[
https://issues.apache.org/jira/browse/HADOOP-7104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12981567#action_12981567
]
Todd Lipcon commented on HADOOP-7104:
-------------------------------------
Uploaded review here:
https://reviews.apache.org/r/316/diff/
Comments to follow later today.
> Remove unnecessary DNS reverse lookups from RPC layer
> -----------------------------------------------------
>
> Key: HADOOP-7104
> URL: https://issues.apache.org/jira/browse/HADOOP-7104
> Project: Hadoop Common
> Issue Type: Improvement
> Components: ipc, security
> Reporter: Kan Zhang
> Assignee: Kan Zhang
> Attachments: c7104-01.patch
>
>
> RPC connection authorization needs to verify client's Kerberos principal name
> matches what specified for the protocol. For service clients like DN's, their
> Kerberos principal names can be specified in the form of
> "datanode/[email protected]". To get the expected
> client principal name, the server needs to substitute "_HOST" with the
> client's fully qualified domain name, which requires a reverse DNS lookup
> from client IP address. However, for connections from clients whose principal
> name are either unspecified or specified not using the "_HOST" convention,
> the substitution is not required and the reverse DNS lookup should be
> avoided. Currently the reverse DNS lookup is done for all clients, which
> could slow services like NN down, when local named cache is not available.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
