Some concepts need to be clarified before further discussions.

A host principal should be "host/FQDN@REALM"; host is the keyword for a host
principal, NOT:

> Let's call... as host principal...

A service principal should be "service_name/FQDN@REALM", so
hbase/_h...@domain.com is also a service principal, not a host principal.


> the client doesn't know which server it connects to by SASL

The FQDN shall let a client know which Thrift server it is going to connect to.


> But if we set the host from the principal, not only the "host principal" still
> works, but also the "service principal"

A host principal can serve as the same function as service principal, except 
that it refers to the host as a whole as opposed to any specific service.

________________________________
From: Weizhan Zeng <qgweiz...@gmail.com>
Sent: 15 March 2018 10:00:32
To: dev@hbase.apache.org
Subject: Re: TSaslServerTransport.TSaslServerDefinition serverName should get 
from principal , not DNS

Hi, Josh
Let's call "hbase/_h...@domain.com" the host principal
and "hbase/thriftserv...@domain.com" the service principal.
In most services, like RegionServer on HBase or DataNode on HDFS, we
should configure SASL by hostname.

But when I do load balancing with something such as Nginx in front of several
Thrift servers, the client doesn't know which server it connects to by SASL!

So if SASL is configured by hostname from DNS, not from the principal, the
client can't work.
But if we set the host from the principal, not only the "host principal" still
works, but also the "service principal".

2018-03-15 0:32 GMT+08:00 Josh Elser <els...@apache.org>:

> No, the principal should definitely get pulled from DNS. Remember that you
> must consistently use the same naming to refer to a service when Kerberos is
> in the mix. This is why the FQDN (and DNS) is so important for services.
>
> Your issue seems to be that you have multiple different names for a single
> service "thriftserver2" and "A" in your examples.
>
> Having inconsistent naming of nodes in your system will only add to the
> confusion as, for most services in HBase and HDFS, they are only configured
> to accept SASL-based RPCs for a single hostname.
>
>
> On 3/14/18 11:03 AM, Weizhan Zeng wrote:
>
>> Hi, guys
>>      I use ThriftServer2 with Kerberos, and I found something wrong when all
>> servers' principal is "hbase/thriftserv...@domain.com".
>> When I look at the code I found something that may not be right! When we
>> start Thrift Server, we get the host from DNS:
>>
>> if (securityEnabled) {
>>    host = Strings.domainNamePointerToHostName(
>>        DNS.getDefaultHost(
>>            conf.get("hbase.thrift.dns.interface", "default"),
>>            conf.get("hbase.thrift.dns.nameserver", "default")));
>>    userProvider.login("hbase.thrift.keytab.file",
>> "hbase.thrift.kerberos.principal", host);
>> }
>>
>> Because my principal is "hbase/thriftserv...@domain.com", not
>> "hbase/_h...@domain.com", when creating the TTransportFactory the host is
>> the real host name, for example A, but my principal user name is
>> "hbase/thriftserv...@domain.com", not "hbase/a...@domain.com":
>>
>> TTransportFactory transportFactory = getTTransportFactory(qop, name,
>> host, framed,
>>      conf.getInt("hbase.regionserver.thrift.framed.max_frame_size_in_mb",
>> 2) * 1024 * 1024);
>>
>> When the client opens a transport like below, transport =
>> TTransport.TSaslClientTransport(socket,"thriftserver2","hbase"), it will
>> not be right, so I think we should get the host from the user, not the DNS,
>> like below. Tell me if I am wrong, thank you!
>>
>> host = org.apache.hadoop.security.SecurityUtil.getHostFromPrincipal
>> (userProvider.getCurrent().getName());
>>
>>
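The disagreement in this thread comes down to which name the Thrift server registers for SASL and whether it agrees with the name the client asks for. The following is an added illustration in Python, not HBase or Hadoop code: it models the `_HOST` expansion Hadoop performs on a configured principal, the two candidate sources for the SASL server name (DNS, as in the quoted code, or the host component of the logged-in principal, as proposed), and the name comparison that decides whether the handshake can proceed. The principals and hostnames (`hbase/_HOST@domain.com`, `hbase/thriftserver2@domain.com`, `a.domain.com`, the client's `"thriftserver2"`) are constructed from the thread's own examples; only the name check is modelled, not the Kerberos exchange itself.

```python
"""Kerberos principal naming and the SASL server-name check discussed in the thread.

Added illustration (Python, not HBase or Hadoop code). Pure functions model:
  * Hadoop-style expansion of the _HOST placeholder in a configured principal,
  * the server name the Thrift server would hand to TSaslServerTransport,
    taken either from DNS (quoted code) or from the principal (proposal),
  * whether the name a client requests agrees with it.
Hostnames and principals below are constructed from the thread's examples.
"""
from dataclasses import dataclass
from typing import Optional

HOST_TOKEN = "_HOST"  # Hadoop placeholder, replaced by the local FQDN at login time


@dataclass(frozen=True)
class Principal:
    primary: str             # service name ("hbase"), or "host" for a host principal
    instance: Optional[str]  # FQDN for service and host principals, None for users
    realm: str

    def __str__(self) -> str:
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{name}@{self.realm}"


def parse_principal(text: str) -> Principal:
    """Split 'primary[/instance]@REALM' into its components; reject malformed input."""
    if text.count("@") != 1:
        raise ValueError(f"principal must contain exactly one '@': {text!r}")
    name, realm = text.split("@")
    primary, slash, instance = name.partition("/")
    if not primary or not realm or (slash and not instance):
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(primary, instance or None, realm)


def expand_host_token(configured: str, local_fqdn: str) -> str:
    """Hadoop-style _HOST expansion: the instance becomes the lowercased local FQDN.
    A fixed instance such as "thriftserver2" is kept verbatim."""
    p = parse_principal(configured)
    if p.instance != HOST_TOKEN:
        return configured
    return str(Principal(p.primary, local_fqdn.lower(), p.realm))


def host_from_principal(principal: str) -> Optional[str]:
    """The instance component, i.e. what SecurityUtil.getHostFromPrincipal yields."""
    return parse_principal(principal).instance


def sasl_server_name(configured: str, dns_fqdn: str, source: str) -> str:
    """Server name the Thrift server would register for SASL.

    source == "dns":       behaviour of the quoted code (DNS.getDefaultHost)
    source == "principal": the poster's proposal (host part of the logged-in principal)
    """
    logged_in = expand_host_token(configured, dns_fqdn)
    if source == "dns":
        return dns_fqdn.lower()
    if source == "principal":
        host = host_from_principal(logged_in)
        if host is None:
            raise ValueError(f"principal {logged_in!r} has no host component")
        return host
    raise ValueError(f"unknown source {source!r}")


def handshake_name_matches(configured: str, dns_fqdn: str, source: str,
                           client_server_name: str) -> bool:
    """True when the name the client requests (TSaslClientTransport's serverName)
    equals the name the server listens as. A mismatch is the failure the thread
    describes. Only the name comparison is modelled, not the Kerberos exchange."""
    return sasl_server_name(configured, dns_fqdn, source).lower() == client_server_name.lower()


def thread_scenarios() -> dict:
    """The thread's two deployments, each checked under both name sources."""
    results = {}
    # 1. Per-host principal; the client targets the host's own FQDN.
    per_host = "hbase/_HOST@domain.com"
    for source in ("dns", "principal"):
        results[("per_host", source)] = handshake_name_matches(
            per_host, "a.domain.com", source, "a.domain.com")
    # 2. One shared principal behind a load balancer; the client asks for "thriftserver2".
    shared = "hbase/thriftserver2@domain.com"
    for source in ("dns", "principal"):
        results[("shared", source)] = handshake_name_matches(
            shared, "a.domain.com", source, "thriftserver2")
    return results


if __name__ == "__main__":
    for (deployment, source), ok in thread_scenarios().items():
        print(f"{deployment:9} host from {source:9} -> {'match' if ok else 'MISMATCH'}")
```

Running it shows the per-host principal matching under both sources, while the shared principal matches only when the server name is taken from the principal; that is exactly the difference the poster observed. The comparison is the narrow part of the problem, though: the server must also hold the key for whichever name it advertises, and a shared name behind a balancer means every instance carries the same key, which is the consistent-naming concern raised in the reply above.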
