Return-Path: X-Original-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 6DE58D65F for ; Fri, 19 Oct 2012 07:56:02 +0000 (UTC) Received: (qmail 34301 invoked by uid 500); 19 Oct 2012 07:56:02 -0000 Delivered-To: apmail-hadoop-hdfs-issues-archive@hadoop.apache.org Received: (qmail 34117 invoked by uid 500); 19 Oct 2012 07:56:01 -0000 Mailing-List: contact hdfs-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hdfs-issues@hadoop.apache.org Delivered-To: mailing list hdfs-issues@hadoop.apache.org Received: (qmail 34096 invoked by uid 99); 19 Oct 2012 07:56:00 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 19 Oct 2012 07:56:00 +0000 Date: Fri, 19 Oct 2012 07:56:00 +0000 (UTC) From: "Ahad Rana (JIRA)" To: hdfs-issues@hadoop.apache.org Message-ID: <273092679.2.1350633360579.JavaMail.jiratomcat@arcas> In-Reply-To: <1318675711.67586.1350623163269.JavaMail.jiratomcat@arcas> Subject: [jira] [Commented] (HDFS-4081) NamenodeProtocol and other Secure Protocols should use different config keys for serverPrincipal and clientPrincipal KerberosInfo components MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HDFS-4081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13479780#comment-13479780 ] Ahad Rana commented on HDFS-4081: --------------------------------- Hi Aaron, Upon further investigation, I think my bug and HDFS-2264 are reaching different conclusions as to why clientPrototocl should be represented by a different config key. I wonder if there are two different bugs surfacing here ? Ahad. > NamenodeProtocol and other Secure Protocols should use different config keys for serverPrincipal and clientPrincipal KerberosInfo components > --------------------------------------------------------------------------------------------------------------------------------------------- > > Key: HDFS-4081 > URL: https://issues.apache.org/jira/browse/HDFS-4081 > Project: Hadoop HDFS > Issue Type: Bug > Components: security > Affects Versions: 2.0.0-alpha, 2.0.1-alpha, 2.0.2-alpha, 2.0.3-alpha > Reporter: Ahad Rana > > The Namenode protocol (NamenodeProtocol.java) defines the same config key, dfs.namenode.kerberos.principal, for both ServerPrincipal and ClientPrincipal components of the KerberosInfo data structure. This overloads the meaning of the dfs.namenode.kerberos.principal config key. This key can be used to define the namenode's principal during startup, but in the client case, it is used by ServiceAuthorizationManager.authorize to create a principal name given an incoming client's ip address. If you explicitly set the principal name for the namenode in the Config using this key, it then breaks ServiceAuthorizationManager.authorize, because it expects this same value to contain a Kerberos principal name pattern NOT an explicit name. > The solve this issue, the ServerPrincipal and ClientPrincipal components of the NamenodeProtocol should each be assigned unique Config keys. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira