hadoop-mapreduce-dev mailing list archives

From "Kan Zhang (JIRA)" <j...@apache.org>
Subject [jira] Created: (MAPREDUCE-1959) Should use long name for token renewer on the client side
Date Thu, 22 Jul 2010 17:40:50 GMT
Should use long name for token renewer on the client side

                 Key: MAPREDUCE-1959
                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1959
             Project: Hadoop Map/Reduce
          Issue Type: Bug
          Components: security
            Reporter: Kan Zhang
            Assignee: Kan Zhang

When getting a delegation token from a NN, a client needs to specify the renewer for the token.
For use on a MapRed cluster, JT should be specified as the renewer. However, in the current
code, the client maps JT's long name (Kerberos principal name) to a cluster-internal short name
and then sets the short name as the renewer. This is undesirable for 2 reasons. 1) It's unnecessary,
since NN (or JT) converts the client-supplied renewer from long to short name anyway. 2) In principle,
the mapping from long to short name should be done on the server. This is consistent with
the authentication case, where the client uses the same long name to authenticate to multiple
servers and servers map the client's long name to their own internal short names. It facilitates
using the same job client to get delegation tokens from multiple NNs, which may have different
mapping rules for JT.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
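
The multi-NN case described in the issue, as an added example that is not part of the original message or of Hadoop's code: two NameNodes with different mapping rules for the JT principal, and a client that sets the renewer either as a short name it mapped itself or as the long name. The principal, the user "alice", the rule format and the pass-through of unmatched names are constructed assumptions of this model, not Hadoop's rule syntax.

```python
import re

# Constructed principal and rules; a simplified stand-in for per-server
# long-to-short name mapping, not Hadoop's actual rule syntax.
JT_PRINCIPAL = "mapred/jt.example.com@EXAMPLE.COM"


class Server:
    """A NameNode (or client) with its own long-to-short mapping rules."""
    def __init__(self, name, rules):
        self.name = name
        self.rules = [(re.compile(p), r) for p, r in rules]

    def to_short(self, principal):
        for pattern, short in self.rules:
            if pattern.fullmatch(principal):
                return short
        # Assumption of this model: a name no rule matches (for example one
        # that is already short) is used unchanged.
        return principal

    def issue_token(self, owner, renewer):
        # The server normalises whatever renewer the client supplied.
        return {"owner": owner, "renewer": self.to_short(renewer)}

    def may_renew(self, token, caller_principal):
        # The caller authenticated with its long name; the server maps it
        # with its own rules before comparing against the stored renewer.
        return self.to_short(caller_principal) == token["renewer"]


CLIENT = Server("client", [(r"mapred/.*@EXAMPLE\.COM", "mapred")])
NN_A = Server("nn-a", [(r"mapred/.*@EXAMPLE\.COM", "mapred")])
NN_B = Server("nn-b", [(r"mapred/.*@EXAMPLE\.COM", "jt_svc")])


def renewal_outcomes(client_maps_first):
    """Return {NN name: can the JT renew?} for one client strategy."""
    renewer = CLIENT.to_short(JT_PRINCIPAL) if client_maps_first else JT_PRINCIPAL
    out = {}
    for nn in (NN_A, NN_B):
        token = nn.issue_token("alice", renewer)
        out[nn.name] = nn.may_renew(token, JT_PRINCIPAL)
    return out


if __name__ == "__main__":
    print("short name set by client:", renewal_outcomes(True))
    print("long name set by client: ", renewal_outcomes(False))
```

In this model the client-mapped short name only renews at the NameNode whose rules happen to agree with the client's, while the long name renews at both.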
