touchida commented on pull request #2135:
URL: https://github.com/apache/hadoop/pull/2135#issuecomment-661825717
@sunchao Thanks for your comment!
> curl -i "http://<SECURE_DATANODE>:<PORT>/webhdfs/v1/<PATH>?op=OPEN&namenoderpcaddress=<SECURE_NAMENODE>&offset=0"
No, it won't work.
It will result in an `AccessControlException` with a `403` response code, as
follows.
```
$ curl -i "http://<SECURE_DATANODE>:<PORT>/webhdfs/v1/<PATH>?op=OPEN&namenoderpcaddress=<SECURE_NAMENODE>&offset=0"
HTTP/1.1 403 Forbidden
(omitted)
{"RemoteException":{"exception":"IOException","javaClassName":"java.io.IOException","message":"DestHost:destPort <SECURE_NAMENODE>:<PORT> , LocalHost:localPort <SECURE_DATANODE>:0. Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]"}}
```
The corresponding Datanode log is as follows:
```
2020-07-21 09:16:02,559 WARN org.apache.hadoop.ipc.Client: Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
2020-07-21 09:16:02,577 WARN org.apache.hadoop.ipc.Client: Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
2020-07-21 09:16:02,578 INFO org.apache.hadoop.io.retry.RetryInvocationHandler: java.io.IOException: DestHost:destPort <SECURE_NAMNODE>:<PORT> , LocalHost:localPort <SECURE_DATANODE>:0. Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS], while invoking ClientNamenodeProtocolTranslatorPB.getBlockLocations over <SECURE_NAMENODE>:<PORT> after 1 failover attempts. Trying to failover after sleeping for 1224ms.
(omitted)
2020-07-21 09:18:40,881 INFO org.apache.hadoop.io.retry.RetryInvocationHandler: java.io.IOException: DestHost:destPort <SECURE_NAMNODE>:<PORT> , LocalHost:localPort <SECURE_DATANODE>:0. Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS], while invoking ClientNamenodeProtocolTranslatorPB.getBlockLocations over <SECURE_NAMENODE>:<PORT> after 14 failover attempts. Trying to failover after sleeping for 20346ms.
(omitted)
2020-07-21 09:19:01,243 WARN org.apache.hadoop.ipc.Client: Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
```
This is because, in the absence of delegation tokens,
`org.apache.hadoop.hdfs.server.datanode.web.webhdfs.WebHdfsHandler#channelRead0`
will create an insecure `DFSClient`, which cannot talk to a secure Namenode.
- https://github.com/apache/hadoop/blob/da0006f/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/web/webhdfs/WebHdfsHandler.java#L261
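Added example, not part of the original comment or of the Hadoop code base: a Python triage sketch that scans a DataNode log for the failure signature shown above and reports which NameNode RPC was retried, how many failovers were attempted and how long the retry loop kept running. The sample entries are constructed from the log in the comment (wrapped lines rejoined, host placeholders kept); `summarize` and the other names are hypothetical.

```python
import re
from datetime import datetime, timedelta

DENIED = ("org.apache.hadoop.security.AccessControlException: "
          "Client cannot authenticate via:[TOKEN, KERBEROS]")
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+) (\S+): (.*)$")
RETRY = re.compile(r"while invoking (\S+) over \S+ after (\d+) failover attempts")

# Constructed sample: four entries from the comment's log, wrapped lines rejoined.
_WARN = ("WARN org.apache.hadoop.ipc.Client: Exception encountered while "
         "connecting to the server : " + DENIED)
_RETRY = ("INFO org.apache.hadoop.io.retry.RetryInvocationHandler: "
          "java.io.IOException: DestHost:destPort <SECURE_NAMENODE>:<PORT> , "
          "LocalHost:localPort <SECURE_DATANODE>:0. Failed on local exception: "
          "java.io.IOException: " + DENIED + ", while invoking "
          "ClientNamenodeProtocolTranslatorPB.getBlockLocations over "
          "<SECURE_NAMENODE>:<PORT> after {n} failover attempts. "
          "Trying to failover after sleeping for {ms}ms.")
SAMPLE_LOG = "\n".join([
    "2020-07-21 09:16:02,559 " + _WARN,
    "2020-07-21 09:16:02,578 " + _RETRY.format(n=1, ms=1224),
    "2020-07-21 09:18:40,881 " + _RETRY.format(n=14, ms=20346),
    "2020-07-21 09:19:01,243 " + _WARN,
])

def summarize(log_text):
    """Summarize unauthenticated NameNode RPC attempts seen in a DataNode log."""
    first = last = None
    failures, max_attempts, methods = 0, 0, set()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m or DENIED not in m.group(4):
            continue  # not a log entry, or unrelated to the SASL failure
        last = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        first = first or last
        failures += 1
        r = RETRY.search(m.group(4))
        if r:  # RetryInvocationHandler entry: which RPC, how many failovers
            methods.add(r.group(1))
            max_attempts = max(max_attempts, int(r.group(2)))
    span = (last - first) // timedelta(milliseconds=1) if first else 0
    return {"auth_failures": failures, "rpc_methods": sorted(methods),
            "max_failover_attempts": max_attempts, "span_ms": span}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample, the span between the first and last matching entries is just under three minutes for a single request.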