[ https://issues.apache.org/jira/browse/HADOOP-10070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13804939#comment-13804939 ]

Aaron T. Myers edited comment on HADOOP-10070 at 10/25/13 4:13 PM:
-------------------------------------------------------------------

This issue is impossible to reproduce without Kerberos enabled, so I'm going to 
first upload the script I used to exercise this issue. This is obviously 
specific to my environment, but the gist should be pretty clear. You'll see 
that two separate {{Configuration}} objects are used to create two separate RPC 
connections, neither of which contains the principal name for the other 
service. Without the fix, the second RPC connection (to the YARN RM) will fail 
with a "Failed to specify server's Kerberos principal name" error, even though 
I did specify the principal name in the {{Configuration}} object for that 
connection. With the fix, both connections succeed.


was (Author: atm):
This issue is impossible to reproduce with Kerberos enabled, so I'm going to 
first upload the script I used to exercise this issue. This is obviously 
specific to my environment, but the gist should be pretty clear. You'll see 
that two separate {{Configuration}} objects are used to create two separate RPC 
connections, neither of which contains the principal name for the other 
service. Without the fix, the second RPC connection (to the YARN RM) will fail 
with a "Failed to specify server's Kerberos principal name" error, even though 
I did specify the principal name in the {{Configuration}} object for that 
connection. With the fix, both connections succeed.

> RPC client doesn't use per-connection conf to determine server's expected 
> Kerberos principal name
> -------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10070
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10070
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Aaron T. Myers
>            Assignee: Aaron T. Myers
>         Attachments: HADOOP-10070.patch, TestKerberosClient.java
>
>
> Currently, RPC client caches the {{Configuration}} object that was passed in 
> to its constructor and uses that same conf for every connection it sets up 
> thereafter. This can cause problems when security is enabled if the 
> {{Configuration}} object provided when the first RPC connection was made does 
> not contain all possible entries for all server principals that will later be 
> used by subsequent connections. When this happens, it will result in later 
> RPC connections incorrectly failing with the error "Failed to specify 
> server's Kerberos principal name" even though the principal name was 
> specified in the {{Configuration}} object provided on later RPC connection 
> attempts.
> I believe this means that we've inadvertently reintroduced HADOOP-6907.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
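
The failure mode described in this issue, as an added, simplified model. It is not Hadoop's RPC client code and not the attached TestKerberosClient.java. The class names `CachingClient` and `PerConnectionClient` are hypothetical, and the principals and host names are constructed sample values.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

// Simplified model of the behaviour described in this issue; not Hadoop's RPC client code.
public class PerConnectionConfDemo {
    static final String ERR = "Failed to specify server's Kerberos principal name";

    // Resolve the expected server principal for a service from the given conf.
    static String lookup(Map<String, String> conf, String key) {
        String principal = conf.get(key);
        if (principal == null || principal.isEmpty()) throw new IllegalStateException(ERR);
        return principal;
    }

    // Hypothetical client: keeps the conf from its constructor and uses it for every connection.
    static class CachingClient {
        private final Map<String, String> conf;
        CachingClient(Map<String, String> conf) { this.conf = conf; }
        String connect(String key, Map<String, String> connConf) { return lookup(conf, key); }
    }

    // Hypothetical client: resolves the principal from the conf supplied for this connection.
    static class PerConnectionClient {
        String connect(String key, Map<String, String> connConf) { return lookup(connConf, key); }
    }

    static String attempt(Supplier<String> s) {
        try { return "ok, expecting " + s.get(); }
        catch (IllegalStateException e) { return "error: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        // Constructed sample values: each conf names only its own service's principal.
        String nnKey = "dfs.namenode.kerberos.principal";
        String rmKey = "yarn.resourcemanager.principal";
        Map<String, String> nnConf = new HashMap<>();
        nnConf.put(nnKey, "hdfs/nn.example.com@EXAMPLE.COM");
        Map<String, String> rmConf = new HashMap<>();
        rmConf.put(rmKey, "yarn/rm.example.com@EXAMPLE.COM");

        CachingClient cached = new CachingClient(nnConf);      // first caller's conf is kept
        System.out.println("cached NN: " + attempt(() -> cached.connect(nnKey, nnConf)));
        System.out.println("cached RM: " + attempt(() -> cached.connect(rmKey, rmConf)));
        PerConnectionClient fixed = new PerConnectionClient();
        System.out.println("fixed  NN: " + attempt(() -> fixed.connect(nnKey, nnConf)));
        System.out.println("fixed  RM: " + attempt(() -> fixed.connect(rmKey, rmConf)));
    }
}
```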
