[ https://issues.apache.org/jira/browse/MAPREDUCE-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kan Zhang updated MAPREDUCE-1959:
---------------------------------

    Attachment: m1959-01.patch

A trivial patch.

> Should use long name for token renewer on the client side
> ---------------------------------------------------------
>
>                 Key: MAPREDUCE-1959
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1959
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: security
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: m1959-01.patch
>
>
> When getting a delegation token from a NN, a client needs to specify the
> renewer for the token. For use on a MapRed cluster, JT should be specified as
> the renewer. However, in the current code, the client maps JT's long name
> (Kerberos principal name) to cluster-internal short name and then sets the
> short name as the renewer. This is undesirable for 2 reasons. 1) It's
> unnecessary since NN (or JT) converts client-supplied renewer from long to
> short name anyway. 2) In principle, the mapping from long to short name
> should be done on the server. This is consistent with the authentication
> case, where the client uses the same long name to authenticate to multiple
> servers and servers map client's long name to their own internal short names.
> It facilitates using the same job client to get delegation tokens from
> multiple NN's, which may have different mapping rules for JT.
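
The following is an added illustration, not code from the issue, the attached patch, or Hadoop. It is a simplified model of the scenario the description raises: two NNs with different long-to-short mapping rules for JT, compared for a client that maps the renewer itself versus one that sends the long name. The principal, the rules, and the `NameNode` class are constructed assumptions, as is the behaviour that a name without a realm passes through the mapping unchanged.

```python
import re

JT_PRINCIPAL = "jt/jt1.example.com@EXAMPLE.COM"  # constructed Kerberos long name

# Constructed long-to-short rules as (regex, replacement) lists; first match wins.
GENERIC = (r"^(\w+)/[^@]+@EXAMPLE\.COM$", r"\1")
CLIENT_RULES = [GENERIC]                              # client's local view: JT -> "jt"
NN_RULES = {
    "nn1": [GENERIC],                                 # JT -> "jt"
    "nn2": [(r"^jt/[^@]+@EXAMPLE\.COM$", "mapred"),   # JT -> "mapred"
            GENERIC],
}

def to_short(rules, name):
    """Map a long name to a short name using one party's own rules."""
    if "@" not in name:
        return name  # assumption: an already-short name passes through unchanged
    for pattern, repl in rules:
        if re.match(pattern, name):
            return re.sub(pattern, repl, name)
    raise ValueError("no mapping rule matches " + name)

class NameNode:
    """Toy server: stores the renewer as a short name, checks it on renewal."""
    def __init__(self, rules):
        self.rules = rules

    def issue_token(self, owner, renewer):
        # The server converts whatever renewer the client supplied.
        return {"owner": owner, "renewer": to_short(self.rules, renewer)}

    def renew(self, token, caller_principal):
        # The caller authenticated with its long name; the server maps it locally.
        return to_short(self.rules, caller_principal) == token["renewer"]

def renewal_results(map_on_client):
    """Return {nn: True/False} for whether JT can renew the token it was named on."""
    renewer = to_short(CLIENT_RULES, JT_PRINCIPAL) if map_on_client else JT_PRINCIPAL
    results = {}
    for name, rules in NN_RULES.items():
        nn = NameNode(rules)
        token = nn.issue_token("alice", renewer)
        results[name] = nn.renew(token, JT_PRINCIPAL)
    return results

if __name__ == "__main__":
    print("short name set by client:", renewal_results(True))
    print("long name sent to server:", renewal_results(False))
```

In this model the client-mapped renewer works only on the NN whose rules happen to agree with the client's, while the long name is resolved correctly by each server.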