hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ahad Rana (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-4043) Namenode Kerberos Login does not use proper hostname for host qualified hdfs principal name.
Date Fri, 19 Oct 2012 06:56:03 GMT

    [ https://issues.apache.org/jira/browse/HDFS-4043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13479668#comment-13479668

Ahad Rana commented on HDFS-4043:

Hi Brahma,

Please disregard my last suggestion. Setting dfs.namenode.kerberos.principal or dfs.namenode.kerberos.internal.spnego.principal
to and explicit principal name (instead of a pattern name with _HOST in it) triggers other
bugs (see HDFS-4081). The bottom line is that it is probably best to set the hostname of the
namenode to match exactly the name returned via a reverse-dns query (getCanonicalName). You
are right however, that your problems are a manifestation of the same general bug (inconsistent
resolution of canonical principal name via different code paths). Most definitely, incoming
IP based connections need to use getCanonicalName to get back a host name that can be used
to form the proper principal name. Otherwise you will need to probably go with IP based principal
names ? 

As mentioned above, I have reverted to setting the internal hostname for the namenodes/secondary
namenodes to exactly match the fully qualified hostname returned via reverse-dns. And so far,
things seems to be working properly now.   
> Namenode Kerberos Login does not use proper hostname for host qualified hdfs principal
> --------------------------------------------------------------------------------------------
>                 Key: HDFS-4043
>                 URL: https://issues.apache.org/jira/browse/HDFS-4043
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.0.0-alpha, 2.0.1-alpha, 2.0.2-alpha, 2.0.3-alpha
>         Environment: CDH4U1 on Ubuntu 12.04
>            Reporter: Ahad Rana
>   Original Estimate: 24h
>  Remaining Estimate: 24h
> The Namenode uses the loginAsNameNodeUser method in NameNode.java to login using the
hdfs principal. This method in turn invokes SecurityUtil.login with a hostname (last parameter)
obtained via a call to InetAddress.getHostName. This call does not always return the fully
qualified host name, and thus causes the namenode to login to fail due to kerberos's inability
to find a matching hdfs principal in the hdfs.keytab file. Instead it should use InetAddress.getCanonicalHostName.
This is consistent with what is used internally by SecurityUtil.java to login in other services,
such as the DataNode. 

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message