[
https://issues.apache.org/jira/browse/HDFS-14390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16813856#comment-16813856
]
Ashvin commented on HDFS-14390:
-------------------------------
Hi [~daryn] Thanks for looking at the changes.
When authentication method is {{Kerberos}}, a client (DN/NN in this case)
invokes {{SaslRpcClient.getServerPrincipal}} to setup a secure connection. If
{{Provided storage}} is also enabled, {{getServerPrincipal}} in turn tries to
find server principal for the {{AliasMap}} protocol. It was absent earlier.
This change, see {{AliasMapProtocolPB}}, provides the server principal.
I agree that the authz/acl related changes could be part of a different PR. The
{{FSTreeWalk}} changes are needed for the tool to establish a secure
connection. Does this change qualify a new PR?
I can post a new patch with the changes related to {{AliasMapProtocol}}
authentication in this PR. Please let me know if you have any other suggestions.
> Provide kerberos support for AliasMap service used by Provided storage
> ----------------------------------------------------------------------
>
> Key: HDFS-14390
> URL: https://issues.apache.org/jira/browse/HDFS-14390
> Project: Hadoop HDFS
> Issue Type: Improvement
> Reporter: Ashvin
> Assignee: Ashvin
> Priority: Major
> Attachments: HDFS-14390.001.patch, HDFS-14390.002.patch,
> HDFS-14390.003.patch
>
>
> With {{PROVIDED}} storage (-HDFS-9806)-, HDFS can address data stored in
> external storage systems. This feature is not supported in a secure HDFS
> cluster. The {{AliasMap}} service does not support kerberos, and as a result
> the cluster nodes will fail to communicate with it. This JIRA is to enable
> kerberos support for the {{AliasMap}} service.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
