[
https://issues.apache.org/jira/browse/HADOOP-12665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15088151#comment-15088151
]
Matt Foley commented on HADOOP-12665:
-------------------------------------
In branch-1 it was documented in
[core-default.xml|https://svn.apache.org/repos/asf/hadoop/common/branches/branch-1/src/core/core-default.xml]
as:
{code}
<property>
  <name>hadoop.security.token.service.use_ip</name>
  <value>true</value>
  <description>Controls whether tokens always use IP addresses. DNS changes
  will not be detected if this option is enabled. Existing client connections
  that break will always reconnect to the IP of the original host. New clients
  will connect to the host's new IP but fail to locate a token. Disabling
  this option will allow existing and new clients to detect an IP change and
  continue to locate the new host's token.
  </description>
</property>
{code}
This resulted in a corresponding entry in
https://hadoop.apache.org/docs/r1.2.1/core-default.html
Apparently in branch-2 it was removed from core-default.xml, presumably because
it is a rarely used parameter. However, it still needs to be documented
somewhere because it is required for *multi-homed servers* if Kerberos security
is enabled, as seen in certain customer complaints (that have not been reported
as Apache Jiras since they were resolved as misconfigurations rather than code
bugs). I have documented it thus:
bq. Parameters for Security Token service host resolution
bq. In secure multi-homed environments, the following parameter will need to be
set to false (it is true by default) on both cluster servers and clients (see
HADOOP-7733), in core-site.xml. If it is not set correctly, the symptom will
be inability to submit an application to YARN from an external client (with
error "client host not a member of the Hadoop cluster"), or even from an
in-cluster client if server failover occurs.
I'm including this as part of a white paper I'm writing on the whole topic of
multi-homed support. I was planning to integrate that into Apache Hadoop docs
when it is done in a couple weeks. So [~anu], if you like, you can reassign
this docs jira to me.
> Document hadoop.security.token.service.use_ip
> ---------------------------------------------
>
> Key: HADOOP-12665
> URL: https://issues.apache.org/jira/browse/HADOOP-12665
> Project: Hadoop Common
> Issue Type: Improvement
> Components: documentation
> Affects Versions: 2.8.0
> Reporter: Arpit Agarwal
> Assignee: Anu Engineer
>
> {{hadoop.security.token.service.use_ip}} is not documented in 2.x/trunk.
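
The following is an added example, not Hadoop code and not part of the comment above: a simplified model of the token lookup that the property description refers to, showing why a multi-homed server needs `hadoop.security.token.service.use_ip` set to false. It assumes tokens are keyed by a service string that is IP-based when the flag is true and hostname-based when it is false; the hostname, addresses, port and per-network DNS views are constructed sample values.

```python
# Simplified model (not Hadoop source) of token lookup keyed by a service string.
# All hostnames, addresses and the port below are constructed sample values.

# Per-network DNS views of one multi-homed server: the same name resolves
# to a different interface address depending on where the client sits.
DNS_VIEWS = {
    "cluster":  {"rm.example.internal": "10.0.0.5"},
    "external": {"rm.example.internal": "192.0.2.5"},
}
PORT = 8032


def token_service(host, port, network, use_ip):
    """Build the key a token is stored and looked up under."""
    if use_ip:
        # IP-based key: depends on which interface address this network sees.
        return f"{DNS_VIEWS[network][host.lower()]}:{port}"
    # Hostname-based key: identical on every network.
    return f"{host.lower()}:{port}"


def issue_token(host, network, use_ip):
    """Record a token under the service key derived on `network`."""
    return {"service": token_service(host, PORT, network, use_ip), "kind": "sample"}


def locate_token(credentials, host, network, use_ip):
    """Select the token whose service matches the address being dialed."""
    wanted = token_service(host, PORT, network, use_ip)
    return next((t for t in credentials if t["service"] == wanted), None)


def scenario(use_ip):
    """Token obtained on the cluster network, then looked up from both networks."""
    host = "RM.example.internal"
    creds = [issue_token(host, "cluster", use_ip)]
    return {
        "in_cluster": locate_token(creds, host, "cluster", use_ip) is not None,
        "external": locate_token(creds, host, "external", use_ip) is not None,
    }


if __name__ == "__main__":
    for flag in (True, False):
        print(f"use_ip={flag}: {scenario(flag)}")
```
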