[ 
https://issues.apache.org/jira/browse/HDFS-6666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14391003#comment-14391003
 ] 

Chris Nauroth commented on HDFS-6666:
-------------------------------------

Actually, I've been meaning to propose that we remove the startKdc profile and 
migrate existing tests that use it to look more like the tests I wrote for 
HDFS-2856.  For an example, see {{TestSaslDataTransfer}} and its base class 
{{SaslDataTransferTestCase}}.  You might find it useful to extend that same 
base class.

These tests work by depending on the hadoop-minikdc project instead of an 
external Apache Directory Server distro URL.  They also enable SASL on data 
transfer protocol and SSL on the web servers, so there is no need for root or 
trying to set backdoor properties to skip some of the security checks.

> Abort NameNode and DataNode startup if security is enabled but block access 
> token is not enabled.
> -------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-6666
>                 URL: https://issues.apache.org/jira/browse/HDFS-6666
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, namenode, security
>    Affects Versions: 3.0.0, 2.5.0
>            Reporter: Chris Nauroth
>            Assignee: Vijay Bhat
>            Priority: Minor
>
> Currently, if security is enabled by setting hadoop.security.authentication 
> to kerberos, but HDFS block access tokens are disabled by setting 
> dfs.block.access.token.enable to false (which is the default), then the 
> NameNode logs an error and proceeds, and the DataNode proceeds without even 
> logging an error.  This jira proposes that it's invalid to turn on 
> security but not turn on block access tokens, and that it would be better to 
> fail fast and abort the daemons during startup if this happens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
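
The fail-fast condition described in the issue can also be checked before the daemons start, by auditing the site files. This is an added example, not code from the Hadoop project or from the HDFS-6666 patch. The function names and sample XML are constructed, and the `simple` default for hadoop.security.authentication is stock Hadoop behaviour rather than something stated in the message.

```python
import xml.etree.ElementTree as ET

# dfs.block.access.token.enable defaults to false (stated in the issue);
# hadoop.security.authentication defaults to simple (stock Hadoop default).
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "dfs.block.access.token.enable": "false",
}

def load_properties(*xml_docs):
    """Merge <property> entries from *-site.xml documents; later files win
    unless an earlier entry was marked <final>true</final>."""
    props, final = dict(DEFAULTS), set()
    for doc in xml_docs:
        for prop in ET.fromstring(doc).iter("property"):
            name = (prop.findtext("name") or "").strip()
            if not name or name in final:
                continue
            props[name] = (prop.findtext("value") or "").strip()
            if (prop.findtext("final") or "").strip().lower() == "true":
                final.add(name)
    return props

def check_block_tokens(props):
    """Return an error string for the HDFS-6666 misconfiguration, else None."""
    auth = props["hadoop.security.authentication"].lower()
    tokens_on = props["dfs.block.access.token.enable"].lower() == "true"
    if auth == "kerberos" and not tokens_on:
        return ("hadoop.security.authentication=kerberos but "
                "dfs.block.access.token.enable is not true")
    return None

# Constructed sample configuration documents.
CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name>
            <value>kerberos</value></property>
</configuration>"""
HDFS_SITE_BAD = "<configuration></configuration>"  # relies on the false default
HDFS_SITE_GOOD = """<configuration>
  <property><name>dfs.block.access.token.enable</name>
            <value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, hdfs in (("bad", HDFS_SITE_BAD), ("good", HDFS_SITE_GOOD)):
        err = check_block_tokens(load_properties(CORE_SITE, hdfs))
        print(label, "->", "ABORT: " + err if err else "ok")
```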