[
https://issues.apache.org/jira/browse/HADOOP-9789?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13731261#comment-13731261
]
Daryn Sharp commented on HADOOP-9789:
-------------------------------------
If I understand the suggestion, per-NN SPN patterns require conf updates every
time a new NN is "HA enabled", which kind of defeats the goal of not managing
conf changes. Then you have to contemplate whether you key on the IP, the given
hostname, its canonicalized hostname, etc. I envision it being set to
something like "hdfs/*-nn?.domain@REALM".
As for #2, in the absence of a SPN pattern key, it will do exactly what it did
before.
> Support server advertised kerberos principals
> ---------------------------------------------
>
> Key: HADOOP-9789
> URL: https://issues.apache.org/jira/browse/HADOOP-9789
> Project: Hadoop Common
> Issue Type: New Feature
> Components: ipc, security
> Affects Versions: 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Critical
> Attachments: HADOOP-9789.patch, HADOOP-9789.patch
>
>
> The RPC client currently constructs the kerberos principal based on a
> config value, usually with an _HOST substitution. This means the service
> principal must match the hostname the client is using to connect. This
> causes problems:
> * Prevents using HA with IP failover when the servers have distinct
> principals from the failover hostname
> * Prevents clients from being able to access a service bound to multiple
> interfaces. Only the interface that matches the server's principal may be
> used.
> The client should be able to use the SASL advertised principal (HADOOP-9698),
> with appropriate safeguards, to acquire the correct service ticket.