[
https://issues.apache.org/jira/browse/IMPALA-7298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Ho updated IMPALA-7298:
-------------------------------
Description:
{{KrpcDataStreamSender}} passes a resolved IP address when creating a proxy.
Instead, we should pass both the resolved address and the hostname when
creating the proxy so that we won't end up using the IP address as the hostname
in the Kerberos principal.
Due to the oversight above, the following error may show up when running a
build of 2.12.0 when a user has Kerberos enabled and specified
{{impala/<some-hostname>@<some-domain>}} as the kerberos principal.
{noformat}
WARNINGS: TransmitData() to X.X.X.X:27000 failed: Not authorized: Client
connection negotiation failed: client connection to X.X.X.X:27000: Server
impala/x.x....@vpc.cloudera.com not found in Kerberos database
{noformat}
The workaround for this problem is to have {{rdns=true}} in {{/etc/krb5.conf}}.
was:
{{KrpcDataStreamSender}} passes a resolved IP address when creating a proxy.
Instead, we should pass both the resolved address and the FQDN when creating
the proxy so that we won't end up using the IP address as the hostname in the
Kerberos principal.
Due to the oversight above, the following error may show up when running a
build of 2.12.0 when a user has Kerberos enabled and specified
{{impala/<some-hostname>@<some-domain>}} as the kerberos principal.
{noformat}
WARNINGS: TransmitData() to X.X.X.X:27000 failed: Not authorized: Client
connection negotiation failed: client connection to X.X.X.X:27000: Server
impala/x.x....@vpc.cloudera.com not found in Kerberos database
{noformat}
The workaround for this problem is to have {{rdns=true}} in {{/etc/krb5.conf}}.
> Don't pass resolved IP address as hostname when creating proxy
> --------------------------------------------------------------
>
> Key: IMPALA-7298
> URL: https://issues.apache.org/jira/browse/IMPALA-7298
> Project: IMPALA
> Issue Type: Bug
> Components: Distributed Exec
> Affects Versions: Impala 2.12.0, Impala 3.1.0
> Reporter: Michael Ho
> Assignee: Michael Ho
> Priority: Critical
>
> {{KrpcDataStreamSender}} passes a resolved IP address when creating a proxy.
> Instead, we should pass both the resolved address and the hostname when
> creating the proxy so that we won't end up using the IP address as the
> hostname in the Kerberos principal.
> Due to the oversight above, the following error may show up when running a
> build of 2.12.0 when a user has Kerberos enabled and specified
> {{impala/<some-hostname>@<some-domain>}} as the kerberos principal.
> {noformat}
> WARNINGS: TransmitData() to X.X.X.X:27000 failed: Not authorized: Client
> connection negotiation failed: client connection to X.X.X.X:27000: Server
> impala/x.x....@vpc.cloudera.com not found in Kerberos database
> {noformat}
> The workaround for this problem is to have {{rdns=true}} in
> {{/etc/krb5.conf}}.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org
