[
https://issues.apache.org/jira/browse/HDFS-17276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18027955#comment-18027955
]
ASF GitHub Bot commented on HDFS-17276:
---------------------------------------
github-actions[bot] commented on PR #6326:
URL: https://github.com/apache/hadoop/pull/6326#issuecomment-3374717685
We're closing this stale PR because it has been open for 100 days with no
activity. This isn't a judgement on the merit of the PR in any way. It's just a
way of keeping the PR queue manageable.
If you feel like this was a mistake, or you would like to continue working
on it, please feel free to re-open it and ask for a committer to remove the
stale tag and review again.
Thanks all for your contribution.
> The nn fetch editlog forbidden in kerberos environment
> ------------------------------------------------------
>
> Key: HDFS-17276
> URL: https://issues.apache.org/jira/browse/HDFS-17276
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: qjm, security
> Affects Versions: 3.3.5, 3.3.6
> Reporter: kuper
> Priority: Major
> Labels: pull-request-available
> Attachments: image-2023-12-06-20-21-03-557.png,
> image-2023-12-06-20-21-46-825.png
>
>
> * In a Kerberos environment, the namenode cannot fetch editlog from
> journalnode because the request is rejected (403).
> !image-2023-12-06-20-21-03-557.png!
> * GetJournalEditServlet checks if the request's username meets the
> requirements through the isValidRequestor function. After HDFS-16686 is
> merged, remotePrincipal becomes ugi.getUserName().
> * In a Kerberos environment, ugi.getUserName() gets the
> request.getRemoteUser() via DfsServlet's getUGI to get the username, and this
> username is not a full name.
> * Therefore, the obtained username is similar to namenode01 instead of
> namenode01/[email protected], which meansit fails to pass the isValidRequestor
> check. !image-2023-12-06-20-21-46-825.png!
> *reproduction*
> * In the TestGetJournalEditServlet add testSecurityRequestNameNode
> {code:java}
> @Test
> public void testSecurityRequestNameNode() throws IOException,
> ServletException {
> // Test: Make a request from a namenode
> CONF.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
> UserGroupInformation.setConfiguration(CONF);
>
> HttpServletRequest request = mock(HttpServletRequest.class);
>
> when(request.getParameter(UserParam.NAME)).thenReturn("nn/[email protected]");
> when(request.getRemoteUser()).thenReturn("jn");
> boolean isValid = SERVLET.isValidRequestor(request, CONF);
>
> assertThat(isValid).isTrue();
> } {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
