KWON BYUNGCHANG created HDFS-14434:
--------------------------------------
Summary: webhdfs that connect secure hdfs should not use user.name
parameter
Key: HDFS-14434
URL: https://issues.apache.org/jira/browse/HDFS-14434
Project: Hadoop HDFS
Issue Type: Bug
Components: webhdfs
Affects Versions: 3.1.2
Reporter: KWON BYUNGCHANG
I have two secure hadoop cluster. Both cluster use cross-realm authentication.
[[email protected]|mailto:[email protected]] can access to HDFS of B.COM realm
by the way, hadoop username of [email protected] in B.COM realm is
cross_realm_a_com_user_a.
hdfs dfs command of [email protected] using B.COM webhdfs failed.
$ hdfs dfs -ls webhdfs://b.com:50070/
{{ls: Usernames not matched: name=user_a != expected=cross_realm_a_com_usera}}
{{$ curl -u : --negotiate
'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&user.name=user_a' }}
{{{"RemoteException":\{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
to obtain user group information: java.io.IOException: Usernames not matched:
name=user_a != expected=cross_realm_a_com_user_a"}}}}
{{$ curl -u : --negotiate
'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN'}}
{{{"Token"\{"urlString":"XgA....."}}}}
root cause is webhdfs that connect secure hdfs use user.name parameter.
according to webhdfs spec, insecure webhdfs use user.name, secure webhdfs use
SPNEGO for authentication.
I think webhdfs that connect secure hdfs should not use user.name parameter.
I will attach patch.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
