[
https://issues.apache.org/jira/browse/MAPREDUCE-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kan Zhang updated MAPREDUCE-1959:
---------------------------------
Attachment: m1959-01.patch
A trivial patch.
> Should use long name for token renewer on the client side
> ---------------------------------------------------------
>
> Key: MAPREDUCE-1959
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-1959
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Components: security
> Reporter: Kan Zhang
> Assignee: Kan Zhang
> Attachments: m1959-01.patch
>
>
> When getting a delegation token from a NN, a client needs to specify the
> renewer for the token. For use on a MapRed cluster, JT should be specified as
> the renewer. However, in the current code, the client maps JT's long name
> (Kerberos principal name) to cluster-internal short name and then sets the
> short name as the renewer. This is undesirable for 2 reasons. 1) It's
> unnecessary since NN (or JT) converts client-supplied renewer from long to
> short name anyway. 2) In principle, the mapping from long to short name
> should be done on the server. This is consistent with the authentication
> case, where the client uses the same long name to authenticate to multiple
> servers and servers map client's long name to their own internal short names.
> It facilitates using the same job client to get delegation tokens from
> multiple NN's, which may have different mapping rules for JT.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
