Steve Vaughan created HDFS-16686:
------------------------------------
Summary: GetJournalEditServlet fails to authorize valid Kerberos
request
Key: HDFS-16686
URL: https://issues.apache.org/jira/browse/HDFS-16686
Project: Hadoop HDFS
Issue Type: Improvement
Components: journal-node
Environment: Running in Kubernetes using Java 11 in an HA
configuration. JournalNodes run on separate pods and have their own Kerberos
principal "jn/<hostname>@<realm>".
Reporter: Steve Vaughan
GetJournalEditServlet uses request.getRemoteuser() to determine the
remoteShortName for Kerberos authorization, which fails to match when the
JournalNode uses its own Kerberos principal (e.g. jn/<hostname>@<realm>).
This can be fixed by using the UserGroupInformation provided by the base
DfsServlet class using the getUGI(request, conf) call.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org
