[
https://issues.apache.org/jira/browse/HADOOP-7215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13013761#comment-13013761
]
Todd Lipcon commented on HADOOP-7215:
-------------------------------------
I don't think this is quite right. It works when the IPC client is a server
with a principal like hdfs/dn1.foo.com@REALM. But two-part principals are also
used for other cases, eg tlipcon/admin@REALM. In this patch, won't that try to
bind the local socket of my IPC client to the non-host "admin"?
> RPC clients must connect over a network interface corresponding to the host
> name in the client's kerberos principal key
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-7215
> URL: https://issues.apache.org/jira/browse/HADOOP-7215
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Suresh Srinivas
> Assignee: Suresh Srinivas
> Fix For: 0.20.203.0, 0.23.0
>
> Attachments: HADOOP-7215.203.patch
>
>
> HDFS-7104 introduced a change where RPC server matches client's hostname with
> the hostname specified in the client's Kerberos principal name. RPC client
> binds the socket to a random local address, which might not match the
> hostname specified in the principal name. This results authorization failure
> of the client at the server.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
