[
https://issues.apache.org/jira/browse/HDFS-14434?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
KWON BYUNGCHANG updated HDFS-14434:
-----------------------------------
Description:
I have two secure hadoop cluster. Both cluster use cross-realm authentication.
[[email protected]|mailto:[email protected]] can access to HDFS of B.COM realm
by the way, hadoop username of [email protected] in B.COM realm is
cross_realm_a_com_user_a.
hdfs dfs command of [email protected] using B.COM webhdfs failed.
$ hdfs dfs -ls webhdfs://b.com:50070/
{{ls: Usernames not matched: name=user_a != expected=cross_realm_a_com_usera}}
$ curl -u : --negotiate
'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&user.name=user_a'
{{{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
to obtain user group information: java.io.IOException: Usernames not matched:
name=user_a != expected=cross_realm_a_com_user_a"}}}}
{{$ curl -u : --negotiate
'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN'}}
{{{"Token"{"urlString":"XgA....."}}}}
root cause is webhdfs that connect secure hdfs use user.name parameter.
according to webhdfs spec, insecure webhdfs use user.name, secure webhdfs use
SPNEGO for authentication.
I think webhdfs that connect secure hdfs should not use user.name parameter.
I will attach patch.
was:
I have two secure hadoop cluster. Both cluster use cross-realm authentication.
[[email protected]|mailto:[email protected]] can access to HDFS of B.COM realm
by the way, hadoop username of [email protected] in B.COM realm is
cross_realm_a_com_user_a.
hdfs dfs command of [email protected] using B.COM webhdfs failed.
$ hdfs dfs -ls webhdfs://b.com:50070/
{{ls: Usernames not matched: name=user_a != expected=cross_realm_a_com_usera}}
{{$ curl -u : --negotiate
'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&user.name=user_a' }}
{{{"RemoteException":\{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
to obtain user group information: java.io.IOException: Usernames not matched:
name=user_a != expected=cross_realm_a_com_user_a"}}}}
{{$ curl -u : --negotiate
'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN'}}
{{{"Token"\{"urlString":"XgA....."}}}}
root cause is webhdfs that connect secure hdfs use user.name parameter.
according to webhdfs spec, insecure webhdfs use user.name, secure webhdfs use
SPNEGO for authentication.
I think webhdfs that connect secure hdfs should not use user.name parameter.
I will attach patch.
> webhdfs that connect secure hdfs should not use user.name parameter
> -------------------------------------------------------------------
>
> Key: HDFS-14434
> URL: https://issues.apache.org/jira/browse/HDFS-14434
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: webhdfs
> Affects Versions: 3.1.2
> Reporter: KWON BYUNGCHANG
> Priority: Minor
>
> I have two secure hadoop cluster. Both cluster use cross-realm
> authentication.
> [[email protected]|mailto:[email protected]] can access to HDFS of B.COM realm
> by the way, hadoop username of [email protected] in B.COM realm is
> cross_realm_a_com_user_a.
> hdfs dfs command of [email protected] using B.COM webhdfs failed.
>
> $ hdfs dfs -ls webhdfs://b.com:50070/
> {{ls: Usernames not matched: name=user_a != expected=cross_realm_a_com_usera}}
>
> $ curl -u : --negotiate
> 'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&user.name=user_a'
> {{{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
> to obtain user group information: java.io.IOException: Usernames not
> matched: name=user_a != expected=cross_realm_a_com_user_a"}}}}
>
> {{$ curl -u : --negotiate
> 'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN'}}
> {{{"Token"{"urlString":"XgA....."}}}}
>
> root cause is webhdfs that connect secure hdfs use user.name parameter.
> according to webhdfs spec, insecure webhdfs use user.name, secure webhdfs
> use SPNEGO for authentication.
>
> I think webhdfs that connect secure hdfs should not use user.name parameter.
> I will attach patch.
>
>
>
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
