[ https://issues.apache.org/jira/browse/HDFS-16686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577460#comment-17577460 ]
ASF GitHub Bot commented on HDFS-16686: --------------------------------------- snmvaughan opened a new pull request, #4724: URL: https://github.com/apache/hadoop/pull/4724 ### Description of PR GetJournalEditServlet uses request.getRemoteuser() to determine the remoteShortName for Kerberos authorization, which fails to match when the JournalNode uses its own Kerberos principal (e.g. jn/<hostname>@<realm>). This can be fixed by using the UserGroupInformation provided by the base DfsServlet class using the getUGI(request, conf) call. ### How was this patch tested? Integration tests were performed against an HA configuration running in Kubernetes, running Java 11. With the patch, exceptions which had previously reported expected Kerberos principals which included an IP address string were eliminated. ### For code changes: - [X] Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')? - [ ] Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation? - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, `NOTICE-binary` files? > GetJournalEditServlet fails to authorize valid Kerberos request > --------------------------------------------------------------- > > Key: HDFS-16686 > URL: https://issues.apache.org/jira/browse/HDFS-16686 > Project: Hadoop HDFS > Issue Type: Improvement > Components: journal-node > Environment: Running in Kubernetes using Java 11 in an HA > configuration. JournalNodes run on separate pods and have their own Kerberos > principal "jn/<hostname>@<realm>". > Reporter: Steve Vaughan > Assignee: Steve Vaughan > Priority: Major > > GetJournalEditServlet uses request.getRemoteuser() to determine the > remoteShortName for Kerberos authorization, which fails to match when the > JournalNode uses its own Kerberos principal (e.g. jn/<hostname>@<realm>). > This can be fixed by using the UserGroupInformation provided by the base > DfsServlet class using the getUGI(request, conf) call. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org