[hadoop] branch branch-2.10 updated: HADOOP-12665. Document hadoop.security.token.service.use_ip. (#3187)

Sun, 11 Jul 2021 18:20:01 -0700 

This is an automated email from the ASF dual-hosted git repository.

aajisaka pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/branch-2.10 by this push:
     new 992d2c5  HADOOP-12665. Document hadoop.security.token.service.use_ip. 
(#3187)
992d2c5 is described below

commit 992d2c5f4e5041f5c3b34ec0517ef0c352ed0e3a
Author: Akira Ajisaka <aajis...@apache.org>
AuthorDate: Mon Jul 12 10:16:13 2021 +0900

    HADOOP-12665. Document hadoop.security.token.service.use_ip. (#3187)
    
    Reviewed-by: Masatake Iwasaki <iwasak...@apache.org>
    Reviewed-by: Chris Nauroth <cnaur...@apache.org>
    (cherry picked from commit c81f82e21d137b6d45c20c481e7bbc6160d72f94)
---
 .../src/main/resources/core-default.xml             | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git 
a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml 
b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index 15e515f..584c633 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -646,6 +646,27 @@
   </description>
 </property>
 
+  <property>
+    <name>hadoop.security.token.service.use_ip</name>
+    <value>true</value>
+    <description>
+      Controls whether tokens always use IP addresses.
+      DNS changes will not be detected if this option is enabled.
+      Existing client connections that break will always reconnect
+      to the IP of the original host. New clients will connect
+      to the host's new IP but fail to locate a token.
+      Disabling this option will allow existing and new clients
+      to detect an IP change and continue to locate the new host's token.
+
+      In secure multi-homed environments, this parameter will need to
+      be set to false on both cluster servers and clients (see HADOOP-7733).
+      If it is not set correctly, the symptom will be inability to
+      submit an application to YARN from an external client
+      (with error "client host not a member of the Hadoop cluster"),
+      or even from an in-cluster client if server failover occurs.
+    </description>
+  </property>
+
 <property>
   <name>hadoop.workaround.non.threadsafe.getpwuid</name>
   <value>true</value>

---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org

Reply via email to