From: "Chris Nauroth (JIRA)"
To: hdfs-issues@hadoop.apache.org
Date: Wed, 1 Apr 2015 17:12:54 +0000 (UTC)
Subject: [jira] [Commented] (HDFS-6666) Abort NameNode and DataNode startup if security is enabled but block access token is not enabled.

[ https://issues.apache.org/jira/browse/HDFS-6666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14391003#comment-14391003 ]

Chris Nauroth commented on HDFS-6666:
-------------------------------------

Actually, I've been meaning to propose that we remove the startKdc profile and migrate existing tests that use it to look more like the tests I wrote for HDFS-2856. For an example, see {{TestSaslDataTransfer}} and its base class {{SaslDataTransferTestCase}}. You might find it useful to extend that same base class.
These tests work by depending on the hadoop-minikdc project instead of an external Apache Directory Server distro URL. They also enable SASL on data transfer protocol and SSL on the web servers, so there is no need for root or trying to set backdoor properties to skip some of the security checks.

> Abort NameNode and DataNode startup if security is enabled but block access token is not enabled.
> -------------------------------------------------------------------------------------------------
>
> Key: HDFS-6666
> URL: https://issues.apache.org/jira/browse/HDFS-6666
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: datanode, namenode, security
> Affects Versions: 3.0.0, 2.5.0
> Reporter: Chris Nauroth
> Assignee: Vijay Bhat
> Priority: Minor
>
> Currently, if security is enabled by setting hadoop.security.authentication to kerberos, but HDFS block access tokens are disabled by setting dfs.block.access.token.enable to false (which is the default), then the NameNode logs an error and proceeds, and the DataNode proceeds without even logging an error. This jira proposes that it's invalid to turn on security but not turn on block access tokens, and that it would be better to fail fast and abort the daemons during startup if this happens.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
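The fail-fast check the issue proposes, as an added example that is not Hadoop's own code: a Python audit that parses core-site.xml and hdfs-site.xml the way Hadoop's Configuration merges them (later files override earlier ones) and refuses the combination of Kerberos authentication with block access tokens left at their default of false. The XML documents are constructed samples; the hostname in them is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the JIRA): Kerberos turned on in
# core-site.xml, dfs.block.access.token.enable never set in hdfs-site.xml.
CORE_SITE_XML = """<configuration>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
</configuration>
"""

HDFS_SITE_XML = """<configuration>
  <property>
    <name>dfs.namenode.rpc-address</name>
    <value>nn.placeholder.internal:8020</value>
  </property>
</configuration>
"""


def parse_hadoop_conf(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def check_block_token_consistency(*xml_docs):
    """Mirror the startup check proposed in HDFS-6666.

    Returns None when the combination is valid, otherwise the reason the
    daemon should abort. Defaults follow Hadoop: authentication is
    'simple' and block access tokens are disabled unless set to true.
    """
    conf = {}
    for doc in xml_docs:          # later documents override earlier ones
        conf.update(parse_hadoop_conf(doc))
    auth = conf.get("hadoop.security.authentication", "simple").lower()
    tokens = conf.get("dfs.block.access.token.enable", "false").lower() == "true"
    if auth == "kerberos" and not tokens:
        return ("hadoop.security.authentication=kerberos requires "
                "dfs.block.access.token.enable=true; refusing to start")
    return None
```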