[ https://issues.apache.org/jira/browse/HADOOP-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14590722#comment-14590722 ]
Allen Wittenauer commented on HADOOP-12096:
-------------------------------------------
Last I knew, properly configured/secured *clients* should properly be
canonicalizing the involved principal names. This is especially important when
multiple Kerberos realms are configured so that the client knows which
x-realm(s) to use to get there. There pretty much is no way to map an IP addr
to a realm that I can remember.

There's also the problem of multi-homed hosts. You really want to use *one
name* not lots. Yes, you can use KDC aliasing mapping, etc. to work around some
of these problems, but that's really impractical operationally, especially when
the KDC isn't owned by the team running Hadoop.

> Rest API failing when ip configured in RM address in secure https mode
> ----------------------------------------------------------------------
>
> Key: HADOOP-12096
> URL: https://issues.apache.org/jira/browse/HADOOP-12096
> Project: Hadoop Common
> Issue Type: Bug
> Components: net, security
> Reporter: Bibin A Chundatt
> Assignee: Bibin A Chundatt
> Priority: Critical
> Attachments: 0001-HADOOP-12096.patch, 0001-YARN-3810.patch,
> 0002-YARN-3810.patch
>
>
> Steps to reproduce
> ===============
> 1. Configure hadoop.http.authentication.kerberos.principal as below
> {code:xml}
> <property>
>   <name>hadoop.http.authentication.kerberos.principal</name>
>   <value>HTTP/[email protected]</value>
> </property>
> {code}
> 2. In RM web address also configure IP
> 3. Startup RM
> Call Rest API for RM {{ curl -i -k --insecure --negotiate -u : https IP /ws/v1/cluster/info"}}
> *Actual*
> Rest API failing
> {code}
> 2015-06-16 19:03:49,845 DEBUG org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:399)
>     at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:348)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
>     at org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilter.doFilter(RMAuthenticationFilter.java:82)
> {code}
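
An added example, not part of the JIRA thread or of Hadoop's code, modelling the point made in the comment: a client can map a host name to a realm but not a bare IP address, and a multi-homed host should resolve to one name. The host names, addresses, realms, keytab entry and the simplified `[domain_realm]` style lookup are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the issue):
# one multi-homed ResourceManager host reachable on two addresses.
DNS_REVERSE = {"192.0.2.10": "rm1.hadoop.example.com",
               "198.51.100.10": "rm1.hadoop.example.com"}
DOMAIN_REALM = {".hadoop.example.com": "HADOOP.EXAMPLE.COM",
                ".corp.example.com": "CORP.EXAMPLE.COM"}
# The single HTTP principal the service holds a key for.
KEYTAB = {"HTTP/rm1.hadoop.example.com@HADOOP.EXAMPLE.COM"}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def realm_for(host):
    """Simplified domain-to-realm lookup: exact host, then each parent domain."""
    if is_ip_literal(host):
        return None  # an address has no domain suffix to match against
    name = host.lower()
    if name in DOMAIN_REALM:
        return DOMAIN_REALM[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in DOMAIN_REALM:
            return DOMAIN_REALM[suffix]
    return None


def service_principal(url_host, canonicalize):
    """Return the HTTP service principal a client would request, or None."""
    host = url_host
    if canonicalize and is_ip_literal(host):
        # Reverse lookup collapses every address of the host to one name.
        host = DNS_REVERSE.get(host, host)
    realm = realm_for(host)
    return f"HTTP/{host.lower()}@{realm}" if realm else None


def can_authenticate(url_host, canonicalize):
    """True when the requested principal is one the service has a key for."""
    return service_principal(url_host, canonicalize) in KEYTAB
```
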