[
https://issues.apache.org/jira/browse/HADOOP-12549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17161765#comment-17161765
]
Chao Sun commented on HADOOP-12549:
-----------------------------------
Thanks [~elgoiri] and [~hexiaoqiao]! To give a bit of context, this config
{{dfs.namenode.kerberos.principal.pattern}} is already set to {{*}} by default
for HDFS in {{hdfs-default.xml}} by HDFS-7546 (not HDFS-7456, as in the title).
However, in some cases the default value is not honored:
# some applications may only depend on hadoop-hdfs-client but not hadoop-hdfs,
which will not use the {{hdfs-default.xml}}.
# applications may choose to initialize a {{Configuration}} via {{new
Configuration(false)}}, which will skip the default settings altogether.
We recently hit this issue when upgrading our routers from non-secure to
secure. In our environment we use different Kerberos primaries for router and
hdfs, e.g., routers use principal {{router/<instance>@<realm>}} while namenodes
use {{hdfs/<instance>@<realm>}}. When clients try to talk to both, they will
fail with something like:
{code:java}
Failed on local exception: java.io.IOException: Couldn't set up IO streams:
java.lang.IllegalArgumentException: Server has invalid Kerberos principal:
router/<instance>@<realm>, expecting: hdfs/<instance>@<realm>;
{code}
It took quite some effort for us to find all the clients that are exposed
to this and fix their configurations. In retrospect, this patch would have made
things much easier.
With that said, I don't pretend to be a security expert and would like to hear
opinions from other folks above. cc [~kihwal] also who reviewed the original
patch of this feature.
> Extend HDFS-7456 default generically to all pattern lookups
> -----------------------------------------------------------
>
> Key: HADOOP-12549
> URL: https://issues.apache.org/jira/browse/HADOOP-12549
> Project: Hadoop Common
> Issue Type: Improvement
> Components: ipc, security
> Affects Versions: 2.7.1
> Reporter: Harsh J
> Priority: Minor
> Attachments: HADOOP-12549.002.patch, HADOOP-12549.patch
>
>
> In HDFS-7546 we added a hdfs-default.xml property to bring back the regular
> behaviour of trusting all principals (as was the case before HADOOP-9789).
> However, the change only targeted HDFS users and also only those that used
> the default-loading mechanism of Configuration class (i.e. not {{new
> Configuration(false)}} users).
> I'd like to propose adding the same default to the generic RPC client code
> also, so the default affects all form of clients equally.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
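The failure mode described in the comment above, as an added worked example that is not part of the Jira thread and is not Hadoop's own code: a small Python model of a two-layer {{Configuration}} (explicit settings shadowing a default layer) and of a client-side server-principal check that consults {{dfs.namenode.kerberos.principal.pattern}} first and falls back to an exact match against {{dfs.namenode.kerberos.principal}}. The {{hdfs-default.xml}} stand-in, the host names, the realm {{EXAMPLE.COM}} and the glob semantics (Python's {{fnmatch}}, where {{*}} also matches {{/}} and {{@}}) are assumptions made for the example; the real Hadoop check lives in the RPC client and is more involved.

```python
import fnmatch

PATTERN_KEY = "dfs.namenode.kerberos.principal.pattern"
PRINCIPAL_KEY = "dfs.namenode.kerberos.principal"

# Constructed stand-in for hdfs-default.xml after HDFS-7546: the pattern
# defaults to "*". A client that only depends on hadoop-hdfs-client does not
# load this resource at all (modelled below by passing no resources).
HDFS_DEFAULT_XML = {PATTERN_KEY: "*"}


class Configuration:
    """Simplified model of Hadoop's Configuration: a default layer filled from
    *-default.xml resources, shadowed by explicitly set keys.
    new Configuration(false) skips the default layer entirely."""

    def __init__(self, load_defaults=True, default_resources=()):
        self._defaults = {}
        if load_defaults:
            for resource in default_resources:
                self._defaults.update(resource)
        self._explicit = {}

    def set(self, key, value):
        self._explicit[key] = value

    def get(self, key, fallback=None):
        if key in self._explicit:
            return self._explicit[key]
        return self._defaults.get(key, fallback)


class InvalidServerPrincipal(Exception):
    """Stands in for the IllegalArgumentException quoted in the comment."""


def expected_principal(conf, server_host):
    """Expand the _HOST placeholder in the configured server principal."""
    template = conf.get(PRINCIPAL_KEY)
    return None if template is None else template.replace("_HOST", server_host)


def check_server_principal(conf, server_host, server_principal):
    """Accept the principal the server presented during SASL/Kerberos setup,
    or raise with the same message shape the comment quotes.
    Assumption: a configured pattern is consulted first; without one the
    principal must equal dfs.namenode.kerberos.principal (with _HOST expanded)."""
    pattern = conf.get(PATTERN_KEY)
    if pattern:
        if fnmatch.fnmatchcase(server_principal, pattern):
            return True
        raise InvalidServerPrincipal(
            f"Server has invalid Kerberos principal: {server_principal}, "
            f"expecting pattern: {pattern}")
    expected = expected_principal(conf, server_host)
    if expected is None or expected != server_principal:
        raise InvalidServerPrincipal(
            f"Server has invalid Kerberos principal: {server_principal}, "
            f"expecting: {expected}")
    return True


def client_accepts(conf, server_host, server_principal):
    try:
        return check_server_principal(conf, server_host, server_principal)
    except InvalidServerPrincipal:
        return False


def make_client_conf(load_defaults, resources=(), pattern=None):
    """Build a client config that expects hdfs/_HOST, the way the comment's
    clients were set up before routers appeared (constructed values)."""
    conf = Configuration(load_defaults, resources)
    conf.set(PRINCIPAL_KEY, "hdfs/_HOST@EXAMPLE.COM")
    if pattern is not None:
        conf.set(PATTERN_KEY, pattern)
    return conf


NAMENODE = ("nn1.example.com", "hdfs/nn1.example.com@EXAMPLE.COM")
ROUTER = ("rt1.example.com", "router/rt1.example.com@EXAMPLE.COM")
FOREIGN = ("rt9.example.org", "router/rt9.example.org@OTHER.ORG")


def scenarios():
    """Return {name: (accepts namenode, accepts router, accepts foreign realm)}."""
    full = make_client_conf(True, [HDFS_DEFAULT_XML])       # hadoop-hdfs on the classpath
    client_only = make_client_conf(True, [])                # hadoop-hdfs-client only
    no_defaults = make_client_conf(False, [HDFS_DEFAULT_XML])  # new Configuration(false)
    fixed_star = make_client_conf(False, [], pattern="*")
    fixed_realm = make_client_conf(False, [], pattern="*/*@EXAMPLE.COM")
    out = {}
    for name, conf in [("full", full), ("client_only", client_only),
                       ("no_defaults", no_defaults), ("fixed_star", fixed_star),
                       ("fixed_realm", fixed_realm)]:
        out[name] = tuple(client_accepts(conf, host, principal)
                          for host, principal in (NAMENODE, ROUTER, FOREIGN))
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:12s} namenode={result[0]} router={result[1]} foreign={result[2]}")
```

The {{client_only}} and {{no_defaults}} rows reproduce the two cases the comment lists: both reject the router even though {{hdfs-default.xml}} says {{*}}, which is why the issue proposes putting the default in the generic RPC client. The {{fixed_realm}} row shows the narrower setting a practitioner may prefer over {{*}}: it still admits the {{router/}} and {{hdfs/}} primaries but keeps rejecting a principal from another realm, whereas {{*}} accepts any server principal at all.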