[
https://issues.apache.org/jira/browse/HDFS-17276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17845069#comment-17845069
]
ASF GitHub Bot commented on HDFS-17276:
---------------------------------------
hadoop-yetus commented on PR #6326:
URL: https://github.com/apache/hadoop/pull/6326#issuecomment-2103056076
:confetti_ball: **+1 overall**
| Vote | Subsystem | Runtime | Logfile | Comment |
|:----:|----------:|--------:|:--------:|:-------:|
|||| _ Prechecks _ |
| +1 :green_heart: | dupname | 0m 02s | | No case conflicting files
found. |
| +0 :ok: | spotbugs | 0m 00s | | spotbugs executables are not
available. |
| +0 :ok: | codespell | 0m 01s | | codespell was not available. |
| +0 :ok: | detsecrets | 0m 01s | | detect-secrets was not available.
|
| +1 :green_heart: | @author | 0m 00s | | The patch does not contain
any @author tags. |
| +1 :green_heart: | test4tests | 0m 00s | | The patch appears to
include 3 new or modified test files. |
|||| _ trunk Compile Tests _ |
| +1 :green_heart: | mvninstall | 127m 17s | | trunk passed |
| +1 :green_heart: | compile | 10m 24s | | trunk passed |
| +1 :green_heart: | checkstyle | 7m 33s | | trunk passed |
| +1 :green_heart: | mvnsite | 10m 26s | | trunk passed |
| +1 :green_heart: | javadoc | 9m 20s | | trunk passed |
| +1 :green_heart: | shadedclient | 212m 35s | | branch has no errors
when building and testing our client artifacts. |
|||| _ Patch Compile Tests _ |
| +1 :green_heart: | mvninstall | 6m 58s | | the patch passed |
| +1 :green_heart: | compile | 5m 19s | | the patch passed |
| +1 :green_heart: | javac | 5m 19s | | the patch passed |
| +1 :green_heart: | blanks | 0m 00s | | The patch has no blanks
issues. |
| +1 :green_heart: | checkstyle | 3m 45s | | the patch passed |
| +1 :green_heart: | mvnsite | 6m 33s | | the patch passed |
| +1 :green_heart: | javadoc | 5m 14s | | the patch passed |
| +1 :green_heart: | shadedclient | 226m 54s | | patch has no errors
when building and testing our client artifacts. |
|||| _ Other Tests _ |
| +1 :green_heart: | asflicense | 8m 28s | | The patch does not
generate ASF License warnings. |
| | | 609m 15s | | |
| Subsystem | Report/Notes |
|----------:|:-------------|
| GITHUB PR | https://github.com/apache/hadoop/pull/6326 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall
mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets |
| uname | MINGW64_NT-10.0-17763 4cdb66d2f064 3.4.10-87d57229.x86_64
2024-02-14 20:17 UTC x86_64 Msys |
| Build tool | maven |
| Personality | /c/hadoop/dev-support/bin/hadoop.sh |
| git revision | trunk / 74263653dbc9a16564d41d2a8bcd975d47d5d93f |
| Default Java | Azul Systems, Inc.-1.8.0_332-b09 |
| Test Results |
https://ci-hadoop.apache.org/job/hadoop-multibranch-windows-10/job/PR-6326/2/testReport/
|
| modules | C: hadoop-hdfs-project/hadoop-hdfs U:
hadoop-hdfs-project/hadoop-hdfs |
| Console output |
https://ci-hadoop.apache.org/job/hadoop-multibranch-windows-10/job/PR-6326/2/console
|
| versions | git=2.44.0.windows.1 |
| Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |
This message was automatically generated.
> The nn fetch editlog forbidden in kerberos environment
> ------------------------------------------------------
>
> Key: HDFS-17276
> URL: https://issues.apache.org/jira/browse/HDFS-17276
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: qjm, security
> Affects Versions: 3.3.5, 3.3.6
> Reporter: kuper
> Priority: Major
> Labels: pull-request-available
> Attachments: image-2023-12-06-20-21-03-557.png,
> image-2023-12-06-20-21-46-825.png
>
>
> * In a Kerberos environment, the namenode cannot fetch editlog from
> journalnode because the request is rejected (403).
> !image-2023-12-06-20-21-03-557.png!
> * GetJournalEditServlet checks if the request's username meets the
> requirements through the isValidRequestor function. After HDFS-16686 is
> merged, remotePrincipal becomes ugi.getUserName().
> * In a Kerberos environment, ugi.getUserName() gets the
> request.getRemoteUser() via DfsServlet's getUGI to get the username, and this
> username is not a full name.
> * Therefore, the obtained username is similar to namenode01 instead of
> namenode01/hos...@realm.tld, which meansit fails to pass the isValidRequestor
> check. !image-2023-12-06-20-21-46-825.png!
> *reproduction*
> * In the TestGetJournalEditServlet add testSecurityRequestNameNode
> {code:java}
> @Test
> public void testSecurityRequestNameNode() throws IOException,
> ServletException {
> // Test: Make a request from a namenode
> CONF.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
> UserGroupInformation.setConfiguration(CONF);
>
> HttpServletRequest request = mock(HttpServletRequest.class);
>
> when(request.getParameter(UserParam.NAME)).thenReturn("nn/localh...@realm.tld");
> when(request.getRemoteUser()).thenReturn("jn");
> boolean isValid = SERVLET.isValidRequestor(request, CONF);
>
> assertThat(isValid).isTrue();
> } {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
