[
https://issues.apache.org/jira/browse/HDFS-4043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13479668#comment-13479668
]
Ahad Rana commented on HDFS-4043:
---------------------------------
Hi Brahma,
Please disregard my last suggestion. Setting dfs.namenode.kerberos.principal or
dfs.namenode.kerberos.internal.spnego.principal to and explicit principal name
(instead of a pattern name with _HOST in it) triggers other bugs (see
HDFS-4081). The bottom line is that it is probably best to set the hostname of
the namenode to match exactly the name returned via a reverse-dns query
(getCanonicalName). You are right however, that your problems are a
manifestation of the same general bug (inconsistent resolution of canonical
principal name via different code paths). Most definitely, incoming IP based
connections need to use getCanonicalName to get back a host name that can be
used to form the proper principal name. Otherwise you will need to probably go
with IP based principal names ?
As mentioned above, I have reverted to setting the internal hostname for the
namenodes/secondary namenodes to exactly match the fully qualified hostname
returned via reverse-dns. And so far, things seems to be working properly now.
> Namenode Kerberos Login does not use proper hostname for host qualified hdfs
> principal name.
> --------------------------------------------------------------------------------------------
>
> Key: HDFS-4043
> URL: https://issues.apache.org/jira/browse/HDFS-4043
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security
> Affects Versions: 2.0.0-alpha, 2.0.1-alpha, 2.0.2-alpha, 2.0.3-alpha
> Environment: CDH4U1 on Ubuntu 12.04
> Reporter: Ahad Rana
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> The Namenode uses the loginAsNameNodeUser method in NameNode.java to login
> using the hdfs principal. This method in turn invokes SecurityUtil.login with
> a hostname (last parameter) obtained via a call to InetAddress.getHostName.
> This call does not always return the fully qualified host name, and thus
> causes the namenode to login to fail due to kerberos's inability to find a
> matching hdfs principal in the hdfs.keytab file. Instead it should use
> InetAddress.getCanonicalHostName. This is consistent with what is used
> internally by SecurityUtil.java to login in other services, such as the
> DataNode.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
