Hi, Josh

Let's call "hbase/[email protected]" the host principal and "hbase/[email protected]" the service principal. In most services, like RegionServer on HBase or DataNode on HDFS, we should configure SASL by hostname.

But when I do load balancing, for example with Nginx in front of several Thrift services, the client doesn't know which server it is connecting to via SASL! So if SASL is configured by the hostname from DNS, not from the principal, the client can't work. But if we set the host from the principal, not only does the "host principal" still work, but also the "service principal".

2018-03-15 0:32 GMT+08:00 Josh Elser <[email protected]>:
> No, the principal should definitely get pulled from DNS. Remember that you
> must consistently use the same naming to refer to a service when Kerberos is
> in the mix. This is why the FQDN (and DNS) is so important for services.
>
> Your issue seems to be that you have multiple different names for a single
> service, "thriftserver2" and "A" in your examples.
>
> Having inconsistent naming of nodes in your system will only add to the
> confusion as, for most services in HBase and HDFS, they are only configured
> to accept SASL-based RPCs for a single hostname.
>
> On 3/14/18 11:03 AM, Weizhan Zeng wrote:
>> Hi, guys
>> I use ThriftServer2 with Kerberos, and I found something wrong when all
>> servers' principal is "hbase/[email protected]".
>> When I looked at the code I found something that may not be right!
>> When we start Thrift Server, we get the host from DNS:
>>
>>     if (securityEnabled) {
>>       host = Strings.domainNamePointerToHostName(
>>           DNS.getDefaultHost(
>>               conf.get("hbase.thrift.dns.interface", "default"),
>>               conf.get("hbase.thrift.dns.nameserver", "default")));
>>       userProvider.login("hbase.thrift.keytab.file",
>>           "hbase.thrift.kerberos.principal", host);
>>     }
>>
>> Because my principal is "hbase/[email protected]", not
>> "hbase/_[email protected]", when creating the TTransportFactory the host is the
>> real host name, for example A, but my principal user name is
>> "hbase/[email protected]", not "hbase/[email protected]".
>>
>>     TTransportFactory transportFactory = getTTransportFactory(qop, name, host, framed,
>>         conf.getInt("hbase.regionserver.thrift.framed.max_frame_size_in_mb", 2) * 1024 * 1024);
>>
>> When the client opens a transport like below,
>>
>>     transport = TTransport.TSaslClientTransport(socket, "thriftserver2", "hbase")
>>
>> it will not be right, so I think we should get the host from the user, not from
>> DNS, like below. Tell me if I am wrong, thank you!
>>
>>     host = org.apache.hadoop.security.SecurityUtil.getHostFromPrincipal(
>>         userProvider.getCurrent().getName());
>>
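To make the naming mismatch discussed in this thread concrete, here is an added Python model (not HBase or Hadoop code, and not written by either poster) of the two ways the Thrift server could pick the hostname it hands to its SASL server transport. The realm EXAMPLE.COM, the node name a.example.com, the load-balancer name thriftserver2 and the principals are constructed placeholders for the redacted values in the thread; `expand_host_placeholder` and `host_from_principal` imitate the behaviour of Hadoop's SecurityUtil.getServerPrincipal and SecurityUtil.getHostFromPrincipal, and `handshake_ok` is a deliberate simplification of GSSAPI name matching (no canonicalization, cross-realm or keytab details).

```python
import re

# Kerberos principal grammar: primary[/instance]@REALM (same as Hadoop's KerberosName).
_PRINCIPAL_RE = re.compile(r"^([^/@]*)(?:/([^/@]*))?@([^/@]*)$")


def parse_principal(principal):
    """Split 'primary/instance@REALM' into (primary, instance, realm); instance is None if absent."""
    m = _PRINCIPAL_RE.match(principal)
    if not m or not m.group(1) or not m.group(3):
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return m.group(1), m.group(2), m.group(3)


def expand_host_placeholder(principal_template, dns_fqdn):
    """Model of SecurityUtil.getServerPrincipal: a literal _HOST instance component
    becomes the node's lower-cased FQDN; any other principal is returned unchanged."""
    primary, instance, realm = parse_principal(principal_template)
    if instance != "_HOST":
        return principal_template
    return f"{primary}/{dns_fqdn.lower()}@{realm}"


def host_from_principal(principal):
    """Model of SecurityUtil.getHostFromPrincipal: the instance component,
    or None when the principal has none (e.g. 'hbase@REALM')."""
    return parse_principal(principal)[1]


def server_sasl_host(login_principal, dns_fqdn, policy):
    """Hostname the Thrift server registers with its SASL server transport.

    'dns'       -- current ThriftServer behaviour: the node's DNS-derived hostname.
    'principal' -- the change proposed in the thread: the login principal's instance.
    """
    if policy == "dns":
        return dns_fqdn
    if policy == "principal":
        host = host_from_principal(login_principal)
        if host is None:
            raise ValueError(f"principal {login_principal!r} has no host component")
        return host
    raise ValueError(f"unknown policy {policy!r}")


def handshake_ok(login_principal, server_sasl_hostname, client_host):
    """Simplified GSSAPI outcome (assumption: no name canonicalization, single realm).

    The client asks the KDC for a ticket to <service>/<client_host>@REALM, where
    client_host is the name it was given (the host argument of TSaslClientTransport).
    Only the key of that exact principal can decrypt the ticket, so it must equal the
    server's login principal; and the server only presents that credential when the
    SASL server name it was configured with resolves to the same principal.
    """
    service, _, realm = parse_principal(login_principal)
    client_target = f"{service}/{client_host}@{realm}"
    server_name = f"{service}/{server_sasl_hostname}@{realm}"
    return client_target == login_principal == server_name


# Constructed scenarios: (principal configured in the keytab, node FQDN, name the client connects to).
SCENARIOS = {
    # "host principal": keytab holds hbase/<fqdn>, the client connects to the node by its FQDN.
    "host-principal-direct": ("hbase/_HOST@EXAMPLE.COM", "a.example.com", "a.example.com"),
    # "service principal": every node logs in as hbase/thriftserver2, the client connects to the LB name.
    "service-principal-via-lb": ("hbase/thriftserver2@EXAMPLE.COM", "a.example.com", "thriftserver2"),
    # service principal again, but the client bypasses the LB and connects to one node directly.
    "service-principal-direct": ("hbase/thriftserver2@EXAMPLE.COM", "a.example.com", "a.example.com"),
}


def evaluate(policy):
    """Map each scenario name to whether the SASL handshake would succeed under `policy`."""
    results = {}
    for name, (template, dns_fqdn, client_host) in SCENARIOS.items():
        login_principal = expand_host_placeholder(template, dns_fqdn)
        sasl_host = server_sasl_host(login_principal, dns_fqdn, policy)
        results[name] = handshake_ok(login_principal, sasl_host, client_host)
    return results


if __name__ == "__main__":
    for policy in ("dns", "principal"):
        print(policy, evaluate(policy))
```

The third scenario is the caveat: with a shared service principal, a client that skips the balancer and connects to a node by its own FQDN fails under either policy, because the name it targets no longer names the credential the server holds. That is the consistency point in Josh's reply, and it holds regardless of which side of the DNS-versus-principal question one takes.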
