dfsadmin -refreshServiceAcl fails Kerb authentication with valid Kerb ticket, other subcommands succeed
-------------------------------------------------------------------------------------------------------

                 Key: HDFS-3001
                 URL: https://issues.apache.org/jira/browse/HDFS-3001
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: hdfs client
    Affects Versions: 0.23.1
            Reporter: patrick white


With a valid hdfs Kerberos ticket, the dfsadmin subcommand '-refreshServiceAcl' still fails on Kerb authentication with the following error:

bash-3.2$ /home/share/hadoop/bin/hdfs  --config /home/conf/hadoop/ dfsadmin -refreshServiceAcl
refreshServiceAcl: User hdfs/USER@DOMAIN (auth:KERBEROS) is not authorized for protocol interface org.apache.hadoop.security.authorize.RefreshAuthorizationPolicyProtocol, expected client Kerberos principal is null


However, other dfsadmin commands like '-printTopology', '-refreshNamenodes', '-safemode', '-report', which should use the same privilege level, do not give authentication errors and work successfully:

-- kerb ticket --
bash-3.2$ klist -5
Ticket cache: FILE:/tmp/path/kbtickets/hdfs.kerberos.ticket
Default principal: hdfs/USER@DOMAIN

Valid starting     Expires            Service principal
01/18/12 23:59:53  01/19/12 23:59:53  krbtgt/USER@DOMAIN
        renew until 01/25/12 23:59:53

-- -printTopology subcommand --
bash-3.2$ /home/share/hadoop/bin/hdfs  --config /home/conf/hadoop/ dfsadmin -printTopology
Rack: /IPADDR1.0
   IPADDR2.43:1004 (HOST1.com)
   IPADDR3.44:1004 (HOST2.com)
   IPADDRn.60:1004 (HOSTn.com)

Rack: /default-rack
   HOSTr.com

-- -refreshNamenodes subcommand --
bash-3.2$ /home/share/hadoop/bin/hdfs --config /home/conf/hadoop/ dfsadmin  -fs hdfs://NNHOST:8020  -refreshNamenodes DNHOST:8020
bash-3.2$ echo $?
0

-- -safemode subcommand --
bash-3.2$ /home/share/hadoop/bin/hdfs --config /home/conf/hadoop/ dfsadmin  -fs hdfs://NNHOST:8020  -safemode get
Safe mode is OFF


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
