hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "KWON BYUNGCHANG (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-14434) webhdfs that connect secure hdfs should not use user.name parameter
Date Tue, 23 Apr 2019 10:59:00 GMT

    [ https://issues.apache.org/jira/browse/HDFS-14434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16823967#comment-16823967
] 

KWON BYUNGCHANG commented on HDFS-14434:
----------------------------------------

I will update patch of resolving failed test case. thank you

> webhdfs that connect secure hdfs should not use user.name parameter
> -------------------------------------------------------------------
>
>                 Key: HDFS-14434
>                 URL: https://issues.apache.org/jira/browse/HDFS-14434
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: webhdfs
>    Affects Versions: 3.1.2
>            Reporter: KWON BYUNGCHANG
>            Assignee: KWON BYUNGCHANG
>            Priority: Minor
>         Attachments: HDFS-14434.001.patch, HDFS-14434.002.patch
>
>
> I have two secure hadoop cluster.  Both cluster use cross-realm authentication. 
> [user_a@A.COM|mailto:user_a@A.COM] can access to HDFS of B.COM realm
> by the way, hadoop username of user_a@A.COM  in B.COM realm is  cross_realm_a_com_user_a.
> hdfs dfs command of user_a@A.COM using B.COM webhdfs failed.
> root cause is  webhdfs that connect secure hdfs use user.name parameter.
> according to webhdfs spec,  insecure webhdfs use user.name,  secure webhdfs use SPNEGO
for authentication.
> I think webhdfs that connect secure hdfs  should not use user.name parameter.
> I will attach patch.
> below is error log
>  
> {noformat}
> $ hdfs dfs -ls  webhdfs://b.com:50070/
> ls: Usernames not matched: name=user_a != expected=cross_realm_a_com_user_a
>  
> # user.name in cross realm webhdfs
> $ curl -u : --negotiate 'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&user.name=user_a' 
> {"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
to obtain user group information: java.io.IOException: Usernames not matched: name=user_a
!= expected=cross_realm_a_com_user_a"}}
> # USE SPNEGO
> $ curl -u : --negotiate 'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN'
> {"Token"{"urlString":"XgA....."}}
>  
> {noformat}
>  
>  
>  
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org


Mime
View raw message