[
https://issues.apache.org/jira/browse/HDDS-14064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gargi Jaiswal updated HDDS-14064:
---------------------------------
Description:
The configuration property
{code:java}
hdds.datanode.kerberos.principal{code}
in *ozone-default.xml* has an empty default value, while similar properties
for SCM and OM have defaults (SCM/_HOST@REALM and OM/_HOST@REALM respectively).
This inconsistency can lead to configuration errors in secure Ozone clusters.
*Current Behaviour:*
{code:java}
<property>
<name>hdds.datanode.kerberos.principal</name>
<value/> <!-- EMPTY -->
<tag>OZONE, DATANODE</tag>
<description>
The Datanode service principal. This is typically set to
dn/[email protected]. Each Datanode will substitute _HOST with its
own fully qualified hostname at startup. The _HOST placeholder
allows using the same configuration setting on all Datanodes.
</description>
</property> {code}
When unset, it falls back to the deprecated
{color:#de350b}dfs.datanode.kerberos.principal{color} via
*OzoneConfiguration.java* deprecation handling. This causes DN
*reconfiguration* or *diskbalancer* command issues where:
* {*}DataNode side{*}: hdds.datanode.kerberos.principal is empty, so it falls
back to {color:#de350b}dfs.datanode.kerberos.principal{color}, which is set to
{color:#de350b}dn/_HOST@REALM{color} in dn ozone-site.xml. This is handled
correctly due to deprecating keys.
* {*}Client side{*}: hdds.datanode.kerberos.principal is not set in client
side ozone-site.xml, so it falls back to
{color:#de350b}dfs.datanode.kerberos.principal{color} from
{color:#de350b}hdfs-site.xml{color} (e.g., hdfs/_HOST@REALM).
The mismatch between dn/_HOST@... and hdfs/_HOST@... causes reconfiguration and
diskbalancer commands to fail for any client to dn cli. Right now, to make these
commands work, the user needs to explicitly set the value of the property in
ozone-site.xml.
{code:java}
bash > ozone admin reconfig --service=DATANODE --in-service-datanodes properties
An error occurred while executing the command for :10.145.32.0:19864
java.lang.RuntimeException: java.io.IOException: DestHost:destPort
dn-host-1:19864 , LocalHost:localPort dn-host-1/10.145.32.0:0. Failed on local
exception: java.io.IOException: javax.security.sasl.SaslException: Bad Kerberos
server principal configuration
[Caused by java.lang.IllegalArgumentException: Server has invalid Kerberos
principal:dn/dn-host-1@REALM, expecting: hdfs/dn-host-1@REALM]
bash > ozone admin datanode diskbalancer start in-service-datanodes
An error occurred while executing the command for :10.145.32.0:19864
java.lang.RuntimeException: java.io.IOException: DestHost:destPort
dn-host-1:19864 , LocalHost:localPort dn-host-1/10.145.32.0:0. Failed on local
exception: java.io.IOException: javax.security.sasl.SaslException: Bad Kerberos
server principal configuration [Caused by java.lang.IllegalArgumentException:
Server has invalid Kerberos principal:dn/dn-host-1@REALM, expecting:
hdfs/dn-host-1@REALM]
{code}
was:
The configuration property
{code:java}
hdds.datanode.kerberos.principal{code}
in *ozone-default.xml* has an empty default value, while similar properties
for SCM and OM have defaults (SCM/_HOST@REALM and OM/_HOST@REALM respectively).
This inconsistency can lead to configuration errors in secure Ozone clusters.
*Current Behaviour:*
{code:java}
<property>
<name>hdds.datanode.kerberos.principal</name>
<value/> <!-- EMPTY -->
<tag>OZONE, DATANODE</tag>
<description>
The Datanode service principal. This is typically set to
dn/[email protected]. Each Datanode will substitute _HOST with its
own fully qualified hostname at startup. The _HOST placeholder
allows using the same configuration setting on all Datanodes.
</description>
</property> {code}
When unset, it falls back to the deprecated
{color:#de350b}dfs.datanode.kerberos.principal{color} via
*OzoneConfiguration.java* deprecation handling. This causes DN
*reconfiguration* or *diskbalancer* command issues where:
* {*}DataNode side{*}: hdds.datanode.kerberos.principal is empty, so it falls
back to {color:#de350b}dfs.datanode.kerberos.principal{color}, which is set to
{color:#de350b}dn/_HOST@REALM{color} in dn ozone-site.xml. This is handled
correctly due to deprecating keys.
* {*}Client side{*}: hdds.datanode.kerberos.principal is not set in client
side ozone-site.xml, so it falls back to
{color:#de350b}dfs.datanode.kerberos.principal{color} from
{color:#de350b}hdfs-site.xml{color} (e.g., hdfs/_HOST@REALM).
The mismatch between dn/_HOST@... and hdfs/_HOST@... causes reconfiguration and
diskbalancer commands to fail. Right now, to make these commands work, the user
needs to explicitly set the value of the property in ozone-site.xml.
{code:java}
bash > ozone admin reconfig --service=DATANODE --in-service-datanodes properties
An error occurred while executing the command for :10.145.32.0:19864
java.lang.RuntimeException: java.io.IOException: DestHost:destPort
dn-host-1:19864 , LocalHost:localPort dn-host-1/10.145.32.0:0. Failed on local
exception: java.io.IOException: javax.security.sasl.SaslException: Bad Kerberos
server principal configuration
[Caused by java.lang.IllegalArgumentException: Server has invalid Kerberos
principal:dn/dn-host-1@REALM, expecting: hdfs/dn-host-1@REALM]
bash > ozone admin datanode diskbalancer start in-service-datanodes
An error occurred while executing the command for :10.145.32.0:19864
java.lang.RuntimeException: java.io.IOException: DestHost:destPort
dn-host-1:19864 , LocalHost:localPort dn-host-1/10.145.32.0:0. Failed on local
exception: java.io.IOException: javax.security.sasl.SaslException: Bad Kerberos
server principal configuration [Caused by java.lang.IllegalArgumentException:
Server has invalid Kerberos principal:dn/dn-host-1@REALM, expecting:
hdfs/dn-host-1@REALM]
{code}
> Missing default value for "hdds.datanode.kerberos.principal
> ------------------------------------------------------------
>
> Key: HDDS-14064
> URL: https://issues.apache.org/jira/browse/HDDS-14064
> Project: Apache Ozone
> Issue Type: Bug
> Reporter: Gargi Jaiswal
> Assignee: Gargi Jaiswal
> Priority: Major
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
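The principal mismatch described in the issue can be checked offline before running the admin commands. The following is an added example, not part of the original issue or of Ozone's code: a simplified model of the key fallback (not Hadoop's actual deprecation logic), run over constructed site files, assuming the client loads both ozone-site.xml and hdfs-site.xml.

```python
import xml.etree.ElementTree as ET

NEW_KEY = "hdds.datanode.kerberos.principal"
OLD_KEY = "dfs.datanode.kerberos.principal"  # deprecated key named in the issue

def site(props):
    """Build a constructed *-site.xml string (sample input, not a real file)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

def load_props(xml_text):
    """Parse a Hadoop-style site file into {name: value}, dropping empty values."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name and value:
            props[name] = value
    return props

def effective_principal(site_files, host):
    """Simplified fallback model: the new key wins when non-empty, otherwise
    the deprecated key is used. Returns (principal, key_it_came_from)."""
    merged = {}
    for text in site_files:  # later files override earlier ones
        merged.update(load_props(text))
    for key in (NEW_KEY, OLD_KEY):
        if key in merged:
            return merged[key].replace("_HOST", host), key
    return None, None

def check(dn_files, client_files, host):
    """Compare the principal the DataNode runs as with the one the client expects."""
    dn, _ = effective_principal(dn_files, host)
    expected, source = effective_principal(client_files, host)
    return {"datanode": dn, "client_expects": expected,
            "client_source": source, "match": dn is not None and dn == expected}

# Constructed sample configuration mirroring the scenario in the issue.
OZONE_DEFAULT = site({NEW_KEY: ""})                    # empty default
DN_OZONE_SITE = site({OLD_KEY: "dn/_HOST@REALM"})      # DataNode side
CLIENT_HDFS_SITE = site({OLD_KEY: "hdfs/_HOST@REALM"})  # client side
CLIENT_OZONE_SITE = site({})                           # key not set on client
CLIENT_OZONE_SITE_FIXED = site({NEW_KEY: "dn/_HOST@REALM"})  # explicit workaround

if __name__ == "__main__":
    dn = [OZONE_DEFAULT, DN_OZONE_SITE]
    print(check(dn, [OZONE_DEFAULT, CLIENT_HDFS_SITE, CLIENT_OZONE_SITE], "dn-host-1"))
    print(check(dn, [OZONE_DEFAULT, CLIENT_HDFS_SITE, CLIENT_OZONE_SITE_FIXED], "dn-host-1"))
```
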