[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
[ https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kihwal Lee updated HADOOP-10158:

Resolution: Fixed
Fix Version/s: 2.5.0
Hadoop Flags: Reviewed
Status: Resolved (was: Patch Available)

Committed to trunk and branch-2.

SPNEGO should work with multiple interfaces/SPNs.

Key: HADOOP-10158
URL: https://issues.apache.org/jira/browse/HADOOP-10158
Project: Hadoop Common
Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
Priority: Critical
Fix For: 2.5.0
Attachments: HADOOP-10158-readkeytab.patch, HADOOP-10158-readkeytab.patch, HADOOP-10158.patch, HADOOP-10158.patch, HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch

This is the list of internal servlets added by namenode.

| Name | Auth | Need to be accessible by end users |
| StartupProgressServlet | none | no |
| GetDelegationTokenServlet | internal SPNEGO | yes |
| RenewDelegationTokenServlet | internal SPNEGO | yes |
| CancelDelegationTokenServlet | internal SPNEGO | yes |
| FsckServlet | internal SPNEGO | yes |
| GetImageServlet | internal SPNEGO | no |
| ListPathsServlet | token in query | yes |
| FileDataServlet | token in query | yes |
| FileChecksumServlets | token in query | yes |
| ContentSummaryServlet | token in query | yes |

GetDelegationTokenServlet, RenewDelegationTokenServlet, CancelDelegationTokenServlet and FsckServlet are accessed by end users, but hard-coded to use the internal SPNEGO filter. If a name node HTTP server binds to multiple external IP addresses, the internal SPNEGO service principal name may not work with an address to which end users are connecting. The current SPNEGO implementation in Hadoop is limited to use a single service principal per filter.

If the underlying hadoop kerberos authentication handler cannot easily be modified, we can at least create a separate auth filter for the end-user facing servlets so that their service principals can be independently configured. If not defined, it should fall back to the current behavior.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Kihwal Lee updated HADOOP-10158:

Target Version/s: 2.5.0 (was: 2.4.0)
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Kihwal Lee updated HADOOP-10158:

Status: Patch Available (was: Open)

Submitting the patch since the dependency is checked in.
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Daryn Sharp updated HADOOP-10158:

Attachment: HADOOP-10158.patch

Will submit when dependency HADOOP-10322 is integrated.
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Benoy Antony updated HADOOP-10158:

Attachment: HADOOP-10158-readkeytab.patch

[~daryn], I added a utility method in _KerberosUtil_ which reads a keytab file and returns all the principal names in it. Also wrote a unit test. If it looks good, I can provide a method which returns principals for a specified short name (e.g. HTTP).
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Benoy Antony updated HADOOP-10158:

Attachment: HADOOP-10158-readkeytab.patch

Attaching the partial patch which reads principals from keytab. This one compiles fine.
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Jason Lowe updated HADOOP-10158:

Target Version/s: 2.4.0 (was: )
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Daryn Sharp updated HADOOP-10158:

Attachment: HADOOP-10158.patch

Dynamically use spnego principals in the keytab, including realm discovery for the service hosts. Ideally the existing principal conf key can be removed in a future jira. For now/compatibility, the principal will be immediately logged if the key is set.

Introduced a {{SpnegoLoginManager}} that caches the interface's hostname to a {{SpnegoLogin}}. {{SpnegoLogin}} contains a {{LoginContext}} or the exception that caused the login failure. This allows negative caching of failed interface hostnames, and returns the same exception to subsequent clients.

It's been tested on our secure clusters. @Benoy, would you please verify the multi-realm support works? I tried to write tests by adding multi-realm support to minikdc which mostly worked with a bit of manual hackery. I then realized that a unit test has no hope of working on an offline machine - there's not an interface other than localhost for using a second realm.
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Benoy Antony updated HADOOP-10158:

Attachment: HADOOP-10158_multiplerealms.patch

Attaching a patch with the following changes for consideration:

1. Add _getServerPrincipals_ method in _SecurityUtil_ which handles multiple principals
2. Invoked it from _NameNodeHttpServer_ (for webhdfs) and _AuthenticationFilterInitializer_ (for external urls) in addition to _HttpServer_ (for internal urls)
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Kihwal Lee updated HADOOP-10158:

Priority: Critical (was: Major)
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Benoy Antony updated HADOOP-10158:

Attachment: HADOOP-10158_multiplerealms.patch

The change

1. store the principals in map servername-SPN in _init_
2. Lookup SPN using servername in the URL
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Benoy Antony updated HADOOP-10158:

Attachment: HADOOP-10158_multiplerealms.patch
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Daryn Sharp updated HADOOP-10158:

Status: Patch Available (was: Open)
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Daryn Sharp updated HADOOP-10158:

Attachment: HADOOP-10158.patch

This patch allows multiple principals to be specified via the existing conf key. There's effectively no functional change if only 1 principal is supplied. The main changes to the auth handler are:

# Support logging in as multiple principals
# Create the SPNEGO service principal based on the incoming interface

No tests due to inherent difficulty of writing portable tests that require multi-interface hosts. It has been tested internally on secure grids.
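The approaches described in the comments above (a server-name-to-SPN map built at init, a per-hostname login cache that also remembers failures, and choosing the service principal from the incoming interface) can be sketched together as follows. This is an added example, not code from any of the attached patches: the class and method names are hypothetical, the principal list is constructed, and the real keytab login is replaced by a stand-in predicate.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Predicate;

/** Hypothetical sketch: select the SPNEGO service principal from the host the client connected to. */
public class SpnSelectorExample {

    /** Outcome of one login: the principal, or the failure that is replayed to later callers. */
    static final class LoginResult {
        final String principal;                 // null when the login failed
        final IllegalStateException failure;    // null when the login succeeded
        LoginResult(String principal, IllegalStateException failure) {
            this.principal = principal;
            this.failure = failure;
        }
    }

    private final Map<String, String> spnByHost = new HashMap<>();
    private final Map<String, LoginResult> loginCache = new ConcurrentHashMap<>();
    private final Predicate<String> loginSucceeds;   // stand-in for a real keytab login
    final AtomicInteger loginAttempts = new AtomicInteger();

    SpnSelectorExample(List<String> keytabPrincipals, Predicate<String> loginSucceeds) {
        this.loginSucceeds = loginSucceeds;
        for (String p : keytabPrincipals) {
            // Expected form: service/host@REALM. Only HTTP/ principals are usable for SPNEGO.
            int slash = p.indexOf('/');
            int at = p.lastIndexOf('@');
            if (slash < 0 || at <= slash + 1 || !p.substring(0, slash).equals("HTTP")) {
                continue;
            }
            String host = p.substring(slash + 1, at).toLowerCase(Locale.ROOT);
            spnByHost.putIfAbsent(host, p);
        }
    }

    /** Returns the principal to accept tickets as for this request's server name. */
    String principalFor(String serverName) {
        String host = serverName.toLowerCase(Locale.ROOT);
        String spn = spnByHost.get(host);
        if (spn == null) {
            // The server name comes from the request, so unknown names are rejected
            // without being cached; the cache stays bounded by the keytab contents.
            throw new IllegalStateException("no HTTP principal in keytab for " + host);
        }
        LoginResult r = loginCache.computeIfAbsent(host, h -> login(spn));
        if (r.failure != null) {
            throw r.failure;   // negative cache hit: same exception, no new login attempt
        }
        return r.principal;
    }

    private LoginResult login(String spn) {
        loginAttempts.incrementAndGet();
        if (!loginSucceeds.test(spn)) {
            return new LoginResult(null, new IllegalStateException("login failed for " + spn));
        }
        return new LoginResult(spn, null);
    }

    public static void main(String[] args) {
        // Constructed sample: principals as they might be listed from a keytab.
        List<String> principals = Arrays.asList(
            "HTTP/nn1.internal.example.com@EXAMPLE.COM",
            "HTTP/nn1.example.org@EXAMPLE.ORG",
            "HTTP/nn1.broken.example.net@EXAMPLE.NET",
            "nn/nn1.internal.example.com@EXAMPLE.COM");
        // Stand-in login: pretend the KDC rejects the EXAMPLE.NET principal.
        SpnSelectorExample selector =
            new SpnSelectorExample(principals, spn -> !spn.endsWith("@EXAMPLE.NET"));

        String[] serverNames = {
            "nn1.internal.example.com", "NN1.EXAMPLE.ORG",
            "nn1.broken.example.net", "nn1.broken.example.net", "unknown.example.com"};
        for (String name : serverNames) {
            try {
                System.out.println(name + " -> " + selector.principalFor(name));
            } catch (IllegalStateException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
        System.out.println("login attempts: " + selector.loginAttempts.get());
    }
}
```

In a servlet filter the server name would typically come from `HttpServletRequest.getServerName()`, which reflects the client-supplied Host header; that is why the sketch only ever resolves names that already have an `HTTP/` entry in the keytab.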
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Kihwal Lee updated HADOOP-10158:

Summary: SPNEGO should work with multiple interfaces/SPNs. (was: Some namenode servlets should not be internal.)
[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Kihwal Lee updated HADOOP-10158:

Assignee: Daryn Sharp