hadoop-hdfs-issues mailing list archives

From "Benoy Antony (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-4794) Browsing filesystem via webui throws kerberos exception when NN service RPC is enabled in a secure cluster
Date Fri, 03 May 2013 17:22:16 GMT

     [ https://issues.apache.org/jira/browse/HDFS-4794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benoy Antony updated HDFS-4794:
-------------------------------

    Attachment: HDFS-4794.patch

Root cause of the error:

The delegation token is stored in the UGI tokens (map) and keyed to NameNode's RPC hostname
and port (8020).
Datanode tries to connect to the NameNode Service RPC hostname and port (8030). When the
Client on DataNode looks for a token, it looks for a token keyed to the NameNode Service
RPC hostname and port (8030). It does not find a match and hence cannot use the delegation token
for authentication. It falls back to Kerberos authentication, but does not have a TGT for the
user.

The fix is to use the NameNode's RPC address (NOT service RPC) when browsing directory/block/tail
via web. Patch is attached.

This is not a problem in trunk since the NameNode passes its own RPC address as a URL parameter
when browsing directory. But adopting that scheme requires more changes.
                
> Browsing filesystem via webui throws kerberos exception when NN service RPC is enabled in a secure cluster
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-4794
>                 URL: https://issues.apache.org/jira/browse/HDFS-4794
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.1.2
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HDFS-4794.patch
>
>
> Browsing filesystem via webui throws kerberos exception when NN service RPC is enabled in a secure cluster
> To reproduce this error,
> Enable security
> Enable serviceRPC by setting dfs.namenode.servicerpc-address and use a different port than the rpc port.
> Click on "Browse the filesystem" on NameNode web.
> The following error will be shown:
> Call to NN001/12.123.123.01:8030 failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
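
The token lookup mismatch described in the message above, as an added Python model that is not part of the original message or of Hadoop's code: tokens are keyed by host and port, so a call to the service RPC port finds no delegation token and falls back to Kerberos. The hostname, the `Credentials` class and the function names are assumptions made for illustration; the ports 8020 and 8030 are the ones the message names.

```python
from dataclasses import dataclass, field

# Constructed addresses: client RPC vs. dfs.namenode.servicerpc-address.
NN_RPC = ("nn001.example.com", 8020)
NN_SERVICE_RPC = ("nn001.example.com", 8030)

def service_key(addr):
    """Key a token by host and port, as the message describes."""
    host, port = addr
    return f"{host}:{port}"

@dataclass
class Credentials:
    """Simplified stand-in for a user's UGI: token map plus optional Kerberos TGT."""
    tokens: dict = field(default_factory=dict)
    has_tgt: bool = False

    def add_token(self, addr, token):
        self.tokens[service_key(addr)] = token

class AuthError(Exception):
    pass

def choose_auth(creds, target_addr):
    """Pick the auth method for a call to target_addr.

    A delegation token is used only if one is keyed to the exact target;
    otherwise the client falls back to Kerberos, which requires a TGT.
    """
    key = service_key(target_addr)
    if key in creds.tokens:
        return "TOKEN"
    if creds.has_tgt:
        return "KERBEROS"
    raise AuthError(f"no token keyed to {key} and no Kerberos TGT")

def browse(creds, target_addr):
    """Return the auth method used, or a failure string for the web UI."""
    try:
        return choose_auth(creds, target_addr)
    except AuthError as exc:
        return f"FAILED: {exc}"

def webui_user():
    """Web user as seen on the DataNode: one delegation token, no TGT."""
    creds = Credentials()
    creds.add_token(NN_RPC, "delegation-token (constructed)")
    return creds
```

Calling `browse(webui_user(), NN_SERVICE_RPC)` reproduces the failure path, while `browse(webui_user(), NN_RPC)` shows why targeting the RPC address lets the token be used.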
