[
https://issues.apache.org/jira/browse/HADOOP-7510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13100799#comment-13100799
]
Jitendra Nath Pandey commented on HADOOP-7510:
----------------------------------------------
> How about if I add a config option to control whether the new behavior in
> this patch is enabled.
This sounds ok. hostname should be added to token-service only if config is
enabled. It should be off by default. Those who don't want ip-failover will not
run into any surprises.
1) mapreduce.job.hdfs-servers is indeed used in this use-case, and that is how
the delegation token for all the namenodes involved will be obtained by the
jobClient when first job is submitted. But, the problem is still there because
the first jobClient is a new version client and it puts hostname in the token.
When a task of this first job tries to submit another job to a cluster of
earlier version, it can't get a new token issued because it doesn't have any
kerberos credentials for the user. The existing tokens must be passed along.
2) InetSocketAddress#getHostname javadoc states that it "returns the hostname
part of the address." It doesn't say it would be the same name/ip with which it
was instantiated. In fact java 7 document states that it may trigger a reverse
lookup. getHostString looks like a new API added in java 7.
3) I agree those changes have risks too.
> I'm not sure I understand why you think I'm not using standard java apis. The
> calls are all documented and the
> behavior is standard. I'm open to other means of determining exactly what
> string was used to instantiate the
> InetSocketAddress.
All I meant was that the assumption about the API may not work in all java
implementations. In Java 7, getHostString does guarantee no reverse lookup.
Unfortunately, that API is not in java 6.
> Tokens should use original hostname provided instead of ip
> ----------------------------------------------------------
>
> Key: HADOOP-7510
> URL: https://issues.apache.org/jira/browse/HADOOP-7510
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Fix For: 0.20.205.0
>
> Attachments: HADOOP-7510-2.patch, HADOOP-7510-3.patch,
> HADOOP-7510-4.patch, HADOOP-7510.patch
>
>
> Tokens currently store the ip:port of the remote server. This precludes
> tokens from being used after a host's ip is changed. Tokens should store the
> hostname used to make the RPC connection. This will enable new processes to
> use their existing tokens.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
