[ https://issues.apache.org/jira/browse/HADOOP-6647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12886952#action_12886952 ]
Owen O'Malley commented on HADOOP-6647:
---------------------------------------

Allen,

The Namenode's configuration defines the mapping from long names to short names. It defaults to:

*...@your.domain -> *

With that mapping, someone coming in from another domain will fail, even with the cross-realm stuff set up.

h...@bad.domain fails....

At Yahoo, we have two domains and we have rules for exactly how they map, but they amount to:

*...@ygrid.yahoo.com -> *
*...@corp.yahoo.com -> *

So those two realms work, but anything else will fail. Depending on the translation that operations defines, they *can* make a cluster insecure.

j...@corp.yahoo.com -> root

would be really convenient for joe, but not secure. *grin*

> balancer fails with "is not authorized for protocol interface
> NamenodeProtocol" in secure environment
> -----------------------------------------------------------------------------------------------------
>
> Key: HADOOP-6647
> URL: https://issues.apache.org/jira/browse/HADOOP-6647
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Boris Shkolnik
> Assignee: Boris Shkolnik
> Attachments: HADOOP-6647-BP20.patch, HADOOP-6647.patch
>
>
> user logs in as hdfs/someth...@something and tries to run balancer.
> balancer is using NameNode Protocol which authorizes based on server
> principal key.
> but NameNode key is hdfs/_h...@.. now. so it fails.
> To fix we need to compare the short names only.
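The long-name to short-name mapping described in the comment, as an added example that is not part of the original message or Hadoop's own code: a Python model of a subset of the `hadoop.security.auth_to_local` rule syntax, with an audit that flags rules rewriting a principal onto a privileged account. The realms are the two from the comment; the user `alice`, the host `nn1.example`, the `PRIVILEGED` list and the function names are assumptions made for the example.

```python
import re

# Subset of the rule syntax: RULE:[n:format](regex)s/pattern/replacement/
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)(?:s/([^/]*)/([^/]*)/(g?))?$")
PRIVILEGED = {"root", "hdfs", "mapred"}  # assumed list of sensitive accounts

def short_name(principal, rules):
    """Return the short name from the first rule that applies, else raise."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    for rule in rules:
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError(f"unsupported rule: {rule}")
        count, fmt, regex, pat, repl, repeat = m.groups()
        if int(count) != len(parts):
            continue  # rule is for principals with a different component count
        # $0 is the realm, $1..$n are the principal's components
        base = re.sub(r"\$(\d)", lambda g: ([realm] + parts)[int(g.group(1))], fmt)
        if not re.fullmatch(regex, base):
            continue
        if pat is None:
            return base
        return re.sub(pat, repl, base, count=0 if repeat else 1)
    raise LookupError(f"no rule applied to {principal}")

def audit(rules, probes):
    """List probes that a rule rewrites onto a privileged account."""
    findings = []
    for principal in probes:
        try:
            short = short_name(principal, rules)
        except LookupError:
            continue  # rejected: the safe outcome for an unmapped realm
        first = principal.split("@")[0].split("/")[0]
        if short in PRIVILEGED and short != first:
            findings.append((principal, short))
    return findings

# The two-realm mapping from the comment, plus a service-principal rule.
GOOD = [r"RULE:[1:$1@$0](.*@ygrid\.yahoo\.com)s/@.*//",
        r"RULE:[1:$1@$0](.*@corp\.yahoo\.com)s/@.*//",
        r"RULE:[2:$1@$0](.*@ygrid\.yahoo\.com)s/@.*//"]
# The convenient-but-insecure kind of rule, placed first so it wins.
BAD = [r"RULE:[1:$1@$0](alice@corp\.yahoo\.com)s/.*/root/"] + GOOD
# Constructed probe principals.
PROBES = ["alice@ygrid.yahoo.com", "alice@corp.yahoo.com",
          "visitor@bad.domain", "hdfs/nn1.example@ygrid.yahoo.com"]
```

Running `audit` over the rule list before it is deployed shows which principals end up on a privileged short name; a principal that no rule accepts raises `LookupError`, which mirrors the "anything else will fail" behaviour in the comment.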