[
https://issues.apache.org/jira/browse/HDFS-14136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Surendra Singh Lilhore updated HDFS-14136:
------------------------------------------
Description:
!image-2018-12-10-17-54-33-361.png!
ZKDelegationTokenSecretManager use only first part of principal to set the
znode ACL's.
We can use *{{KerberosName#getShortName()}}* method for getting the principal
based upon rules configured in *{{hadoop.security.auth_to_local}}*and setting
the ACL.
was:
!image-2018-12-10-17-54-33-361.png!
If no rule {{kerberos.removeRealmFromPrincipal=true }} and {{
kerberos.removeHostFromPrincipal=true }} is defined to remove host and realm
from the principal, then authorization fails as full Principal is passed for
auth but set one is splitted one..
We can use *{{KerberosName#getShortName()}}* method for getting the principal
based upon rules configured in *{{hadoop.security.auth_to_local}}*and setting
the ACL.
> ZKDelegationTokenSecretManager should use KerberosName#getShortName to get
> the user name for ZK ACL
> ---------------------------------------------------------------------------------------------------
>
> Key: HDFS-14136
> URL: https://issues.apache.org/jira/browse/HDFS-14136
> Project: Hadoop HDFS
> Issue Type: Bug
> Reporter: Shubham Dewan
> Priority: Blocker
> Attachments: HDFS-14136.001.patch, image-2018-12-10-17-54-33-361.png
>
>
> !image-2018-12-10-17-54-33-361.png!
> ZKDelegationTokenSecretManager use only first part of principal to set the
> znode ACL's.
> We can use *{{KerberosName#getShortName()}}* method for getting the principal
> based upon rules configured in *{{hadoop.security.auth_to_local}}*and setting
> the ACL.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
