[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-05-11 Thread Kihwal Lee (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kihwal Lee updated HADOOP-10158:


   Resolution: Fixed
Fix Version/s: 2.5.0
 Hadoop Flags: Reviewed
   Status: Resolved  (was: Patch Available)

Committed to trunk and branch-2.

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
Priority: Critical
 Fix For: 2.5.0

 Attachments: HADOOP-10158-readkeytab.patch, 
 HADOOP-10158-readkeytab.patch, HADOOP-10158.patch, HADOOP-10158.patch, 
 HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch, 
 HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch


 This is the list of internal servlets added by namenode.

 | Name | Auth | Need to be accessible by end users |
 | StartupProgressServlet | none | no |
 | GetDelegationTokenServlet | internal SPNEGO | yes |
 | RenewDelegationTokenServlet | internal SPNEGO | yes |
 | CancelDelegationTokenServlet | internal SPNEGO | yes |
 | FsckServlet | internal SPNEGO | yes |
 | GetImageServlet | internal SPNEGO | no |
 | ListPathsServlet | token in query | yes |
 | FileDataServlet | token in query | yes |
 | FileChecksumServlets | token in query | yes |
 | ContentSummaryServlet | token in query | yes |

 GetDelegationTokenServlet, RenewDelegationTokenServlet, 
 CancelDelegationTokenServlet and FsckServlet are accessed by end users, but 
 hard-coded to use the internal SPNEGO filter.

 If a name node HTTP server binds to multiple external IP addresses, the 
 internal SPNEGO service principal name may not work with an address to which 
 end users are connecting.  The current SPNEGO implementation in Hadoop is 
 limited to using a single service principal per filter.

 If the underlying Hadoop Kerberos authentication handler cannot easily be 
 modified, we can at least create a separate auth filter for the end-user 
 facing servlets so that their service principals can be independently 
 configured. If not defined, it should fall back to the current behavior.



--
This message was sent by Atlassian JIRA
(v6.2#6252)


[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-04-29 Thread Kihwal Lee (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kihwal Lee updated HADOOP-10158:


Target Version/s: 2.5.0  (was: 2.4.0)

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
Priority: Critical
 Attachments: HADOOP-10158-readkeytab.patch, 
 HADOOP-10158-readkeytab.patch, HADOOP-10158.patch, HADOOP-10158.patch, 
 HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch, 
 HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch




[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-04-29 Thread Kihwal Lee (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kihwal Lee updated HADOOP-10158:


Status: Patch Available  (was: Open)

Submitting the patch since the dependency is checked in.

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
Priority: Critical
 Attachments: HADOOP-10158-readkeytab.patch, 
 HADOOP-10158-readkeytab.patch, HADOOP-10158.patch, HADOOP-10158.patch, 
 HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch, 
 HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch




[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-04-23 Thread Daryn Sharp (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Daryn Sharp updated HADOOP-10158:
-

Attachment: HADOOP-10158.patch

Will submit when dependency HADOOP-10322 is integrated.

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
Priority: Critical
 Attachments: HADOOP-10158-readkeytab.patch, 
 HADOOP-10158-readkeytab.patch, HADOOP-10158.patch, HADOOP-10158.patch, 
 HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch, 
 HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch




[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-01-31 Thread Benoy Antony (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benoy Antony updated HADOOP-10158:
--

Attachment: HADOOP-10158-readkeytab.patch

[~daryn],

I added a utility method in _KerberosUtil_ which reads a keytab file and 
returns all the principal names in it. Also wrote a unit test.
If it looks good, I can provide a method which returns principals for a 
specified short name (e.g. HTTP).


 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
Priority: Critical
 Attachments: HADOOP-10158-readkeytab.patch, HADOOP-10158.patch, 
 HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch, 
 HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch




[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-01-31 Thread Benoy Antony (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benoy Antony updated HADOOP-10158:
--

Attachment: HADOOP-10158-readkeytab.patch

Attaching the partial patch which reads principals from keytab. This one 
compiles fine.

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
Priority: Critical
 Attachments: HADOOP-10158-readkeytab.patch, 
 HADOOP-10158-readkeytab.patch, HADOOP-10158.patch, HADOOP-10158.patch, 
 HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch, 
 HADOOP-10158_multiplerealms.patch




[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-01-29 Thread Jason Lowe (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jason Lowe updated HADOOP-10158:


Target Version/s: 2.4.0  (was: )

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
Priority: Critical
 Attachments: HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch, 
 HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch




[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-01-29 Thread Daryn Sharp (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Daryn Sharp updated HADOOP-10158:
-

Attachment: HADOOP-10158.patch

Dynamically use spnego principals in the keytab, including realm discovery for 
the service hosts.  Ideally the existing principal conf key can be removed in a 
future jira.  For now/compatibility, the principal will be immediately logged 
if the key is set.

Introduced a {{SpnegoLoginManager}} that caches the interface's hostname to a 
{{SpnegoLogin}}.  {{SpnegoLogin}} contains a {{LoginContext}} or the exception 
that caused the login failure.  This allows negative caching of failed 
interface hostnames, and returns the same exception to subsequent clients.

It's been tested on our secure clusters.  @Benoy, would you please verify the 
multi-realm support works? I tried to write tests by adding multi-realm support 
to minikdc which mostly worked with a bit of manual hackery.  I then realized 
that a unit test has no hope of working on an offline machine - there's not an 
interface other than localhost for using a second realm.

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
Priority: Critical
 Attachments: HADOOP-10158.patch, HADOOP-10158.patch, 
 HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch, 
 HADOOP-10158_multiplerealms.patch



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
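
The hostname-keyed login cache with negative caching described in the 2014-01-29 comment above, as an added Java illustration that is not code from the HADOOP-10158 patch. All class and method names, the sample principals and the cache cap are assumptions, and a stub lookup stands in for the real keytab login.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.login.LoginException;

/** Added illustration only; names are hypothetical, not Hadoop's. */
public class SpnLoginCacheDemo {

  /** Outcome of one login attempt: the principal used, or the failure. */
  static final class LoginResult {
    final String principal;        // non-null on success
    final LoginException failure;  // non-null on failure
    LoginResult(String principal, LoginException failure) {
      this.principal = principal;
      this.failure = failure;
    }
  }

  // Constructed sample: principal names as they might be listed from a keytab.
  static final List<String> KEYTAB_PRINCIPALS = Arrays.asList(
      "HTTP/nn1.internal.example.com@INTERNAL.EXAMPLE.COM",
      "HTTP/nn1.example.com@EXAMPLE.COM",
      "nn/nn1.internal.example.com@INTERNAL.EXAMPLE.COM");

  // Assumed cap: the cache key comes from the request, so the map is bounded.
  static final int MAX_ENTRIES = 64;

  private final Map<String, LoginResult> cache = new ConcurrentHashMap<>();
  final AtomicInteger loginAttempts = new AtomicInteger();

  /** Finds HTTP/<host>@<any realm>, so the realm is taken from the keytab entry. */
  static String findSpn(String host) {
    String prefix = "HTTP/" + host + "@";
    for (String p : KEYTAB_PRINCIPALS) {
      if (p.regionMatches(true, 0, prefix, 0, prefix.length())) {
        return p;
      }
    }
    return null;
  }

  /** Stand-in for a real keytab login (a JAAS LoginContext in a real server). */
  private LoginResult login(String host) {
    loginAttempts.incrementAndGet();
    String spn = findSpn(host);
    if (spn == null) {
      return new LoginResult(null,
          new LoginException("no HTTP principal in keytab for " + host));
    }
    return new LoginResult(spn, null);
  }

  /** Returns the SPN for the name the client connected to, or rethrows the cached failure. */
  String principalFor(String serverName) throws LoginException {
    String host = serverName.toLowerCase(Locale.ROOT);
    LoginResult r = cache.get(host);
    if (r == null) {
      // Cache successes and failures alike until the cap is reached.
      r = cache.size() < MAX_ENTRIES
          ? cache.computeIfAbsent(host, this::login)
          : login(host);
    }
    if (r.failure != null) {
      throw r.failure;  // later callers for a cached host get the same exception
    }
    return r.principal;
  }

  public static void main(String[] args) {
    SpnLoginCacheDemo mgr = new SpnLoginCacheDemo();
    String[] requests = {
        "nn1.example.com", "NN1.internal.example.com",
        "unknown.example.com", "unknown.example.com", "nn1.example.com"};
    for (String name : requests) {
      try {
        System.out.println(name + " -> " + mgr.principalFor(name));
      } catch (LoginException e) {
        System.out.println(name + " -> rejected: " + e.getMessage());
      }
    }
    // Repeated names are served from the cache, including the failed one.
    System.out.println("login attempts: " + mgr.loginAttempts.get());
  }
}
```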


[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-01-24 Thread Benoy Antony (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benoy Antony updated HADOOP-10158:
--

Attachment: HADOOP-10158_multiplerealms.patch

Attaching a patch with the following changes for consideration:

1. Add _getServerPrincipals_ method in _SecurityUtil_ which handles multiple 
principals
2. Invoked it from _NameNodeHttpServer_ (for webhdfs) and 
_AuthenticationFilterInitializer_ (for external urls) in addition to 
_HttpServer_ (for internal urls)

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
 Attachments: HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch, 
 HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch




[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-01-24 Thread Kihwal Lee (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kihwal Lee updated HADOOP-10158:


Priority: Critical  (was: Major)

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
Priority: Critical
 Attachments: HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch, 
 HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch




[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-01-17 Thread Benoy Antony (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benoy Antony updated HADOOP-10158:
--

Attachment: HADOOP-10158_multiplerealms.patch

The change:
1. Store the principals in a servername-to-SPN map in _init_
2. Look up the SPN using the servername in the URL

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
 Attachments: HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch




[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-01-17 Thread Benoy Antony (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benoy Antony updated HADOOP-10158:
--

Attachment: HADOOP-10158_multiplerealms.patch

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
 Attachments: HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch, 
 HADOOP-10158_multiplerealms.patch




[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-01-09 Thread Daryn Sharp (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Daryn Sharp updated HADOOP-10158:
-

Status: Patch Available  (was: Open)

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
 Attachments: HADOOP-10158.patch




[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2014-01-09 Thread Daryn Sharp (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Daryn Sharp updated HADOOP-10158:
-

Attachment: HADOOP-10158.patch

This patch allows multiple principals to be specified via the existing conf 
key.  There's effectively no functional change if only 1 principal is supplied.

The main changes to the auth handler are:
1. Support logging in as multiple principals
2. Create the SPNEGO service principal based on the incoming interface

No tests due to inherent difficulty of writing portable tests that require 
multi-interface hosts.  It has been tested internally on secure grids.

 SPNEGO should work with multiple interfaces/SPNs.
 -

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp
 Attachments: HADOOP-10158.patch





--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
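
The second change described in the message above, choosing the service principal from the name the request arrived on, shown as an added sketch; it is not code from HADOOP-10158.patch or from Hadoop. The class name `SpnSelector`, its `select` method and the sample principals are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/** Hypothetical helper: maps the host a request arrived on to a configured SPNEGO principal. */
public class SpnSelector {
    // Lower-cased host name -> full principal, built once from the configured list.
    private final Map<String, String> principalByHost = new HashMap<>();

    public SpnSelector(List<String> configuredPrincipals) {
        for (String principal : configuredPrincipals) {
            // Expected form is HTTP/<host>@<REALM>; anything else is a configuration error.
            int slash = principal.indexOf('/');
            int at = principal.lastIndexOf('@');
            if (!principal.startsWith("HTTP/") || at <= slash + 1 || at == principal.length() - 1) {
                throw new IllegalArgumentException("Not an HTTP service principal: " + principal);
            }
            String host = principal.substring(slash + 1, at).toLowerCase(Locale.ROOT);
            principalByHost.put(host, principal);
        }
    }

    /**
     * serverName is what the servlet container reports for the request, for example
     * HttpServletRequest.getServerName(). That value comes from the client-supplied Host
     * header, so it is used only as a lookup key into the principals the server already
     * holds; a name with no configured principal yields an empty result.
     */
    public Optional<String> select(String serverName) {
        if (serverName == null) {
            return Optional.empty();
        }
        String host = serverName.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1); // tolerate a fully qualified trailing dot
        }
        return Optional.ofNullable(principalByHost.get(host));
    }

    public static void main(String[] args) {
        // Constructed sample: one host reachable under two names, one principal per name.
        SpnSelector selector = new SpnSelector(Arrays.asList(
            "HTTP/nn1.internal.example.com@EXAMPLE.COM",
            "HTTP/nn1.example.com@EXAMPLE.COM"));
        for (String name : new String[] {"nn1.example.com", "NN1.INTERNAL.EXAMPLE.COM.", "other.example.com"}) {
            System.out.println(name + " -> " + selector.select(name).orElse("no configured principal, reject"));
        }
    }
}
```

With a single configured principal the map has one entry, which matches the message's statement that supplying one principal leaves behavior effectively unchanged.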


[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2013-12-10 Thread Kihwal Lee (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kihwal Lee updated HADOOP-10158:


Summary: SPNEGO should work with multiple interfaces/SPNs.  (was: Some 
namenode servlets should not be internal.)

 SPNEGO should work with multiple interfaces/SPNs.

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee




--
This message was sent by Atlassian JIRA
(v6.1.4#6159)


[jira] [Updated] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

2013-12-10 Thread Kihwal Lee (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kihwal Lee updated HADOOP-10158:


Assignee: Daryn Sharp

 SPNEGO should work with multiple interfaces/SPNs.

 Key: HADOOP-10158
 URL: https://issues.apache.org/jira/browse/HADOOP-10158
 Project: Hadoop Common
  Issue Type: Bug
Affects Versions: 2.2.0
Reporter: Kihwal Lee
Assignee: Daryn Sharp



