Ahad Rana created HDFS-4081:
-------------------------------
Summary: NamenodeProtocol and other Secure Protocols should use
different config keys for serverPrincipal and clientPrincipal KerberosInfo
components
Key: HDFS-4081
URL: https://issues.apache.org/jira/browse/HDFS-4081
Project: Hadoop HDFS
Issue Type: Bug
Components: security
Affects Versions: 2.0.2-alpha, 2.0.1-alpha, 2.0.0-alpha, 2.0.3-alpha
Reporter: Ahad Rana
The Namenode protocol (NamenodeProtocol.java) defines the same config key,
dfs.namenode.kerberos.principal, for both ServerPrincipal and ClientPrincipal
components of the KerberosInfo data structure. This overloads the meaning of
the dfs.namenode.kerberos.principal config key. This key can be used to define
the namenode's principal during startup, but in the client case, it is used by
ServiceAuthorizationManager.authorize to create a principal name given an
incoming client's ip address. If you explicitly set the principal name for the
namenode in the Config using this key, it then breaks
ServiceAuthorizationManager.authorize, because it expects this same value to
contain a Kerberos principal name pattern NOT an explicit name.
The solve this issue, the ServerPrincipal and ClientPrincipal components of the
NamenodeProtocol should each be assigned unique Config keys.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
