[ 
https://issues.apache.org/jira/browse/HADOOP-16361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16861617#comment-16861617
 ] 

Eric Yang commented on HADOOP-16361:
------------------------------------

The root cause is an incorrect regex for parsing the Kerberos principal to 
trigger the auth_to_local mapping lookup.  In the test case, zookeeper/localhost 
is not a Kerberos principal, but branch-2 logic will attempt to apply the 
auth_to_local mapping and find no match, causing the test case to fail.  The 
test case exposes the implementation issue in Hadoop's approach to parsing 
Kerberos principals.

[~daryn]'s comment in 
[HADOOP-16214|https://issues.apache.org/jira/browse/HADOOP-16214?focusedCommentId=16813851&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16813851]
 stated:

{quote}That's incorrect. It supports interop between secure clients and 
insecure servers. Insecure servers treat principals as principals, else as the 
short name used by insecure clients.{quote}

If the above statement needs to remain true, we need to refine the KerberosName 
parsing strategy, and formalize 
(zookeeper/[email protected]).getShortName() == 
(zookeeper/localhost).getShortName().

One such implementation is offered in HADOOP-16214 patch 013, but it needs some 
work to match the branch-2 implementation.  HADOOP-16214 is not committed; 
therefore, take my advice with caution.

> TestSecureLogins#testValidKerberosName fails on branch-2
> --------------------------------------------------------
>
>                 Key: HADOOP-16361
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16361
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.10.0, 2.9.2, 2.8.5
>            Reporter: Jim Brennan
>            Priority: Major
>
> This test is failing in branch-2.
> {noformat}
> [ERROR] Tests run: 11, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 
> 26.917 s <<< FAILURE! - in org.apache.hadoop.registry.secure.TestSecureLogins
> [ERROR] 
> testValidKerberosName(org.apache.hadoop.registry.secure.TestSecureLogins)  
> Time elapsed: 0.007 s  <<< ERROR!
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: 
> No rules applied to zookeeper/localhost
>       at 
> org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:401)
>       at 
> org.apache.hadoop.registry.secure.TestSecureLogins.testValidKerberosName(TestSecureLogins.java:182)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>       at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>       at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>       at java.lang.reflect.Method.invoke(Method.java:498)
>       at 
> org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
>       at 
> org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
>       at 
> org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
>       at 
> org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
>       at 
> org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
>       at 
> org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
>       at 
> org.junit.internal.runners.statements.FailOnTimeout$StatementThread.run(FailOnTimeout.java:74)
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
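
Added example, not part of the original message and not Hadoop's KerberosName code: a simplified Java model of the parsing decision discussed in the comment above. The class name, the name grammar, the single stand-in mapping rule and the realm EXAMPLE.COM are all assumptions made for illustration. The strict mode sends a realm-less zookeeper/localhost to rule lookup, which fails as in the reported test error; the lenient mode is one way to satisfy the proposed getShortName() equality.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration: a simplified model, not Hadoop's KerberosName.
public class PrincipalShortNameDemo {
    // Assumed name grammar: primary[/instance][@REALM]
    private static final Pattern NAME =
        Pattern.compile("([^/@]+)(/([^/@]+))?(@([^/@]+))?");
    private static final String DEFAULT_REALM = "EXAMPLE.COM"; // constructed value

    // Stand-in for auth_to_local: a single DEFAULT-style rule for the local realm.
    static String applyRules(String primary, String instance, String realm) {
        if (DEFAULT_REALM.equals(realm)) {
            return primary;
        }
        throw new IllegalStateException("No rules applied to " + primary
            + (instance == null ? "" : "/" + instance)
            + (realm == null ? "" : "@" + realm));
    }

    // strict=true:  a name with an instance always goes to rule lookup,
    //               even when it carries no realm.
    // strict=false: a name without a realm is not treated as a principal;
    //               its primary component is returned as the short name.
    static String shortName(String name, boolean strict) {
        Matcher m = NAME.matcher(name);
        if (!m.matches()) {
            throw new IllegalArgumentException("Malformed name: " + name);
        }
        String primary = m.group(1), instance = m.group(3), realm = m.group(5);
        if (realm == null && (instance == null || !strict)) {
            return primary;
        }
        return applyRules(primary, instance, realm);
    }

    public static void main(String[] args) {
        String withRealm = "zookeeper/localhost@" + DEFAULT_REALM;
        String noRealm = "zookeeper/localhost";
        // Equality proposed in the comment: both forms yield one short name.
        System.out.println(
            shortName(withRealm, false).equals(shortName(noRealm, false)));
        try {
            shortName(noRealm, true);
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage()); // rule lookup found no match
        }
    }
}
```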
