[
https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13875336#comment-13875336
]
Daryn Sharp commented on HADOOP-10158:
--------------------------------------
Deprecation is a good idea. We may want to consider just host and maybe realm
to satisfy Benoy's use case. The reason being that spnego mandates
HTTP/host@realm as the principal, so letting someone specify something other
than HTTP is just letting them shoot themselves in the foot - although I've
been abusing it for negative testing. ;)
Going back to the realm, I wonder if there's a way to let java figure out the
realm instead of blindly assuming the default realm? We should see if
LoginContext given HTTP/host will find the correct keytab entry instead of
assuming default realm.
Additionally, my first idea was to look for principals for all the interfaces
to which the web server is bound. If that's possible, no configuration key
would be required at all...
> SPNEGO should work with multiple interfaces/SPNs.
> -------------------------------------------------
>
> Key: HADOOP-10158
> URL: https://issues.apache.org/jira/browse/HADOOP-10158
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 2.2.0
> Reporter: Kihwal Lee
> Assignee: Daryn Sharp
> Attachments: HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch,
> HADOOP-10158_multiplerealms.patch
>
>
> This is the list of internal servlets added by namenode.
> | Name | Auth | Need to be accessible by end users |
> | StartupProgressServlet | none | no |
> | GetDelegationTokenServlet | internal SPNEGO | yes |
> | RenewDelegationTokenServlet | internal SPNEGO | yes |
> | CancelDelegationTokenServlet | internal SPNEGO | yes |
> | FsckServlet | internal SPNEGO | yes |
> | GetImageServlet | internal SPNEGO | no |
> | ListPathsServlet | token in query | yes |
> | FileDataServlet | token in query | yes |
> | FileChecksumServlets | token in query | yes |
> | ContentSummaryServlet | token in query | yes |
> GetDelegationTokenServlet, RenewDelegationTokenServlet,
> CancelDelegationTokenServlet and FsckServlet are accessed by end users, but
> hard-coded to use the internal SPNEGO filter.
> If a name node HTTP server binds to multiple external IP addresses, the
> internal SPNEGO service principal name may not work with an address to which
> end users are connecting. The current SPNEGO implementation in Hadoop is
> limited to use a single service principal per filter.
> If the underlying hadoop kerberos authentication handler cannot easily be
> modified, we can at least create a separate auth filter for the end-user
> facing servlets so that their service principals can be independently
> configured. If not defined, it should fall back to the current behavior.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
