Jihyun Cho created HDFS-14375:
---------------------------------
Summary: DataNode cannot serve BlockPool to multiple NameNodes in
the different realm
Key: HDFS-14375
URL: https://issues.apache.org/jira/browse/HDFS-14375
Project: Hadoop HDFS
Issue Type: Bug
Components: security
Affects Versions: 3.1.1
Reporter: Jihyun Cho
Attachments: authorize.patch
Let me explain the environment for a description.
{noformat}
KDC(TEST1.COM) <-- Cross-realm trust --> KDC(TEST2.COM)
| |
NameNode1 NameNode2
| |
---------- DataNodes (federated) ----------
{noformat}
We configured the secure clusters and federated them.
But DataNodes could not connect to NameNode1 with below error.
{noformat}
WARN
SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager:
Authorization failed for dn/hadoop-datanode.test....@test2.com (auth:KERBEROS)
for protocol=interface org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol:
this service is only accessible by dn/hadoop-datanode.test....@test1.com
{noformat}
We have avoided the error with attached patch.
The patch checks only using {{username}} and {{hostname}} except {{realm}}.
I think there is no problem. Because if realms are different and no cross-realm
setting, they cannot communication each other. If you are worried about this,
please let me know.
In the long run, it would be better if I could set multiple realms for
authorize. Like this;
{noformat}
<property>
<name>dfs.namenode.kerberos.trust-realms</name>
<value>TEST1.COM,TEST2.COM</value>
</property>
{noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org
