Some concepts need to be clarified before further discussions.
A host principal should be "host/FQDN@REALM". "host" is the keyword for a host principal, NOT:
> Let's call... as host principal...
A service principal should be "service_name/FQDN@REALM", so hbase/_h...@domain.com is also a service principal, not a host principal.

> the client doesn't know which server it connects to by SASL
The FQDN shall let a client know which thrift server it is going to connect to.

> But if we set host from principal, not only "host principal" still can work, but also "service principal"
A host principal can serve the same function as a service principal, except that it refers to the host as a whole as opposed to any specific service.

________________________________
From: Weizhan Zeng <qgweiz...@gmail.com>
Sent: 15 March 2018 10:00:32
To: dev@hbase.apache.org
Subject: Re: TSaslServerTransport.TSaslServerDefinition serverName should get from principal, not DNS

Hi, Josh

Let's call "hbase/_h...@domain.com" the host principal and "hbase/thriftserv...@domain.com" the service principal.

In most services, like RegionServer on HBase or DataNode on HDFS, we should configure SASL by hostname.

But when I do load balancing, such as Nginx with several thrift services, the client doesn't know which server it connects to by SASL!

So if SASL is configured by hostname from DNS, not from the principal, the client can't work.

But if we set host from the principal, not only does the "host principal" still work, but also the "service principal".

2018-03-15 0:32 GMT+08:00 Josh Elser <els...@apache.org>:

> No, the principal should definitely get pulled from DNS. Remember that you
> must consistently use the same naming to refer to a service when Kerberos is
> in the mix. This is why the FQDN (and DNS) is so important for services.
>
> Your issue seems to be that you have multiple different names for a single
> service: "thriftserver2" and "A" in your examples.
>
> Having inconsistent naming of nodes in your system will only add to the
> confusion as, for most services in HBase and HDFS, they are only configured
> to accept SASL-based RPCs for a single hostname.
>
>
> On 3/14/18 11:03 AM, Weizhan Zeng wrote:
>
>> Hi, guys
>> I use ThriftServer2 with kerberos, and I found something wrong when all
>> servers' principal is "hbase/thriftserv...@domain.com".
>> When I looked at the code I found something that may not be right! When we
>> start Thrift Server, we get host from DNS:
>>
>>     if (securityEnabled) {
>>       host = Strings.domainNamePointerToHostName(
>>           DNS.getDefaultHost(
>>               conf.get("hbase.thrift.dns.interface", "default"),
>>               conf.get("hbase.thrift.dns.nameserver", "default")));
>>       userProvider.login("hbase.thrift.keytab.file",
>>           "hbase.thrift.kerberos.principal", host);
>>     }
>>
>> Because my principal is "hbase/thriftserv...@domain.com", not
>> "hbase/_h...@domain.com", when we create the TTransportFactory the host is the
>> real host name, for example A, but my principal user name is
>> "hbase/thriftserv...@domain.com", not "hbase/a...@domain.com":
>>
>>     TTransportFactory transportFactory = getTTransportFactory(qop, name, host, framed,
>>         conf.getInt("hbase.regionserver.thrift.framed.max_frame_size_in_mb", 2) * 1024 * 1024);
>>
>> When the client opens a transport like below,
>> transport = TTransport.TSaslClientTransport(socket, "thriftserver2", "hbase"), it will
>> not be right, so I think we should get host from the user, not from DNS,
>> like below. Tell me if I am wrong, thank you!
>>
>>     host = org.apache.hadoop.security.SecurityUtil.getHostFromPrincipal(
>>         userProvider.getCurrent().getName());
>>
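To make the naming question in this thread concrete, the following is a small Python model added by the editor; it is not code from HBase, Hadoop or any of the posters. It parses Kerberos principals, performs the `_HOST` substitution the server does at keytab login (assumed to mirror Hadoop's `SecurityUtil`, which lower-cases the FQDN), derives the SASL server name either from DNS (the behaviour quoted above) or from the principal (the proposed change), and then checks whether a client that asks for `hbase/<host>` will match the server's name. The GSSAPI exchange is reduced to a name comparison; a real KDC must also hold a key for the resolved principal, which the model does not check. Host names such as `a.domain.com` and `thriftserver2` are placeholders taken from the thread, not real hosts.

```python
import re

# Kerberos principal: primary[/instance]@REALM (for a service principal the instance is the host)
PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@/]+))?@(?P<realm>[^@]+)$")


def parse_principal(principal):
    """Split 'hbase/a.domain.com@DOMAIN.COM' into ('hbase', 'a.domain.com', 'DOMAIN.COM')."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    return m.group("primary"), m.group("instance"), m.group("realm")


def domain_name_pointer_to_hostname(name):
    """Strip the trailing dot a reverse (PTR) lookup returns, like Strings.domainNamePointerToHostName."""
    return name[:-1] if name.endswith(".") else name


def resolve_host_pattern(principal, dns_host):
    """_HOST substitution done when the server logs in from its keytab.
    Assumption: mirrors Hadoop's SecurityUtil, which lower-cases the FQDN."""
    primary, instance, realm = parse_principal(principal)
    if instance == "_HOST":
        instance = domain_name_pointer_to_hostname(dns_host).lower()
    return f"{primary}/{instance}@{realm}" if instance else f"{primary}@{realm}"


def host_from_principal(principal):
    """Instance component of a principal (None if absent), like SecurityUtil.getHostFromPrincipal."""
    return parse_principal(principal)[1]


def server_sasl_name(server_principal, dns_host, source):
    """The serverName the Thrift server would hand to TSaslServerDefinition.
    'dns' is the behaviour quoted in the thread; 'principal' is the proposed change."""
    if source == "dns":
        return domain_name_pointer_to_hostname(dns_host)
    if source == "principal":
        return host_from_principal(server_principal)
    raise ValueError(f"unknown source {source!r}")


def gssapi_name_match(server_protocol, server_name, client_protocol, client_host):
    """The client asks the KDC for a ticket to client_protocol/client_host; the server only
    accepts a ticket for the name it was configured with. Simplified to a name comparison."""
    return (server_protocol, server_name.lower()) == (client_protocol, client_host.lower())


def scenario(keytab_principal, dns_host, source, client_host, client_protocol="hbase"):
    """Return (resolved server principal, advertised SASL server name, client succeeds?)."""
    resolved = resolve_host_pattern(keytab_principal, dns_host)
    primary, _, _ = parse_principal(resolved)
    name = server_sasl_name(resolved, dns_host, source)
    return resolved, name, gssapi_name_match(primary, name, client_protocol, client_host)


if __name__ == "__main__":
    # Constructed cases; DNS answers carry the trailing dot a PTR lookup returns.
    cases = [
        # per-host principal, client targets the FQDN: works with either source
        ("hbase/_HOST@DOMAIN.COM", "a.domain.com.", "dns", "a.domain.com"),
        ("hbase/_HOST@DOMAIN.COM", "a.domain.com.", "principal", "a.domain.com"),
        # one principal shared behind a load balancer, client targets "thriftserver2"
        ("hbase/thriftserver2@DOMAIN.COM", "a.domain.com.", "dns", "thriftserver2"),
        ("hbase/thriftserver2@DOMAIN.COM", "a.domain.com.", "principal", "thriftserver2"),
    ]
    for keytab, dns, source, client in cases:
        resolved, name, ok = scenario(keytab, dns, source, client)
        print(f"{keytab:32} source={source:9} client->{client:14} "
              f"server={resolved:34} sasl={name:14} {'OK' if ok else 'MISMATCH'}")
```

The third case reproduces the mismatch reported in the thread: the server logs in as `hbase/thriftserver2@DOMAIN.COM` but advertises the DNS name `a.domain.com`, so a client that asks for `hbase/thriftserver2` cannot authenticate. The fourth case shows the proposed change fixing it, with the caveat from the reply above that this only holds while every node behind the balancer consistently carries that same principal and keytab.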