No, the principal should definitely get pulled from DNS. Remember that
you must consistently use the same naming to refer to a service when
Kerberos is in the mix. This is why the FQDN (and DNS) is so important for
services.
Your issue seems to be that you have multiple different names for a
single service: "thriftserver2" and "A" in your examples.
Having inconsistent naming of nodes in your system will only add to the
confusion as, for most services in HBase and HDFS, they are only
configured to accept SASL-based RPCs for a single hostname.
On 3/14/18 11:03 AM, Weizhan Zeng wrote:
Hi, guys
I use ThriftServer2 with Kerberos, and I found something wrong when all
servers' principal is "hbase/thriftserv...@domain.com".
When I looked at the code I found something that may not be right. When we
start the Thrift Server, we get the host from DNS:
if (securityEnabled) {
  // host name is resolved from DNS (interface/nameserver from config) ...
  host = Strings.domainNamePointerToHostName(
      DNS.getDefaultHost(
          conf.get("hbase.thrift.dns.interface", "default"),
          conf.get("hbase.thrift.dns.nameserver", "default")));
  // ... and then used for the keytab login (e.g. to expand _HOST)
  userProvider.login("hbase.thrift.keytab.file",
      "hbase.thrift.kerberos.principal", host);
}
Because my principal is "hbase/thriftserv...@domain.com", not
"hbase/_h...@domain.com", when the TTransportFactory is created the host is
the real host name, for example A, but my principal user name is
"hbase/thriftserv...@domain.com", not "hbase/a...@domain.com":
TTransportFactory transportFactory = getTTransportFactory(qop, name,
    host, framed,
    conf.getInt("hbase.regionserver.thrift.framed.max_frame_size_in_mb",
        2) * 1024 * 1024);
When the client opens a transport like
transport = TTransport.TSaslClientTransport(socket, "thriftserver2", "hbase"),
it will not be right, so I think we should get the host from the user, not
from DNS, like below. Tell me if I am wrong, thank you!
host = org.apache.hadoop.security.SecurityUtil.getHostFromPrincipal(userProvider.getCurrent().getName());
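As an added example, not code from this thread or from HBase, Hadoop or Thrift: a small Python model of the naming rule the reply describes, showing why a DNS-derived host and a fixed (non-_HOST) principal disagree. The realm, host names and principals in it are constructed values.

```python
# Added example (not HBase, Hadoop or Thrift code): models how the server's
# login principal, the host the Thrift server hands to its SASL transport and
# the (service, host) a client gives TSaslClientTransport must agree under
# Kerberos/GSSAPI. Realm, host names and principals are constructed values.

def split_principal(principal):
    """Split primary/instance@REALM into its parts (instance/realm may be empty)."""
    name, _, realm = principal.partition("@")
    primary, _, instance = name.partition("/")
    return primary, instance, realm

def expand_host_placeholder(configured_principal, dns_host):
    """Replace a _HOST instance with the lowercased DNS host name (the _HOST
    convention the thread mentions); any other principal is returned unchanged."""
    primary, instance, realm = split_principal(configured_principal)
    if instance == "_HOST":
        instance = dns_host.lower()
    name = primary + ("/" + instance if instance else "")
    return name + ("@" + realm if realm else "")

def host_from_principal(principal):
    """Instance (host) part of a service principal, in the spirit of
    SecurityUtil.getHostFromPrincipal; None when there is no instance."""
    return split_principal(principal)[1] or None

def gssapi_name(service, host):
    """GSSAPI service name a SASL peer is built for: service@host."""
    return f"{service}@{host.lower()}"

def diagnose(configured_principal, dns_host, client_service, client_host):
    """Compare the SASL names each side ends up with against the login
    principal. *_dns: host taken from DNS (the current code path);
    *_princ: host taken from the principal (the proposed change);
    client_*: what the client's TSaslClientTransport(service, host) asks for."""
    principal = expand_host_placeholder(configured_principal, dns_host)
    primary, instance, _ = split_principal(principal)
    want = gssapi_name(primary, instance)          # name the keytab credential has
    name_dns = gssapi_name(primary, dns_host)
    name_princ = gssapi_name(primary, instance or dns_host)
    name_client = gssapi_name(client_service, client_host)
    return {
        "server_principal": principal,
        "server_name_dns": name_dns, "dns_ok": name_dns == want,
        "server_name_princ": name_princ, "princ_ok": name_princ == want,
        "client_name": name_client, "client_ok": name_client == want,
    }

if __name__ == "__main__":
    # The thread's case: a fixed principal "hbase/thriftserver2", but DNS says "a".
    print(diagnose("hbase/thriftserver2@EXAMPLE.COM", "a.example.com",
                   "hbase", "thriftserver2"))
```

With a _HOST principal the same check passes on both code paths, as long as the client also uses the DNS host name, which is the consistency the reply insists on.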