you need to use HTTP/_h...@site.com as that is the principal needed by spnego. So you would need create the HTTP/_HOST principal and add it to the same keytab (/home/hdfs/keytab/nn.service.keytab).
-- Arpit Gupta Hortonworks Inc. http://hortonworks.com/ On Jul 26, 2012, at 6:54 PM, Wangwenli <wangwe...@huawei.com> wrote: > Thank yours response. > I am using hadoop-2.0.0-alpha from apache site. In which version it should > configure with HTTP/_h...@site.com? I think not in hadoop-2.0.0-alpha. > Because I login successful with other principal, pls refer below log: > > 2012-07-23 22:48:17,303 INFO > org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler: > Login using keytab /home/hdfs/keytab/nn.service.keytab, for principal > nn/167-52-0-56.site@site > 2012-07-23 22:48:17,310 INFO > org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler: > Initialized, principal [nn/167-52-0-56.site@site] from keytab > [/home/hdfs/keytab/nn.service.keytab] > > > -----邮件原件----- > 发件人: Arpit Gupta [mailto:ar...@hortonworks.com] > 发送时间: 2012年7月27日 9:22 > 收件人: common-dev@hadoop.apache.org > 主题: Re: regarding _HOST token replacement in security hadoop > > what version of hadoop are you using? > > also > > dfs.web.authentication.kerberos.principal should be set to HTTP/_h...@site.com > > -- > Arpit Gupta > Hortonworks Inc. > http://hortonworks.com/ > > On Jul 26, 2012, at 6:11 PM, Wangwenli <wangwe...@huawei.com> wrote: > >> Hi all, >> >> I configured like below in hdfs-site.xml: >> >> <property> >> <name>dfs.namenode.kerberos.principal</name> >> <value>nn/_HOST@site</value> >> </property> >> >> >> <property> >> <name>dfs.web.authentication.kerberos.principal</name> >> <value>nn/_HOST@site</value> >> </property> >> >> >> When start up namenode, I found, namenode will use principal : >> nn/167-52-0-56@site to login, but the http server will use >> nn/167-52-0-56.site@site<mailto:nn/167-52-0-56.site@site> to lgin, so it >> start failed. >> >> I checked the code, >> >> Namenode will use socAddr.getHostName() to get hostname in >> org.apache.hadoop.hdfs.server.namenode.NameNode.loginAsNameNodeUser. >> >> >> But httpserver 's default hostname is 0.0.0.0, so in >> org.apache.hadoop.security.SecurityUtil.replacePattern, it will get the >> hostname by invoking getLocalHostName,there it use getCanonicalHostName(), >> >> I think this inconsistent is wrong, can someone confirm this? Need raise >> one bug ? >> >> Thanks >> >
