[ https://issues.apache.org/jira/browse/HADOOP-16457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16892087#comment-16892087 ]
Eric Yang commented on HADOOP-16457: ------------------------------------ This problem is not related to HADOOP-16354. If dfs.datanode.kerberos.principal is set in namenode's hdfs-site.xml, then the ServiceAuthorizationManager expects the datanode username in kerberos principal format without checking hadoop.security.authentication == simple. The easy solution is removing dfs.datanode.kerberos.principal config from hdfs-site.xml. There might be enhancement in this area to make dfs.datanode.kerberos.principal config less abrupt to simple security setting. > Hadoop does not work without Kerberos for simple security > --------------------------------------------------------- > > Key: HADOOP-16457 > URL: https://issues.apache.org/jira/browse/HADOOP-16457 > Project: Hadoop Common > Issue Type: Bug > Affects Versions: 3.3.0 > Reporter: Eric Yang > Assignee: Prabhu Joseph > Priority: Major > > When http filter initializers is setup to use StaticUserWebFilter, AuthFilter > is still setup. This prevents datanode to talk to namenode. > Error message in namenode logs: > {code} > 2019-07-24 15:47:38,038 INFO org.apache.hadoop.hdfs.DFSUtil: Filter > initializers set : > org.apache.hadoop.http.lib.StaticUserWebFilter,org.apache.hadoop.hdfs.web.AuthFilterInitializer > 2019-07-24 16:06:26,212 WARN > SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: > Authorization failed for hdfs (auth:SIMPLE) for protocol=interface > org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol: this service is only > accessible by dn/eyang-5.openstacklo...@example.com > {code} > Errors in datanode log: > {code} > 2019-07-24 16:07:01,253 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: > Problem connecting to server: eyang-1.openstacklocal/172.26.111.17:9000 > {code} > The logic in HADOOP-16354 always added AuthFilter regardless security is > enabled or not. This is incorrect. When simple security is chosen and using > StaticUserWebFilter. AutheFilter check should not be required for datanode > to communicate with namenode. -- This message was sent by Atlassian JIRA (v7.6.14#76016) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org