[ https://issues.apache.org/jira/browse/HDFS-17276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17795582#comment-17795582 ]

ASF GitHub Bot commented on HDFS-17276:
---------------------------------------

gp1314 commented on PR #6326:
URL: https://github.com/apache/hadoop/pull/6326#issuecomment-1851244732

@sunchao , could you please make a cr for this modification? I would be very grateful.

> The nn fetch editlog forbidden in kerberos environment
> ------------------------------------------------------
>
>                 Key: HDFS-17276
>                 URL: https://issues.apache.org/jira/browse/HDFS-17276
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: qjm, security
>    Affects Versions: 3.3.5, 3.3.6
>            Reporter: kuper
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: image-2023-12-06-20-21-03-557.png, 
> image-2023-12-06-20-21-46-825.png
>
>
> * In a Kerberos environment, the namenode cannot fetch editlog from
> journalnode because the request is rejected (403).
> !image-2023-12-06-20-21-03-557.png!
> * GetJournalEditServlet checks if the request's username meets the
> requirements through the isValidRequestor function. After HDFS-16686 is
> merged, remotePrincipal becomes ugi.getUserName().
> * In a Kerberos environment, ugi.getUserName() gets the
> request.getRemoteUser() via DfsServlet's getUGI to get the username, and this
> username is not a full name.
> * Therefore, the obtained username is similar to namenode01 instead of
> namenode01/hos...@realm.tld, which means it fails to pass the isValidRequestor
> check. !image-2023-12-06-20-21-46-825.png!
> *reproduction*
>  * In the TestGetJournalEditServlet add testSecurityRequestNameNode
> {code:java}
> import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
> import static org.assertj.core.api.Assertions.assertThat;
> import static org.mockito.Mockito.mock;
> import static org.mockito.Mockito.when;
> import java.io.IOException;
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServletRequest;
> import org.apache.hadoop.hdfs.web.resources.UserParam;
> import org.apache.hadoop.security.UserGroupInformation;
> import org.junit.Test;
>
> // Added to TestGetJournalEditServlet; CONF and SERVLET are the test class's
> // existing Configuration and GetJournalEditServlet fields.
> @Test
> public void testSecurityRequestNameNode() throws IOException,
>     ServletException {
>   // Test: Make a request from a namenode in a Kerberos-secured cluster
>   CONF.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
>   UserGroupInformation.setConfiguration(CONF);
>
>   HttpServletRequest request = mock(HttpServletRequest.class);
>   // The user parameter carries the full principal, but the authenticated
>   // remote user is only the short name
>   when(request.getParameter(UserParam.NAME)).thenReturn("nn/localh...@realm.tld");
>   when(request.getRemoteUser()).thenReturn("jn");
>   boolean isValid = SERVLET.isValidRequestor(request, CONF);
>
>   assertThat(isValid).isTrue();
> }
> {code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
