[
https://issues.apache.org/jira/browse/HADOOP-7104?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kan Zhang updated HADOOP-7104:
------------------------------
Attachment: c7104-01.patch
Attaching a patch that
1. Passes the InetAddress of the client to the authorization layer instead of
the hostname. The reverse lookup from InetAddress to hostname is done only when
necessary.
2. Adds a supporting utility method for substituting "_HOST" that takes an
InetAddress instead of a String.
3. Reverts the principal name checking from using the shortname back to using the
full Kerberos principal name. Using the shortname, one can't check the hostname
part, i.e., whether the connection is coming from a host that the Kerberos key
is supposed to be used on.
> Remove unnecessary DNS reverse lookups from RPC layer
> -----------------------------------------------------
>
> Key: HADOOP-7104
> URL: https://issues.apache.org/jira/browse/HADOOP-7104
> Project: Hadoop Common
> Issue Type: Improvement
> Components: ipc, security
> Reporter: Kan Zhang
> Assignee: Kan Zhang
> Attachments: c7104-01.patch
>
>
> RPC connection authorization needs to verify that the client's Kerberos principal name
> matches what is specified for the protocol. For service clients like DNs, their
> Kerberos principal names can be specified in the form of
> "datanode/[email protected]". To get the expected
> client principal name, the server needs to substitute "_HOST" with the
> client's fully qualified domain name, which requires a reverse DNS lookup
> from the client IP address. However, for connections from clients whose principal
> names are either unspecified or specified without the "_HOST" convention,
> the substitution is not required and the reverse DNS lookup should be
> avoided. Currently the reverse DNS lookup is done for all clients, which
> could slow services like the NN down when a local named cache is not available.
--
This message is automatically generated by JIRA.
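The following Java sketch is an added illustration of the check discussed above; it is not code from c7104-01.patch or from Hadoop. It shows the two points the patch makes: the reverse DNS lookup is performed only when the configured principal actually contains "_HOST", and the comparison is made on the full principal (name, host and realm) rather than on the shortname, so a key issued for one host cannot be used from another. The class name PrincipalAuthorizer, the injected resolver (a constructed lookup table standing in for reverse DNS so the example runs offline), the addresses and the EXAMPLE.COM realm are all assumptions; a real implementation would resolve with InetAddress.getCanonicalHostName().

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Map;
import java.util.function.Function;

/**
 * Added example (not Hadoop code): authorize an RPC client by comparing its
 * full Kerberos principal with the principal configured for the protocol,
 * substituting "_HOST" with the client's FQDN only when the pattern is present.
 */
public final class PrincipalAuthorizer {
    static final String HOST_PATTERN = "_HOST";

    /** Reverse lookup is injected so the example runs offline (assumption);
     *  production code would call addr.getCanonicalHostName(). */
    private final Function<InetAddress, String> reverseLookup;
    /** Counts reverse lookups performed, to show they only happen when needed. */
    int lookups = 0;

    PrincipalAuthorizer(Function<InetAddress, String> reverseLookup) {
        this.reverseLookup = reverseLookup;
    }

    /** Expected principal for this client. The reverse lookup runs only if
     *  the configured principal names _HOST; otherwise no DNS traffic at all. */
    String expectedPrincipal(String principalConfig, InetAddress clientAddr) {
        if (principalConfig == null || !principalConfig.contains(HOST_PATTERN)) {
            return principalConfig;
        }
        lookups++;
        String fqdn = reverseLookup.apply(clientAddr).toLowerCase(Locale.ROOT);
        return principalConfig.replace(HOST_PATTERN, fqdn);
    }

    /** Full-principal check: name, host part and realm must all match. */
    boolean isAuthorized(String principalConfig, String clientPrincipal, InetAddress clientAddr) {
        String expected = expectedPrincipal(principalConfig, clientAddr);
        if (expected == null) {
            return true; // protocol has no principal requirement configured
        }
        return expected.equals(clientPrincipal);
    }

    /** The weaker shortname comparison the patch reverts from: only the part
     *  before '/' or '@' is compared, so the host part is never checked. */
    static boolean shortNameMatches(String principalConfig, String clientPrincipal) {
        return shortName(principalConfig).equals(shortName(clientPrincipal));
    }

    private static String shortName(String principal) {
        int end = principal.indexOf('/');
        if (end < 0) {
            end = principal.indexOf('@');
        }
        return end < 0 ? principal : principal.substring(0, end);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed reverse-DNS table (assumption) standing in for the resolver.
        Map<String, String> ptr = Map.of(
            "10.0.0.11", "dn1.example.com",
            "10.0.0.99", "rogue.example.com");
        PrincipalAuthorizer auth = new PrincipalAuthorizer(
            a -> ptr.getOrDefault(a.getHostAddress(), a.getHostAddress()));

        // Literal IPs: getByName parses them without any DNS query.
        InetAddress dn1 = InetAddress.getByName("10.0.0.11");
        InetAddress rogue = InetAddress.getByName("10.0.0.99");
        String dnConfig = "datanode/_HOST@EXAMPLE.COM";
        String dn1Principal = "datanode/dn1.example.com@EXAMPLE.COM";

        // 1. Genuine DN connecting from its own host: authorized, one lookup.
        System.out.println("dn1 from 10.0.0.11: " + auth.isAuthorized(dnConfig, dn1Principal, dn1)
            + " (lookups=" + auth.lookups + ")");

        // 2. Same key replayed from another host: full check rejects it,
        //    shortname check would have accepted it.
        System.out.println("dn1 key from 10.0.0.99, full check: "
            + auth.isAuthorized(dnConfig, dn1Principal, rogue));
        System.out.println("dn1 key from 10.0.0.99, shortname check: "
            + shortNameMatches(dnConfig, dn1Principal));

        // 3. Principal configured without _HOST: no reverse lookup is made.
        int before = auth.lookups;
        auth.isAuthorized("balancer@EXAMPLE.COM", "balancer@EXAMPLE.COM", rogue);
        System.out.println("lookups for non-_HOST principal: " + (auth.lookups - before));
    }
}
```

Run with `java PrincipalAuthorizer.java` (Java 11 or later). The lookup counter is the observable behaviour the issue is about: with the resolver injected as above it stays at 1 after the three calls, because only the "_HOST" configuration triggers a resolution, and the rogue-host case shows why the host part of the principal must be compared rather than just the shortname.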