Should use long name for token renewer on the client side
---------------------------------------------------------

                 Key: MAPREDUCE-1959
                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1959
             Project: Hadoop Map/Reduce
          Issue Type: Bug
          Components: security
            Reporter: Kan Zhang
            Assignee: Kan Zhang


When getting a delegation token from a NN, a client needs to specify the
renewer for the token. For use on a MapRed cluster, JT should be specified as
the renewer. However, in the current code, the client maps JT's long name
(Kerberos principal name) to a cluster-internal short name and then sets the
short name as the renewer. This is undesirable for two reasons. 1) It's
unnecessary, since NN (or JT) converts the client-supplied renewer from long to
short name anyway. 2) In principle, the mapping from long to short name should
be done on the server. This is consistent with the authentication case, where
the client uses the same long name to authenticate to multiple servers and
servers map the client's long name to their own internal short names. It
facilitates using the same job client to get delegation tokens from multiple
NNs, which may have different mapping rules for JT.

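The multi-NN case from the description, worked through as an added example (not Hadoop code and not part of the issue): a simplified Python model in which two NNs hold different mapping rules for the JT principal. The principal, realm, rule format and short names are constructed for illustration, and passing a realm-less name through unchanged is an assumption of this model.

```python
import re

# Constructed sample principal and per-server mapping rules (assumptions, not
# taken from the issue). Each rule is (regex on the long name, short name).
JT_PRINCIPAL = "jt/jt1.example.com@EXAMPLE.COM"
NN_RULES = {
    "nn1": [(r"^jt/.*@EXAMPLE\.COM$", "mapred")],
    "nn2": [(r"^jt/.*@EXAMPLE\.COM$", "jobtracker")],
}


def to_short_name(name, rules):
    """Server-side long-to-short mapping; a name with no realm is left as is."""
    if "@" not in name:
        return name
    for pattern, short in rules:
        if re.match(pattern, name):
            return short
    raise ValueError(f"no mapping rule matches {name!r}")


class NameNode:
    def __init__(self, rules):
        self.rules = rules

    def get_delegation_token(self, renewer):
        # The NN maps the client-supplied renewer with its own rules.
        return {"renewer": to_short_name(renewer, self.rules)}

    def can_renew(self, token, caller_principal):
        # Map the authenticated caller locally, compare with the token's renewer.
        return to_short_name(caller_principal, self.rules) == token["renewer"]


def renewal_results(client_maps_locally, client_rules):
    """Fetch a token from every NN, then let the JT try to renew each one."""
    renewer = JT_PRINCIPAL
    if client_maps_locally:  # behaviour the issue describes as undesirable
        renewer = to_short_name(JT_PRINCIPAL, client_rules)
    results = {}
    for name, rules in NN_RULES.items():
        nn = NameNode(rules)
        token = nn.get_delegation_token(renewer)
        results[name] = nn.can_renew(token, JT_PRINCIPAL)
    return results


if __name__ == "__main__":
    print(renewal_results(True, NN_RULES["nn1"]), renewal_results(False, None))
```

When the client supplies a short name derived from one NN's rules, renewal succeeds only at the NN that shares those rules; when it supplies the long name, each NN stores the short name it will later derive for the JT, so renewal succeeds at both.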