kuper created HDFS-17276:
----------------------------

             Summary: The nn fetch editlog failed in kerberos environment
                 Key: HDFS-17276
                 URL: https://issues.apache.org/jira/browse/HDFS-17276
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: qjm, security
    Affects Versions: 3.3.6, 3.3.5
            Reporter: kuper
         Attachments: image-2023-12-06-20-21-03-557.png, image-2023-12-06-20-21-46-825.png

* In a Kerberos environment, the namenode cannot fetch the editlog from the journalnode because the request is rejected (403). !image-2023-12-06-20-21-03-557.png!
* GetJournalEditServlet checks whether the request's username meets the requirements through the isValidRequestor function. After HDFS-16686 is merged, remotePrincipal becomes ugi.getUserName().
* In a Kerberos environment, ugi.getUserName() gets the request.getRemoteUser() via DfsServlet's getUGI to obtain the username, and this username is not a full name.
* Therefore, the obtained username is similar to namenode01 instead of namenode01/host01@REALM.TLD, which means it fails to pass the isValidRequestor check. !image-2023-12-06-20-21-46-825.png!

*reproduction*
 * In the TestGetJournalEditServlet add testSecurityRequestNameNode

{code:java}
@Test
public void testSecurityRequestNameNode() throws IOException, ServletException {
  // Test: Make a request from a namenode with Kerberos authentication enabled
  CONF.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
  UserGroupInformation.setConfiguration(CONF);

  HttpServletRequest request = mock(HttpServletRequest.class);
  // Full principal arrives as the user parameter; getRemoteUser() yields only the short name
  when(request.getParameter(UserParam.NAME)).thenReturn("nn/localh...@realm.tld");
  when(request.getRemoteUser()).thenReturn("jn");
  boolean isValid = SERVLET.isValidRequestor(request, CONF);

  assertThat(isValid).isTrue();
}
{code}
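To make the failure mode in the bullets above concrete, here is an added stand-alone model of the requestor check (it is not Hadoop's GetJournalEditServlet code): it resolves the configured namenode principal's _HOST placeholder into the set of accepted full principals, then shows that the full principal passes while the short name that ugi.getUserName() yields does not. Principal pattern, hosts, realm and the JN short name are constructed for the example.

```python
# Added illustrative model of the requestor check described in this issue.
# It is NOT Hadoop's GetJournalEditServlet code; names, hosts and realm are constructed.
import re

# primary[/instance]@REALM, e.g. nn/host01@REALM.TLD
PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$")

def is_full_principal(name: str) -> bool:
    """True for a full Kerberos principal, False for a short (auth_to_local) name."""
    return PRINCIPAL_RE.match(name) is not None

def short_name(principal: str) -> str:
    """Default auth_to_local rule: keep only the primary component ('nn/host01@R' -> 'nn')."""
    m = PRINCIPAL_RE.match(principal)
    return m.group("primary") if m else principal

def server_principal(pattern: str, hostname: str) -> str:
    """Resolve the _HOST placeholder of a configured server principal."""
    return pattern.replace("_HOST", hostname)

def valid_requestors(conf: dict, nn_hosts: list) -> set:
    """Full principals the journalnode accepts: every namenode's resolved principal."""
    pattern = conf["dfs.namenode.kerberos.principal"]
    return {server_principal(pattern, h) for h in nn_hosts}

def is_valid_requestor(remote_name: str, conf: dict, nn_hosts: list, jn_short_name: str) -> bool:
    """Decision modelled on the servlet: match a configured full principal, or the
    journalnode's own short name. Anything else is rejected (HTTP 403)."""
    if remote_name in valid_requestors(conf, nn_hosts):
        return True
    return remote_name == jn_short_name

# Constructed configuration and hosts (not from a real cluster).
CONF = {"dfs.namenode.kerberos.principal": "nn/_HOST@REALM.TLD"}
NN_HOSTS = ["host01", "host02"]
JN_SHORT = "jn"

def demo() -> dict:
    """Compare what the check sees with the full principal and with the shortened name."""
    full = "nn/host01@REALM.TLD"      # what request.getUserPrincipal().getName() carries
    shortened = short_name(full)      # what ugi.getUserName() yields here: 'nn'
    return {
        "full_principal_accepted": is_valid_requestor(full, CONF, NN_HOSTS, JN_SHORT),
        "short_name_accepted": is_valid_requestor(shortened, CONF, NN_HOSTS, JN_SHORT),
        "jn_own_short_name_accepted": is_valid_requestor(JN_SHORT, CONF, NN_HOSTS, JN_SHORT),
    }

if __name__ == "__main__":
    print(demo())  # short_name_accepted is False: the 403 seen in the report
```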



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
