[
https://issues.apache.org/jira/browse/HADOOP-6647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12886952#action_12886952
]
Owen O'Malley commented on HADOOP-6647:
---------------------------------------
Allen,
The Namenode's configuration defines the mapping from long names to short
names. It defaults to:
*...@your.domain -> *
With that mapping, someone coming in from another domain will fail, even with
the cross-realm stuff set up.
h...@bad.domain fails....
At Yahoo, we have two domains and we have rules for exactly how they map, but
they amount to:
*...@ygrid.yahoo.com -> *
*...@corp.yahoo.com -> *
So those two realms work, but anything else will fail. Depending on the
translation that operations defines, they *can* make a cluster insecure.
j...@corp.yahoo.com -> root
would be really convenient for joe, but not secure. *grin*
> balancer fails with "is not authorized for protocol interface
> NamenodeProtocol" in secure environment
> -----------------------------------------------------------------------------------------------------
>
> Key: HADOOP-6647
> URL: https://issues.apache.org/jira/browse/HADOOP-6647
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Boris Shkolnik
> Assignee: Boris Shkolnik
> Attachments: HADOOP-6647-BP20.patch, HADOOP-6647.patch
>
>
> user logs in as hdfs/someth...@something and tries to run balancer.
> balancer is using NameNode Protocol which authorizes based on server
> principal key.
> but NameNode key is hdfs/_h...@.. now. so it fails.
> To fix we need to compare the short names only.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
