[jira] [Commented] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.

Fri, 17 Jan 2014 14:18:35 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13875315#comment-13875315
 ] 

Daryn Sharp commented on HADOOP-10158:
--------------------------------------

[~tucu00], I'm a bit hesitant to add yet another config key when extending the 
existing key to support multiple values seems straightforward and compatible.  
If there were two keys and both are defined, what should we do?  Parse them 
both?

KerberosUtil.getServicePrincipal is already handling the lowercasing and 
subbing of null with the hostname.

I'll look at Benoy's patch too.

> SPNEGO should work with multiple interfaces/SPNs.
> -------------------------------------------------
>
>                 Key: HADOOP-10158
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10158
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.2.0
>            Reporter: Kihwal Lee
>            Assignee: Daryn Sharp
>         Attachments: HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch, 
> HADOOP-10158_multiplerealms.patch
>
>
> This is the list of internal servlets added by namenode.
> | Name | Auth | Need to be accessible by end users |
> | StartupProgressServlet | none | no |
> | GetDelegationTokenServlet | internal SPNEGO | yes |
> | RenewDelegationTokenServlet | internal SPNEGO | yes |
> |  CancelDelegationTokenServlet | internal SPNEGO | yes |
> |  FsckServlet | internal SPNEGO | yes |
> |  GetImageServlet | internal SPNEGO | no |
> |  ListPathsServlet | token in query | yes |
> |  FileDataServlet | token in query | yes |
> |  FileChecksumServlets | token in query | yes |
> | ContentSummaryServlet | token in query | yes |
> GetDelegationTokenServlet, RenewDelegationTokenServlet, 
> CancelDelegationTokenServlet and FsckServlet are accessed by end users, but 
> hard-coded to use the internal SPNEGO filter.
> If a name node HTTP server binds to multiple external IP addresses, the 
> internal SPNEGO service principal name may not work with an address to which 
> end users are connecting.  The current SPNEGO implementation in Hadoop is 
> limited to use a single service principal per filter.
> If the underlying hadoop kerberos authentication handler cannot easily be 
> modified, we can at least create a separate auth filter for the end-user 
> facing servlets so that their service principals can be independently 
> configured. If not defined, it should fall back to the current behavior.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Reply via email to