[jira] [Commented] (HDFS-4081) NamenodeProtocol and other Secure Protocols should use different config keys for serverPrincipal and clientPrincipal KerberosInfo components

Fri, 19 Oct 2012 00:56:04 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-4081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13479780#comment-13479780
 ] 

Ahad Rana commented on HDFS-4081:
---------------------------------

Hi Aaron,

Upon further investigation, I think my bug and HDFS-2264 are reaching
different conclusions as to why clientPrototocl should be represented by a
different config key. I wonder if there are two different bugs surfacing
here ?

Ahad.



                
> NamenodeProtocol and other Secure Protocols should use different config keys 
> for serverPrincipal and clientPrincipal KerberosInfo components 
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-4081
>                 URL: https://issues.apache.org/jira/browse/HDFS-4081
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.0.0-alpha, 2.0.1-alpha, 2.0.2-alpha, 2.0.3-alpha
>            Reporter: Ahad Rana
>
> The Namenode protocol (NamenodeProtocol.java) defines the same config key, 
> dfs.namenode.kerberos.principal, for both ServerPrincipal and ClientPrincipal 
> components of the KerberosInfo data structure. This overloads the meaning of 
> the dfs.namenode.kerberos.principal config key. This key can be used to 
> define the namenode's principal during startup, but in the client case, it is 
> used by ServiceAuthorizationManager.authorize to create a principal name 
> given an incoming client's ip address. If you explicitly set the principal 
> name for the namenode in the Config using this key, it then breaks 
> ServiceAuthorizationManager.authorize, because it expects this same value to 
> contain a Kerberos principal name pattern NOT an explicit name. 
> The solve this issue, the ServerPrincipal and ClientPrincipal components of 
> the NamenodeProtocol should each be assigned unique Config keys.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to