Here's a patch which addresses the issue. Instead of logging in as the KSSL principal, we
now always log in as the hdfs/ principal. This change also allows us to trim down the set
of principals who may legitimately hit the GetImageServlet to only the NN and 2NN hdfs/ principals,
instead of those and the NN and 2NN host/ principals.

I missed this in my testing since I always had both the KSSL and SPNEGO principals configured
in my conf, even though I was switching back and forth between using SPNEGO and KSSL. I tested
this patch by ensuring that the KSSL principals were commented out when testing checkpointing
with SPNEGO, and likewise that the SPNEGO principals were commented out when testing checkpointing
with KSSL.
                
> When using SPNEGO, NN should not try to log in using KSSL principal
> -------------------------------------------------------------------
>
>                 Key: HDFS-3727
>                 URL: https://issues.apache.org/jira/browse/HDFS-3727
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: name-node
>    Affects Versions: 1.2.0
>            Reporter: Aaron T. Myers
>            Assignee: Aaron T. Myers
>         Attachments: HDFS-3727.patch
>
>
> When performing a checkpoint with security enabled, the NN will attempt to relogin from
its keytab before making an HTTP request back to the 2NN to fetch the newly-merged image.
However, it always attempts to log in using the KSSL principal, even if SPNEGO is configured
to be used.
> This issue was discovered by Stephen Chu.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message